IT Safety News - Your source for network security news, opinion, product comparisons and reviews. Virus, Worms, Antivirus and Security Information.
Friday, March 1, 2013
How to fill the free space on your hard drive without your knowledge
Programmer Feross Aboukhadijeh specializing in web applications, created and demonstrated in surprisingly effective exploit for Web Storage technology. On his website, with the eloquent title FillDisk.com developer showed how a browser to fill the free space on your hard drive without your knowledge.
Be warned - do not visit the site without FillDisk.com needlessly. Vulnerability to unauthorized downloading an almost unlimited amount of data subject to such actual browsers like Chrome, Safari and IE. In one experiment, the developer himself found that every 16 seconds a site loads FillDisk.com 1GB of meaningless data on SSD laptop MacBook Pro Retina.
Unusual features of the site FillDisk.com built on the manipulation of technology Web Storage, included in the specification of HTML5. Standard Web Storage is designed to facilitate the work of the web sites by enabling store frequently used data on the local hard disk by. This can be useful when filling long web forms: if the browser unexpectedly quits already entered data will remain safe and sound when a visitor goes to the same page the next time. The authors specifically warn standard browser developers, so they called for restrictions on the case of abuse of this feature.
Of course, browsers, Chrome, IE and Safari have limits on the amount of downloads for local data storage, but this restriction applies only to individual subdomains, but not at a higher level domains. Site work is based on using FillDisk.com many subdomains form «1.filldisk.com», «2.filldisk.com» and so on, to give the maximum amount of data on the hard disk by. Of all the browsers that have experienced Abuhadizhi on the site, only Mozilla Firefox was able to implement controls and stop loading. Also the author exploit notes that the implementation of such dangerous techniques proved to be quite simple.
To avoid imposing an unnecessary guilt on browser developers to bear and to FillDisk.com, it should be noted that the exploit does not expose personal information, and do not allow the remote execution of malicious code. Compared with many other vulnerabilities, shown on the website FillDisk.com exploit can be described as insignificant. At the same time, it is easy to attackers who will send out malicious links if only to annoy people, and in some cases (not confirmed for a few most popular versions of Chrome) may crash the browser.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment