Creating stuff is hard. Breaking stuff is easy. Thus, I take frequent breaks from creating stuff in order to break stuff.
Behold my latest hackery: FillDisk.com. Fill up your hard disk with just a single click!
How to troll using HTML5
The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB).
localStorage is awesome because it’s supported in all modern browsers (Chrome, Firefox 3.5+, Safari 4+, IE 8+, etc.).
The standard anticipated that sites might abuse this feature and advised that browsers limit the total amount of storage space that each origin could use. Quoting from the spec:
User agents should limit the total amount of space allowed for storage areas.
The current limits are:
- 2.5 MB per origin in Google Chrome
- 5 MB per origin in Mozilla Firefox and Opera
- 10 MB per origin in Internet Explorer
However, what if we get clever and make lots of subdomains like
3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. Quoting the spec, again:
User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit.
A mostly arbitrary limit of five megabytes per origin is recommended.
However, Chrome, Safari, and IE currently do not implement any such “affiliated site” storage limit. Thus, cleverly coded websites, like FillDisk.com, have effectively unlimited storage space on visitor’s computers.
- Fills up the user’s hard disk on Chrome, Safari (iOS and desktop), and IE.
- Fills up 1 GB every 16 seconds on my Macbook Pro Retina (with solid state drive)
- Tested with Chrome 25, Safari 6, IE 10.
- For 32-bit browsers, like Chrome, the entire browser may crash before the disk is filled.
- Does not work on Firefox, since Firefox’s implementation of localStorage is smarter.
- Includes a button to reclaim your disk space ;)
Let’s fix this
Here are the bug reports I filed with Google, Apple, Microsoft, and Opera:
- Chromium bug report
- Apple bug report (on an unoffical site, since Apple doesn’t acknowledge their bugs publicly. So lame.)
How do I file a bug on IE? Their [bug report](http://connect.microsoft.com/IE) page is broken.
Microsoft bug report (requires login)
- Opera bug report (bug ID: DSK-383073, it’s private) - fills to 75MB in my testing, which isn’t so bad.
You can help get this issue get fixed quickly (on Chrome at least) by visiting the bug report pages and chiming in (starring) so that Google prioritizes this issue.
Update (Mar 13, 2013)
In the news:
Ars Technica says this “could become a new form of Rick Roll”. Let’s hope not. :)
Answers to some common questions I’ve been getting:
How did you find this HTML5 weakness?
To be clear, this is not an issue with HTML5, so calling it an “HTML5 weakness” is not accurate. It’s a bug in the way that most browsers (Chrome, Internet Explorer, and Safari) have implemented the HTML5 Web Storage standard. It’s the fault of the browsers, not the HTML5 spec.
I usually don’t spend my time actively looking for security bugs – I just frequently run into them while programming. In the case of the localStorage bug, I found it while working on a project that utilizes localStorage. I was curious if there was some way to store more than 2.5-10 MB using the API, and using multiple site “origins” by creating tons of subdomains was the first thing that came to mind.
You mention Firefox uses localStorage and that it’s better but is there a reason for this?
Firefox simply places a 10 MB cap on the amount of space that any domain can store using localStorage. So, origins like 1.filldisk.com and 2.filldisk.com, etc. must all share 10MB of space. Making new subdomains doesn’t give you more space.
Have you had any followup since leaving the bug reports for Google, Opera, Apple and Microsoft?
903 people starred the Chromium bug report I created, making it the 9th most starred bug in all of Chromium. The Chrome devs have responded and are working on a fix, though it’s unclear when it will be ready. Apple has not responded, because, well, they’re Apple. Microsoft has responded that they “will be investigating this issue further”.
So, it seems that the issue will be fixed at some point, though it doesn’t appear to be a top priority for browser vendors at the moment.
You can discuss, upvote, or poke fun at this post over at Hacker News.
(If you liked this, you might like Freedom of Speech on the Internet.)