
HTML5 poses security risks

It's plagued by security issues, report says
Tue Aug 02 2011, 18:11

DESPITE THE FACT that it's well on track to becoming a standard, HTML5 remains plagued by security issues that place users at risk.

According to a newly published report by the European Union cyber security agency ENISA, the security threats aren't small - there are at least 50 of them. HTML5's current specifications have flaws that range from weaknesses in the Cross-Origin Resource Sharing (CORS) implementation to features that render clickjacking mitigation methods unusable.

CORS, a specification that allows clients to securely mix resources from multiple domains, opens an attack surface on legacy servers that can't understand the corresponding requests. This enables attackers to trigger cross-domain APIs.

HTML5's web messaging specification also has cross-origin issues. For one, it gives a frame that securely exchanges content with a second frame no mechanism to prevent that second frame from passing the content on to a third, untrusted origin.
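The receiving side of that exchange is where the check has to live. The following is an added example, not code from the article or the ENISA report: a receiver that validates the browser-supplied `event.origin` against a hypothetical allow-list and refuses to relay content to any origin outside it (the origins and the `installListener` wiring are assumptions).

```javascript
// Added example (not from the article): origin-checked web messaging receiver.
// Models a frame that receives postMessage() content from a trusted partner
// frame and must not forward it to an arbitrary third origin.

// Hypothetical allow-list of origins this frame exchanges content with.
const TRUSTED_ORIGINS = new Set(["https://app.example", "https://partner.example"]);

// Decide whether a MessageEvent should be accepted. event.origin is filled in
// by the browser and cannot be forged by the sending page, so it is the only
// field worth trusting for this decision.
function acceptMessage(event, trusted = TRUSTED_ORIGINS) {
  if (typeof event.origin !== "string" || !trusted.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  if (typeof event.data !== "object" || event.data === null) {
    return { accepted: false, reason: "unexpected payload type" };
  }
  return { accepted: true, data: event.data };
}

// Decide where accepted content may be relayed. The specification gives the
// receiver no guarantee about onward delivery, so the receiver itself must
// refuse a wildcard target and any origin outside the allow-list.
function relayTarget(targetOrigin, trusted = TRUSTED_ORIGINS) {
  if (targetOrigin === "*") return null; // never broadcast to every origin
  return trusted.has(targetOrigin) ? targetOrigin : null;
}

// Browser wiring (assumed): `target` is the window handle of the partner frame.
function installListener(target, targetOrigin) {
  window.addEventListener("message", (event) => {
    const result = acceptMessage(event);
    if (!result.accepted) return;
    const dest = relayTarget(targetOrigin);
    if (dest) target.postMessage(result.data, dest);
  });
}
```

The same checks apply on the sending side: always pass an explicit target origin to `postMessage()` rather than `"*"`.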

The security risks raised by CORS are not new. A year ago security researcher Matt Austin explained how this HTML5 feature can render old code insecure. He demonstrated the problem on touch.facebook.com, Facebook's web site for touch devices, whose code was vulnerable to this weakness.

By exploiting this issue, he was able to post messages from the accounts of Facebook users who simply visited a specially-crafted web page. Worse still, his attack was invisible to the affected website because it was executed client-side, within the web browser.

Researchers have found that the HTML5 specification that allows remote services to be registered as content handlers fails to properly inform users. This potentially allows a service to remain registered as a protocol handler indefinitely.

The HTML5 standard also makes it harder to protect against clickjacking, a form of web attack that relies on using legitimate web techniques to hide and overlap buttons in a malicious manner. A common clickjacking mitigation method is to use JavaScript code that prevents windows from being framed.

This is known as frame busting and is rendered useless by the HTML5 iframe sandbox option. Attackers can also more easily trick users into submitting sensitive data to a destination under their control thanks to the HTML5 capability of using buttons outside forms.

The new standard also puts user privacy at risk because of a feature known as cache polling that allows attackers to retrieve people's last location, as well as the time when they were in that location, through the geolocation cache API.

Hopefully, the W3C working groups involved in the development of HTML5 will address these security issues as soon as possible so that browser developers can implement the fixes and protect their users. However, many of the affected specifications are already supported by most browsers.


Comments
What say you Apple?

The W3C has already warned that HTML5 was not ready for production use. Apple points the finger at Adobe calling its wares security risks when the very platform that they champion is plagued with security issues of another sort. Updating a standard is arguably worse because of all the changes across implementations that are required, where Flash can be patched.

All of Apple's other comments about Flash are overshadowed by security. That Flash is not good for battery life etc is bull... the user should have choice, but that is not Apple's way.

Apple has its own keen agenda most of which is obvious, control and less dependency being the two main pillars and that is fine, just don't blow smoke up our you know whats...

You know what? Playing video is already a hazard for my battery on the current solutions. They could have worked closely with Adobe the way Google did to bring support and make it possible to turn it off when not needed.

Now I worry about Windows 8 and whether HTML5 is ready for serious desktop development... or will a special Windows version with stronger security be implemented? This will be good and bad because of fragmentation of HTML5.

posted by : Mr. Anderson, 03 August 2011
Time to abandon web

I've said it many times before, it's time to abandon the web and HTML. All these "standards" that keep extending the use of HTML and HTTP protocol need to be ended.
It's time for a replacement container (browser) and technology.
Web has become so bastardised and always maintaining backwards compatibility.
All these hacks that break what things were designed for (just look at CSS, dynamic pages, etc).

posted by : Anon, 03 August 2011