Ghost of HTML5 future: Web browser botnets
With great power comes great responsibility ... to not pwn the interweb
By John Leyden • In Security • At 08:01 GMT 27th April 2012
During a presentation at the B-Sides Conference in London on Wednesday, Robert McArdle, a senior threat researcher at Trend Micro, outlined how the revamped markup language could be used to launch browser-based botnets and other attacks. The new features in HTML5 - from WebSockets to cross-origin requests - could send tremors through the information security battleground and turn the likes of Chrome and Firefox into complete cybercrime toolkits.
Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.
Additional dangers involve social engineering using HTML5's customisable pop-ups that appear outside the browser to fool users into believing the wording on an alert box. More convincing phishing attacks can be created using the technique, McArdle said.
"The good stuff in HTML5 outweighs the bad," he added. "We haven't seen the bad guys doing anything bad with HTML5 but nonetheless it's good to think ahead and develop defences."
Web developers should make sure that their sites are not vulnerable to Cross-Origin Resource sharing, cross-domain messaging or local storage attacks, McArdle advises. Utilities such as NoScript can also help punters.
More details on HTML5 attack scenarios and possible defences can be found on html5security.org, a website devoted to the topic. ®