This post is the second of a 3-part series of blog entries on HTML5. You can also check the first part: HTML – The Good.
Yesterday, we started the first of a three-part series investigating the new HTML5 standard. We started this by looking at some of the new features which are going to improve how we can interact with the Web.
In today’s post, we will look at how some of the features of HTML5 can be misused by attackers. This post is not meant to be an exhaustive list, but if you are interested in more details we will be releasing an in-depth paper on HTML5 Attacks tomorrow.
Below, in no particular order, are 5 new attacks made possible by features introduced in HTML5:
- Clickjacking made easy: Clickjacking itself is not a new attack. It aims to steal mouse clicks from a victim and redirect them to a different page of the attacker's choosing. The attacker's goal is to make the user click on a concealed link without their knowledge.
- Port Scanning using Cross Origin Requests or WebSockets: With HTML5, a browser can now connect to any IP address or site on (almost) any port. While it is not able to read the response of this connection unless this is specifically allowed by the target site, researchers have already shown that the amount of time the request takes can be used to determine if the target port is open or closed. This allows an attacker to carry out a port scan of a victim’s local network, directly from the browser.
- Social Engineering with Web Notifications: We mentioned web notifications in our post yesterday about the new features introduced by HTML5. These pop-ups which appear outside the browser can actually be fully customized using HTML code. While this allows for some very nice interaction possibilities, it is also a gold mine for social engineering attacks, such as phishing or FAKEAV. Check the picture below to get an idea of what attackers can do with this new feature.
- Tracking victims with Geolocation: Geolocation is one of the most talked about features introduced in HTML5. Because of the security and privacy concerns, a site must always ask the user's permission before it can access this location information. However, as has been seen in the past with features such as Vista's user access control, Android's application permissions, and invalid HTTPS certificates, security that depends on the user making a decision rarely works out well. Once permission is given, that site can not only learn the victim's location, but also track that user in real time as they move around.
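The clickjacking and geolocation items above both come down to what a page allows other origins to do with it: whether it may be rendered inside someone else's frame, and whether embedded third-party content may ask for the user's location. The following is an added example, not code from the original post or from Trend Micro, showing the two defensive layers a site owner controls: the response headers that tell the browser not to frame the page (CSP `frame-ancestors`, with `X-Frame-Options` as a legacy fallback) and not to grant geolocation to embedded frames (`Permissions-Policy`), plus a client-side check that detects when the page has been framed anyway. The function names `hardeningHeaders` and `isFramed` and the option names are assumptions chosen for this example; the header names and values are the real ones browsers honour.

```javascript
// Added example (not from the original post): server-side headers and a
// client-side check that reduce a page's exposure to clickjacking and to
// location requests from content embedded in it.

// Build the response headers for a page. `allowedFramers` lists the origins
// that may embed the page in a frame (empty = never framed); `geolocation`
// lists the origins whose frames may use the Geolocation API (empty = none,
// not even the page itself). Both option names are hypothetical.
function hardeningHeaders({ allowedFramers = [], geolocation = [] } = {}) {
  // CSP frame-ancestors is what modern browsers enforce; when both headers are
  // present, frame-ancestors takes precedence over X-Frame-Options.
  const ancestors = allowedFramers.length === 0
    ? "'none'"
    : ["'self'", ...allowedFramers].join(' ');

  // X-Frame-Options cannot express an origin list, so the closest fallback for
  // older browsers is SAMEORIGIN when any framing is allowed, DENY otherwise.
  const xfo = allowedFramers.length === 0 ? 'DENY' : 'SAMEORIGIN';

  // Permissions-Policy: geolocation=() disables the API everywhere on the page,
  // including third-party iframes; (self ...) restricts it to the listed origins.
  const geo = geolocation.length === 0
    ? '()'
    : `(${['self', ...geolocation.map((o) => JSON.stringify(o))].join(' ')})`;

  return {
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
    'X-Frame-Options': xfo,
    'Permissions-Policy': `geolocation=${geo}`,
  };
}

// Client-side detection: true when the document is rendered inside a frame
// whose top-level window is not itself. It takes a window-like object so it
// can be exercised outside a browser; in a real page, pass `window`.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Reading win.top throws when the parent is cross-origin; being unable to
    // see the top window means the page is framed by someone else.
    return true;
  }
}

// Typical use in a page: refuse to run the sensitive UI when framed.
// if (isFramed(window)) { document.body.textContent = 'This page must not be framed.'; }

// Demo with a constructed window-like object standing in for a framed page.
const constructedChild = { top: {}, self: {} };
console.log(hardeningHeaders());
console.log('framed:', isFramed(constructedChild));
```

The headers are the primary control: they stop the browser from rendering the page in an attacker's frame at all, and they stop an embedded frame from ever being able to prompt for location, so the "user has to make a decision" problem described above never arises for that content. The `isFramed` check is a secondary signal for browsers that ignore the headers; it should hide or disable the sensitive UI rather than attempt to navigate the top window, since a hostile parent can block that navigation.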
Those are just 5 of the new attacks introduced by HTML5, and we covered them at a very high level. Here is the link to the final part of this mini-blog series, HTML5: The Ugly, and the release of our paper on HTML5 Attacks.