This post is the second of a 3-part series of blog entries on HTML5. You can also check the first part: HTML – The Good.
Yesterday, we started the first of a three-part series investigating the new HTML5 standard. We started this by looking at some of the new features which are going to improve how we can interact with the Web.
In today’s post, we will look at how some of the features of HTML5 can be misused by attackers. This post is not meant to be an exhaustive list, but if you are interested in more details we will be releasing an in-depth paper on HTML5 Attacks tomorrow.
Below, in no particular order, are 5 new attacks made possible by features introduced in HTML5:
- Clickjacking made easy: Clickjacking itself is not a new attack. It is an attack that aims to effectively steal mouse button clicks from a victim and to redirect them to a different page the attacker specifies. The attacker’s goal is to make the user click on a concealed link without his knowledge.
- Port Scanning using Cross Origin Requests or WebSockets: With HTML5, a browser can now connect to any IP address or site on (almost) any port. While it is not able to read the response of this connection unless this is specifically allowed by the target site, researchers have already shown that the amount of time the request takes can be used to determine if the target port is open or closed. This allows an attacker to carry out a port scan of a victim’s local network, directly from the browser.
- Social Engineering with Web Notifications: We mentioned web notifications in our post yesterday about the new features introduced by HTML5. These pop-ups, which appear outside the browser, can actually be fully customized using HTML code. While this allows for some very nice interaction possibilities, it is also a gold mine for social engineering attacks, such as phishing or FAKEAV. Check the picture below to get an idea of what attackers can do with this new feature.
- Tracking victims with Geolocation: Geolocation is one of the most talked about features introduced in HTML5. Because of the security and privacy concerns, a site must always ask a user’s permission before being able to get access to this location information. However, as has been seen in the past with features such as Vista’s user access control, Android’s application permissions, and with invalid HTTPS certificates – security based on the user needing to make a decision rarely works out well. Once permission is given, that site can not only learn the victim’s location, but also track that user in real-time as they move around.
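As an added example (not part of the original post), the code below audits a site's response headers for the two browser controls that limit the clickjacking and geolocation items in the list above: framing restrictions (CSP `frame-ancestors` or `X-Frame-Options`) and the `Permissions-Policy` geolocation allowlist. The function names, result labels and sample headers are constructed for illustration.

```javascript
// Added example: audit response headers for framing and geolocation policy.
// The sample header values at the bottom are constructed, not from a real site.

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Return the source list of one CSP directive, or null if the directive is absent.
function cspDirective(csp, name) {
  for (const part of (csp || "").split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

function framingPolicy(h) {
  const ancestors = cspDirective(h["content-security-policy"], "frame-ancestors");
  if (ancestors !== null) {
    // A bare wildcard lets any origin frame the page, so clickjacking stays possible.
    return ancestors.includes("*") ? "weak" : "restricted";
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return "restricted";
  // ALLOW-FROM is obsolete and ignored by current browsers.
  return xfo ? "weak" : "missing";
}

function geolocationPolicy(h) {
  const m = /(?:^|,)\s*geolocation=([^,]*)/i.exec(h["permissions-policy"] || "");
  if (!m) return "browser-default"; // no header entry: the browser default applies
  const allow = m[1].trim();
  if (allow === "()") return "disabled"; // no origin may request location
  return allow === "*" ? "any-origin" : "allowlist";
}

function auditHeaders(headers) {
  const h = lowerKeys(headers);
  return { framing: framingPolicy(h), geolocation: geolocationPolicy(h) };
}

const sample = { // constructed sample response headers
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "Permissions-Policy": "camera=(), geolocation=()",
};
console.log(auditHeaders(sample));
```

A result of `missing` or `weak` for framing means the page can still be embedded by another origin; `disabled` for geolocation means no script on the page, including injected or third-party script, can trigger the location prompt.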
Those are just 5 of the new attacks introduced by HTML5, and we covered them at a very high level. Here is the link that will lead you to the final part of the mini-blog series, HTML5: The Ugly, and the release of our paper on HTML5 Attacks.
HTML5 is the fifth revision of the language that makes the web work, and this Wednesday we will be releasing a paper detailing some of the new attacks that are made possible by this technology. Over the next three days we’ll be looking at the Good, the Bad and the downright Ugly of what HTML5 adds to the web, and to the arsenal of cybercriminals.
First up – HTML5 (and its associated APIs) is not an upgrade like you may be familiar with when it comes to software – it’s actually a whole lot of individual features, each with differing browser support. There is a good Wikipedia article that shows which features are currently implemented. For me there are very many fantastic features in HTML5, but five of them really stand out – and I think these will really change how we interact with the web.
- New graphics libraries: HTML5 introduces the Canvas and WebGL libraries which allow for more feature-rich websites. There are some great demos up on this page. In particular, I think the WebGL library is a game changer – just look at how well the graphics work in this port of the famous Quake II game – now entirely coded in HTML5. For me, that opens up a whole new generation of how games will be played in the future.
- Easier multimedia content: If you have ever designed a site that included audio and video content you will know that it has always felt a bit clunky, and will normally require a bunch of <object> and tags along with some Flash to get things to work. Not anymore however – HTML5 introduces the very easy to use <video> and <audio> tags, making it simpler than ever to include multimedia content on your site. Support is so good that YouTube is already in the process of moving over to using HTML5.
- Geolocation: People are accessing the Internet less and less from desktop machines, and even laptops. Today, a lot of people surf the web from handheld mobile devices such as smart-phones and tablets. The mobile nature of today’s web browsing, combined with the new Geolocation feature in HTML5 opens up a wealth of new possibilities. Knowing exactly where someone is when they access your site can help you personalize content for them to match their local surroundings. Imagine a hiking program whose default homepage allows you to plan trips if it sees you are accessing it from a built up area, but defaults to the interactive maps page if you are out in the countryside.
- Drag & Drop: This one is really subtle, but very important – Drag & Drop allows you to drag content from your browser directly onto your computer and from your computer to the browser. Doesn’t sound like a game changer really, does it? Well, check out this demo and then think what this means for a site like Facebook. Think about when you arrive back from your holidays and can simply select all of your holiday pics, drop them into the browser and instantly share them with your friends on the social network. Now that’s how I want to interact with the web!
- Web Notifications: Web Notifications are small pop-ups that appear outside of the browser window itself, allowing users to interact with a site even if they are not currently looking at it. Currently these only work with the Google Chrome browser, and you can check out a demo of them. These notifications are perfect for mail alerts, social network updates, Twitter, and a wide variety of other services. Along with Drag & Drop this feature really blurs the line between offline and online applications.
Those are just a taste of the fantastic new possibilities of HTML5, but there are many other demos out there on the web which are definitely worth a look. However, just like powerful abilities in superhero movies, these features can be a double-edged sword.
In the second part of the blog series, HTML5 – THE BAD, we will look at the Bad side of HTML5, and in the third part, HTML5 – THE UGLY, at the Ugly side of HTML5.