HTML5 Opens Door to Broader Attacks & New Website Security Threats

December 27, 2012

Browsers have long been one of the primary vectors for online threats — and HTML5 elevates that danger. HTML5 is the platform of choice to run applications, and as browsers continue to include more HTML5 features and greater compatibility, attackers will also continue to look for security holes.

A few of the factors shaping this trend include:

  • The increase in HTML5-based applications as web creators take advantage of freedom from app stores and improved cross-browser and cross-device compatibility.
  • The additional functionality of HTML5 creates a larger attack surface. One example is the use of powerful JavaScript APIs that allow browsers to communicate directly with the operating system.
  • New attack vectors. For example, Web Graphics Library, or WebGL, provides 3D rendering. Prior to WebGL, there was a layer of technology between the untrusted data on the Internet and the operating system. WebGL-enabled browsers, however, expose the graphics driver stack and hardware, significantly increasing the number of attack vectors. Researchers have already demonstrated graphics memory theft and even denial-of-service attacks using all popular browsers that support WebGL and popular graphics driver stack providers.
  • A lack of policy or access controls on the network. HTML5 increases the attack surface for every user because its features do not require such extensive controls, allowing criminals to poke around a user’s local network.