HTML5 localStorage was designed to allow websites and services to store larger amounts of data on a computer system. It is supported by all modern web browsers and used frequently by sites to save larger amounts of data on a system. All browsers have fixed limits in regards to the data that a domain can save on the local system. Google Chrome limits it to 2.5 Megabyte, Firefox and Opera to 5 Megabyte and Internet Explorer to 10.
According to the standard, this limit should be per origin so that the storage is shared between the root domain and all subdomains.
Feross Aboukhadijeh discovered a glitch in the implementation of HTML5 storage limits in Google Chrome, Opera, Internet Explorer and Safari that allowed him to fill up the entire hard drive of the computer system with data in minutes.
The affected browsers do not limit the storage per origin, so that malicious sites that use lots of subdomains can fill the hard drive in these browsers easily.
The only browser that is not affected by this is Mozilla Firefox which has implemented the standard correctly.
The researcher has created a proof of concept video and site that demonstrates the issue.
The hard drive may be filled by up to 1 Gigabyte per every 16 seconds. The speed depends on the hard drive used and the overall performance and activity of the computer at that time.
Note that 32-bit browser versions may crash before the hard drive is filled completely. The demo site features a button that you can use to reclaim the disk space that has been filled by the script running on it.
It is definitely a scary sight to see how fast the disk space fills up with data on the test site.Bug reports have been filed and while it is too early to tell, it is likely that the issue will be resolved eventually.
It needs to be noted that this can't be misused for malicious activities. While it is bad enough that your hard drive gets filled to the brim in minutes, it is usually a matter of seconds to recover the storage space again.Advertisement
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.