Buggy HTML5 Storage implementation fills up your hard drive in minutes
HTML5 localStorage was designed to allow websites and services to store larger amounts of data on a computer system. It is supported by all modern web browsers and used frequently by sites to save larger amounts of data on a system. All browsers have fixed limits in regards to the data that a domain can save on the local system. Google Chrome limits it to 2.5 Megabyte, Firefox and Opera to 5 Megabyte and Internet Explorer to 10.
According to the standard, this limit should be per origin so that the storage is shared between the root domain and all subdomains.
Feross Aboukhadijeh discovered a glitch in the implementation of HTML5 storage limits in Google Chrome, Opera, Internet Explorer and Safari that allowed him to fill up the entire hard drive of the computer system with data in minutes.
The affected browsers do not limit the storage per origin, so that malicious sites that use lots of subdomains can fill the hard drive in these browsers easily.
The only browser that is not affected by this is Mozilla Firefox which has implemented the standard correctly.
The researcher has created a proof of concept video and site that demonstrates the issue.
The hard drive may be filled by up to 1 Gigabyte per every 16 seconds. The speed depends on the hard drive used and the overall performance and activity of the computer at that time.
Note that 32-bit browser versions may crash before the hard drive is filled completely. The demo site features a button that you can use to reclaim the disk space that has been filled by the script running on it.
It is definitely a scary sight to see how fast the disk space fills up with data on the test site.Bug reports have been filed and while it is too early to tell, it is likely that the issue will be resolved eventually.
It needs to be noted that this can't be misused for malicious activities. While it is bad enough that your hard drive gets filled to the brim in minutes, it is usually a matter of seconds to recover the storage space again.
Advertisement
In Firefox, Dom storage can be disabled with dom.storage.enabled set to false from within about:config.
It’s set to true at this time simply because some sites, very few, require it in order to display (e.g. wikimapia.org) but before that I had it always set to false. Perhaps I should reverse to paranoid settings !
Am I missing something ? I’m using Firefox every day, and I have Opera and IE as backup.
I have tested with IE and I don’t have any problem: “Used 3020 MB of disk space!” of tro lo lo lo and still my space is OK. Maybe because I set the IE as:
“Check for newer vers. -> Never”
and disk space to use 199MB
1. In IE 9 no problem
2. In Opera no problem: https://i.minus.com/joWictvrlim0q.png with the difference that in IE I could see all these cats and hear the song :P
Opera > Tools > Preferences > Advanced > Storage
‘Use application cache’ – yes, no, ask me.
I tried it IE9 and waited for it to go up to 2000MB but none of drives had 2GB of data written to them
I assume it isn’t downloading this data, but replicating/generating it locally on the computer?
If I’m not mistaken, the developer of the mega add-on for Firefox claimed that the limitation in Firefox is actually a flaw, or downside and they needed an add-on specifically for Firefox because the other browsers didn’t have the same issue. Oh, and that’s why they’re better. The unlimited offline storage.
Everything comes around.
There is an interesting Firefox add-on related to this article’s topic :
Shim Storage ( https://addons.mozilla.org/en-US/firefox/addon/shim-storage/ )
Quote from the developer :
“If your disabling localStorage or sessionStorage many sites stops working. Not cause they actually need the database, but cause they expect it to be there.
This extension allows you to define a list of domains where a shim should be defined so the page will actually work. No data will be stored anywhere outside the page.
NOTE: This extension has no effect if you don’t set dom.storage.enabled to false.”
Works perfectly well here.