Chemical Safety Incidents
HTML5: Browser Botnets Lurking
Monday, April 30, 2012 @ 03:04 PM gHale
HTML5, the revamped markup language, could show great benefits, but could also be the beginning of a new batch of browser-based botnets and other attacks.
The new features in HTML5, from WebSockets to cross-origin requests, could scare security professionals and turn browsers like Chrome and Firefox into complete cybercrime toolkits, said Robert McArdle, a senior threat researcher at Trend Micro during a talk at the B-Sides Conference in London last week.
Creating botnets by luring punters into visiting a malicious web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers a number of advantages to hackers.
Additional dangers involve social engineering using HTML5′s customizable pop-ups that appear outside the browser to fool users into believing the wording on an alert box. More convincing phishing attacks can occur using the technique, McArdle said.
“The good stuff in HTML5 outweighs the bad,” he said. “We haven’t seen the bad guys doing anything bad with HTML5 but nonetheless it’s good to think ahead and develop defenses.”
Web developers should make sure their sites are not vulnerable to Cross-Origin Resource sharing, cross-domain messaging or local storage attacks, McArdle said. Utilities such as NoScript can also help punters.
More details on HTML5 attack scenarios and possible defenses are at html5security.org, a website devoted to the topic.