Skip to main content

HTML5 browser exploit could let pranksters fill up your hard drive

HTML5 browser exploit could let pranksters fill up your hard drive

Share this story

WD hard drive 500GB stock 640
WD hard drive 500GB stock 640

Did you know a webpage could fill your hard drive with junk data, unbeknownst to you? It's true: FillDisk.com can do just that, and until web browsers fix the problem, more malicious websites might be able to do it too. Web developer Feross Aboukhadijeh set up FillDisk as a proof of concept to demonstrate a nasty exploit in HTML5: with a simple trick, the Web Storage standard allows any website to place large amounts of data on your drive. It's not technically a hack and won't allow attackers to access your computer, but running out of space still has the potential to be annoying.

Interestingly, the W3C standards body actually anticipated this particular trick, suggesting that web browsers limit how much space is available to a website, or prompt the user before allowing a site to monopolize more than five megabytes at a time. However, while Mozilla Firefox behaves well, the author says Google Chrome, Microsoft Internet Explorer, Apple Safari, and Opera have no storage limit to keep pranksters from misbehaving. We tried FillDisk.com for ourselves on a Windows 8 machine with updated browsers, and sure enough, our drive started filling immediately. Chrome, however, didn't last long before crashing completely, an issue that the team is now aware of. Let's hope these browser vendors make haste in patching the exploit.