Enisa: W3C web standards pose 51 security threats

Summary:Enisa, the EU's information security agency, has found 51 flaws in HTML 5 and other upcoming web standards that could let an attacker steal confidential information

Emerging web standards have over 50 security design flaws, many of which could allow an attacker to steal information, the EU's security agency has warned.

During year-long research, the European Network Information Security Agency (Enisa) discovered 51 vulnerabilities in 13 upcoming World Wide Web Consortium (W3C) standards and specifications, the agency said in a report on Monday. Among these were issues with the HTML 5 standard, which is being used by Microsoft, Adobe and others in their latest web browsers.

"They're not rootkit-type vulnerabilities, they're more likely to allow an attacker to control a browser context," Giles Hogben, a network security expert at Enisa, told ZDNet UK. "For example, a dodgy page could get information from a legitimate page."

Using the flaws, an attacker could trick people into installing malware to give the hacker remote control of their system, he added. Many could allow a criminal to steal information using form submission and cross-domain requests, according to Enisa.

Possible attacks

In HTML 5, one of the serious design vulnerabilities opens the door to form-tampering through HTML injection. In one scenario, a person buying goods online enters credit card number and other information into a web form. HTML 5 allows buttons, such as a submit button, to exist outside a web form. With the design flaw, an attacker could trick the buyer into sending the financial information to an unintended destination using a malicious button.

They're not rootkit-type vulnerabiltites, they're more likely to allow an attacker to control a browser context.

– Giles Hogben, Enisa

Another possible attack outlined by Enisa turns a browser security feature — a sandbox — into a method of subverting HTML 5 security. Putting websites into a sandbox prevents them from accessing the system via the browser. However, the attack described by Enisa uses the sandbox to disable protection against clickjacking. In clickjacking, a user is fooled into clicking on a seemingly innocuous web object such as a button, which then reveals confidential information.

The HTML 5 specification allows a hacker to put a malicious page inside a sandboxed iframe, disabling top-level navigation, and leaving the user open to clickjacking.

Another flaw highlighted by Enisa, in the Geoloc-Secure-3 cache API specification, lets a hacker retrieve information about the user's location from the cache. In addition, the specification fails to set an upper limit to how long geolocation data is stored in the cache, leaving people open to attacks that give away their movements.

W3C

The W3C has time to change some of the standards, but some may not be reworked to mitigate the flaws completely, according to Hogben. For example, the consortium is unlikely to fully mitigate the HTML 5 form-filling threat through the standard, he said.

"Some of the flaws we don't expect to be [fully] fixed... especially the one about the forms, as the functionality should be in there for a reason," said Hogben. "We don't expect W3C to take the forms functionality out of the spec."

The standards have been developing for varying amounts of time, and Enisa has submitted its report to W3C in time for W3C working groups to consider before specifying the final standards.

"We have worked with Enisa in preparing this review to ensure that it is relevant and timely to the standards work that is going on. What you are seeing here is the security review process functioning as it should: Independent review identifies possible security issues; the relevant Working Groups then analyse and address the issues raised," the W3C said in a statement.

"The relevant W3C working groups will indeed address these vulnerabilities according to the usual W3C process," it added.


Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.