X
Business

HTML5's WebGL is a security risk, says Context (Updated)

Context Information Security says it has uncovered "serious security flaws in the new WebGL technology that creates 3D graphics in a browser". The design flaws give "potentially malicious web pages low level access to graphics cards that could provide a ‘back door’ for hackers and compromise data stored on internet-connected machines".
Written by Jack Schofield, Contributor

Context Information Security says it has uncovered "serious security flaws in the new WebGL technology that creates 3D graphics in a browser". The design flaws give "potentially malicious web pages low level access to graphics cards that could provide a ‘back door’ for hackers and compromise data stored on internet-connected machines". Since the WebGL specification is built on top of the HTML 5 canvas element, any insecurities could develop into widespread threats.

Context has described its criticisms, and provided brief proof-of-concept examples, in a comprehensive blog post, WebGL - A New Dimension for Browser Exploitation.

Michael Jordon, Context's research and development manager, said in a statement:

"The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted. While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial of service attacks, potentially leading to full exploitation of a user's machine. We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure."

Context recommends that users and corporate IT managers "consider disabling WebGL in their web browsers".

The Khronos Group's specification of WebGL includes a Security section. This says: "the WebGL implementation must ensure that the shader cannot access either out of bounds or uninitialized data". It also warns against denial of service (DoS) attacks, saying:

"It is possible to create, either intentionally or unintentionally, combinations of shaders and geometry that take an undesirably long time to render. This issue is analogous to that of long-running scripts, for which user agents already have safeguards. However, long-running draw calls can cause loss of interactivity for the entire window system, not just the user agent. "In the general case it is not possible to impose limits on the structure of incoming shaders to guard against this problem. Experimentation has shown that even very strict structural limits are insufficient to prevent long rendering times, and such limits would prevent shader authors from implementing common algorithms."

It's not unusual for new technologies to have security flaws. However, not many new technologies are likely to see such widespread adoption as WebGL.

Update: On its website, Khronos Group comments on WebGL Security, saying it "has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content, and is continuing to rapidly iterate on security-related functionality". It adds:

"The ability to incorporate cross-domain images into WebGL scenes provides great utility to developers, but the WebGL working group is considering requiring Cross Origin Resource Sharing (CORS) opt-in or other mechanisms to prevent abuse of this capability."

@jackschofield

Editorial standards