…And Why HTML5 May Be A Hacker’s Dream

Andy Greenberg over at Forbes’ “Firewall” has this curtain-lifter from next week’s Black Hat conference on Internet security.   Greenberg reports that one of next week’s presenters, security researcher (a.k.a. “reformed hacker”) Lavakumar Kuppan will demonstrate HTML5’s enhancements will also give malicious hackers to access other users browsers for nearly any nefarious purposes.

How bad could this be?  Maybe as bad as giving a thief the town’s master key.  That, after the jump.Although it’s still being fully developed, much is already known about the structure of the HTML5 revamp.  Most people will instantly see it’s greater flexibility – audio and video players won’t always require third-party plug-ins, drag-and-drop features will be enhanced, and overall ease and transparency of use will go up.

However, all that flexibility may come at a cost.  Greenberg writes:

“HTML5 allows a website to run javascript processes that request data from another site, and to launch invisible scripts “in the background” on a user’s machine for long periods of time, says Kuppan. “With HTML4, after twenty seconds the browser would freeze,” he says.

That means a user who’s tricked into visiting a malicious site can have his browser borrowed to perform a criminal’s bidding for hours at a time–as long as the user leaves the page open. Though few sites use HTML5 today, any browser that’s HTML5 compatible–the latest versions of Firefox, Chrome, and Safari, for instance, but not Internet Explorer–can be hijacked by Kuppan’s tricks.”

No doubt these concerns were already known to HTML5’s developers.  Even if they weren’t, they are now, and hopefully will be addressed.  But what other holes may exist in the web’s latest standard?