"FillDisk.com" free space will decrease freely just by accessing

When accessing with browsers other than Firefox, IE · Chrome · Safari (including iOS version including iPhone / iPad) · Opera etc, use the mechanism of HTML5 "localStorage" to automatically fill the free space by accessing The terrifying site to go is "FillDisk.com"is.

Fill up your hard disk with just a single click - using HTML5 localStorage!(The music will be ringing)
http://www.filldisk.com/

The following movie recorded the state that the above address was accessed by Chrome, and the space decreasing rapidly. For Chrome it's a 32-bit browser, so before the disk gets fullCrash and end automaticallyI will do.

FillDisk HTML5 exploit - YouTube


So, when I actually accessed it from Google Chrome on Windows 7 in hand, I found that the amount of free space has been steadily decreasing and crash when 965 MB is filled.


Restart and click "Restore" in the upper right


Then the landfill work continued, and this time it crashed at 1610 MB


Furthermore, the next time it crashed at 2010 MB. To delete the landfilled capacity, click the "Stop the madness!" Button and it will be deleted more and more.


According to the following site which explains the mechanism, in the case of the MacBook Pro Retina display model, 1 GB of free space will be lost every 16 seconds.

Introducing the HTML5 Hard Disk Filler API >> Feross.org
http://feross.org/fill-disk/


Why is this like this, the file size limit is set for each domain in the local storage that can be saved with 2.5 MB for Google Chrome, 5 MB for Firefox and Opera, 10 MB for IE 10, etc. However, it is because you can save as much indefinitely by using subdomains. For example, by automatically loading in order such as 1. fillillisk.com · 2.filldisk.com · 3.filldisk.com ......, it becomes possible to perform an attack which continues filling until the free space of the disk runs out That's why.

Although the experiment site "FillDisk.com" is a kind design that informs the viewer that it is accessing by enormously sounding BGM, if it is secretly embedded in the site, I do not know If you stepped on via a shortened URL etc. in the middle of that attack page, during the opening of the attack page, the free space will become zero and continue filling up until the crash It is possible state.

The source code can be downloaded from the following site.

Feross / filldisk.js · GitHub
https://github.com/feross/filldisk.js


Meanwhile, Firefox has already taken measures to prevent such attacks, and does not work even when accessing the site. It is a form that has been proved oddly that it is certainly quite careful about "safety" in the middle of the tagline "fast, safe and customizable free browser", and for each other browser already This issue has been reported and should have been fixed at the next update.