HTML5 Tricks Hijack Browsers To Crack Passwords, Spew Spam – Andy Greenberg – The Firewall – Forbes

HTML5 Tricks Hijack Browsers To Crack Passwords, Spew Spam – Andy Greenberg – The Firewall – Forbes.

As usual, new technology spawns new threats. HTML5 will be no different.

HTML5 allows a website to run javascript processes that request data from another site, and to launch invisible scripts “in the background” on a user’s machine for long periods of time, says Kuppan. “With HTML4, after twenty seconds the browser would freeze,” he says.

And this:

Once the hacker has control of a user’s browser, it can be used to do all the same sorts of unpleasant things that botnets of malware-hijacked computers generally do: By repeatedly requesting data from another site–Kuppan says javascript can make around 10,000 requests a minute–it can overwhelm a target’s server and knock it offline. Or by creating and filling the sort of entry field typically used on corporate websites for leaving feedback, it can send mass emails to a list of addresses.

And this:

To keep users on a page longer while his scripts run, Kuppan suggests a trick that involves a clever form of “clickjacking.” Using javascript, an invisible link can be inserted wherever a user clicks on a page to open another tab with the desired destination. Since most users leave unused tabs unattended, a script can run on the original tab, potentially for hours, without the user’s knowledge.

We will need a tool which gives users better visibility into what’s going on their workstations and the ability to either automatically take actions against anomalous behavior or give users options to take actions.

HTML5 security concerns

Via ThreatPost: Security a Concern as HTML5 Gains Traction

This article and an earlier blog post from Veracode entitled, HTML5 Security in a Nutshell, itemize some of the new HTML5 features which can be seen as new threat vectors including (1) Local database and session storage, (2) sandboxing, and (3) postMessage().

Every new technology increase risks, at the very least, because people misunderstand how to use it and bad actors know this. Therefore as a new technology, in this case, HTML5 gains traction, cyber criminals are drawn to it as well. We’ve seen the same thing happen with Web 2.0 applications, social networking, and virtualization.

If the major security vendors don’t respond to the new threats, you can be sure that new security vendors will.