Web developer Feross Aboukhadijeh has presented a simple-to-execute exploit that allows a website to secretly download gigabytes of garbage data to users’ computers.
The developer said that the exploit, called FillDisk.com, loads the data onto the hard drive without the user's cooperation and works in the Google Chrome, Microsoft Internet Explorer and Apple Safari browsers.
FillDisk.com uses standard web storage, including that of the HTML5 specification. These standards let developers make a site easier to use, because data is saved directly to the visitor's hard drive. This feature can be useful if the user has to fill out long forms: if the browser is closed before the form is completely filled in, the previously entered data will be available on the next visit.
The developers of the standards specifically warn that site creators should not abuse this feature and should limit the amount of data that can be written to a user’s hard drive.
Chrome, IE and Safari do limit this amount; however, the restriction applies to each subdomain and not to the primary domain the subdomains belong to. The FillDisk.com exploit creates subdomains, for example 1.filldisk.com or 2.filldisk.com, and loads the maximum permitted amount of data on each of them.
Of all the browsers the developer tested, only Firefox blocks the download.
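The difference between limiting each subdomain and limiting the primary domain can be modelled with a small quota tracker. This is an added illustration, not code from FillDisk.com or from any browser; the 5 MB limit, the host `site.example` and the "last two labels" rule for finding the primary domain are assumptions made for the example.

```javascript
// Added illustration: storage quota accounting keyed per subdomain vs. per primary domain.
// Assumptions: LIMIT_BYTES is a constructed value; primaryDomain() takes the last two
// host labels, whereas a real browser would consult the Public Suffix List.
const LIMIT_BYTES = 5 * 1024 * 1024;

function primaryDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

class QuotaTracker {
  constructor(keyFn, limit = LIMIT_BYTES) {
    this.keyFn = keyFn;    // maps a host to the bucket its quota is charged against
    this.limit = limit;
    this.used = new Map(); // bucket -> bytes already stored
  }

  // Returns true if the write fits in the bucket's remaining quota, false otherwise.
  write(host, bytes) {
    const key = this.keyFn(host);
    const current = this.used.get(key) || 0;
    if (current + bytes > this.limit) return false;
    this.used.set(key, current + bytes);
    return true;
  }

  total() {
    let sum = 0;
    for (const bytes of this.used.values()) sum += bytes;
    return sum;
  }
}

// Model numbered subdomains (1.<base>, 2.<base>, ...) each storing the maximum amount.
function simulate(tracker, base, subdomainCount) {
  let rejected = 0;
  for (let i = 1; i <= subdomainCount; i++) {
    if (!tracker.write(`${i}.${base}`, tracker.limit)) rejected++;
  }
  return { storedBytes: tracker.total(), rejected };
}

// Constructed scenario: 100 subdomains of site.example under each policy.
const perSubdomain = simulate(new QuotaTracker(h => h.toLowerCase()), 'site.example', 100);
const perPrimary = simulate(new QuotaTracker(primaryDomain), 'site.example', 100);
console.log({ perSubdomain, perPrimary });
```

With the quota charged per subdomain, the total stored grows linearly with the number of subdomains; charged against the primary domain, it stays at one limit and every further write is refused.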
According to its creator, the exploit is designed so that it cannot compromise user data or upload any malware. However, the “bombing” with data can cause some versions of the Google Chrome browser to crash.