WebGL undermines security

Insecurity experts from Context claim that the WebGL standard is a security hole waiting to be exploited.

According to the outfit’s site, WebGL goes against many of the security structures set up by current operating systems and creates new attack possibilities.

For example, to enable rendering of demanding 3D animations, WebGL allows web sites to execute shader code directly on a system’s graphics card.

If a hacker wanted, it could be exploited to take a system out completely. A hacker could get the GPU to render especially complex 3D models or run very processor-intensive shader programs.

This is not the first warning about WebGL which has been issued. Khronos, which is responsible for WebGL, has warned of this problem in the WebGL specification before.

Context claims they have got a machine to blue screen of death (BSOD) by using targeted overloading of the graphics cards.

This could allow an attacker to exploit any security vulnerabilities in the graphics card driver to, for example, inject malicious code onto the system.

Windows 7 and Vista have a mechanism for resetting an overloaded graphics card after about two seconds, the researchers found that this can create a blue screen of death after a certain number of resets.

If a GPU driver contains vulnerabilities, WebGL could allow injection of malicious code onto a system.

Context used WebGL to get around the same-origin policy. WebGL uses HTML5’s canvas to draw objects in the browser.

Context warned that WebGL is simply not yet ready for primetime. They advise users and IT administrators to think seriously about deactivating WebGL support in their browsers. The latest versions of Firefox, Chrome and Safari all support WebGL. Opera has released an Opera 11 preview with WebGL support.