The researchers argue that because any website can create a cache on the user's computer and, in some browsers, do so without that user's explicit permission, an attacker could set up a fake log-in page to a site such as a social networking or e-commerce site. Such a fake page could then be used to steal the user's credentials.
Other researchers were divided about the value of this finding.
"It's an interesting twist but it does not seem to offer network attackers any additional advantage beyond what they can already achieve," wrote Chris Evans on the Full Disclosure mailing list. Evans is the creator of the Very Secure File Transfer Protocol (vsftp) software.
Dan Kaminsky, chief scientist of the security research firm Recursion Ventures, agreed that this work is a continuation of attacks developed before HTML5. "Browsers don't just request content, render it, and throw it away. They also store it for later use ... Lavakumar is observing that the next-generation caching technologies suffer this same trait," he said, in an email interview.
Critics agreed that this attack would rely on a site not using Secure Sockets Layer (SSL) to encrypt traffic between the browser and the Web server, which is still common practice. But even if this work did not unearth a new type of vulnerability, it does show that an old vulnerability can be reused in this new environment.
Johnson says that, with HTML5, many of the new features constitute threats on their own, due to how they increase the number of ways an attacker could harness the user's browser to do harm of some sort.
"For years security has focused on vulnerabilities -- buffer overflows, SQL injection attacks. We patch them, we fix them, we monitor them," Johnson said. But in HTML5's case, it is often the features themselves "that can be used to attack us," he said.
As an example, Johnson points to Google's Gmail, which is an early user of HTML5's local storage capabilities. Before HTML5, an attacker may have had to steal cookies off a machine and decode them to get the password for an online email service. Now, the attacker needs only to gain entry into the user's browser, where Gmail stores a copy of the inbox.
"These feature sets are scary," he said. "If I can find a flaw in your Web application and inject HTML5 code, I can modify your site and hide things I don't want you to see."
With local storage, an attacker can read data from your browser or insert other data there without your knowledge. With geolocation, an attacker can determine your location without your knowledge. With the new version of Cascading Style Sheets (CSS), an attacker can control what elements of a CSS-enhanced page you can see. The HTML5 WebSocket supplies a network communication stack to the browser, which could be misused for surreptitious backdoor communications.
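The local storage point is easy to check for on one's own site. The following is an added example, not code from the article or from any of the products it names: a small audit that walks the HTML5 localStorage of an origin and flags entries that should not persist there (credential-like key names, bearer-token-shaped values, bulk copies of content such as a mailbox), since any script running in that origin, including one injected through a flaw in the Web application, can read all of it. It runs under Node with a constructed in-memory stand-in for the browser's Storage object; the heuristics, key names and sample data are assumptions made for the example. In a browser, pass window.localStorage to auditStorage instead.

```javascript
// Added example (not from the article): audit what a page has left in
// HTML5 localStorage and purge the entries that should not persist.

// Minimal stand-in for the browser Storage interface (constructed for this
// example so the audit can run under Node without a browser).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Heuristics (assumptions for this example) for values that should not sit
// in persistent, origin-wide readable storage.
const SENSITIVE_KEY = /(pass(word)?|secret|token|session|auth|cookie|credential)/i;
const JWT_LIKE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$/;
const EMAIL_ADDR = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;

// Return the list of reasons one entry is suspicious (empty when it is not).
function classifyEntry(key, value) {
  const reasons = [];
  if (SENSITIVE_KEY.test(key)) reasons.push('key name suggests a credential');
  if (JWT_LIKE.test(value)) reasons.push('value looks like a bearer token');
  if (value.length > 4096) reasons.push(`large payload (${value.length} bytes)`);
  if (EMAIL_ADDR.test(value) && value.length > 256) reasons.push('bulk content containing e-mail addresses');
  return reasons;
}

// Walk every key in a Storage object and collect the flagged entries.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key) ?? '';
    const reasons = classifyEntry(key, value);
    if (reasons.length) findings.push({ key, bytes: value.length, reasons });
  }
  return findings;
}

// Defensive counterpart, e.g. run on logout: remove the flagged entries and
// report how many were cleared.
function purgeSensitive(storage) {
  const flagged = auditStorage(storage).map(f => f.key);
  flagged.forEach(k => storage.removeItem(k));
  return flagged.length;
}

// Constructed sample of what a webmail-style application might leave behind:
// a harmless preference, a token, and a cached copy of the inbox.
function sampleStorage() {
  const s = new MemoryStorage();
  s.setItem('ui.theme', 'dark');
  s.setItem('authToken', 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyQGV4YW1wbGUuY29tIn0.c2lnbmF0dXJlLWNvbnN0cnVjdGVk');
  s.setItem('inbox.cache', JSON.stringify(Array.from({ length: 60 }, (_, i) =>
    ({ from: `sender${i}@example.com`, subject: `Message ${i}`, body: 'x'.repeat(120) }))));
  return s;
}

if (typeof require !== 'undefined' && require.main === module) {
  const s = sampleStorage();
  console.table(auditStorage(s));
  console.log(`purged ${purgeSensitive(s)} entries; ${s.length} remain`);
}
```

On the sample data the audit flags the token (by key name and by shape) and the cached inbox (by size and by its e-mail content) while leaving the theme preference alone; purging then clears those two keys. The same walk over window.localStorage, run from the site's own logout handler or from a developer console, shows what a script injected into the origin would be able to read.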
This is not to say that the browser makers are oblivious to this issue. Even as they work to add in the support for the new standards, they are looking at ways to prevent their misuse. At the Usenix symposium, Stamm noted some of the techniques that the Firefox team is exploring to mitigate damage that could be done with these new technologies.
For instance, they are working on an alternative plug-in platform, called JetPack, that would keep tighter control of what actions a plug-in could execute. "If we have complete control of the [application programming interface], we're able to say, 'This add-on is requesting access to Paypal.com, would you allow it?'" Stamm said.
JetPack may also use a declarative security model, in which the plug-in must declare to the browser each action it intends to undertake. The browser then would monitor the plug-in to ensure it stays within these parameters.
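To make the declarative model concrete, here is an added example, not Mozilla's JetPack code: a broker that holds an add-on's declared manifest (which actions it will perform and which hosts it will contact), allows calls that stay inside that declaration, denies everything else, and keeps a log so that requests outside the declared parameters are visible for review or for a user prompt of the kind Stamm describes. The manifest shape, host-pattern syntax and action names are assumptions made for this example.

```javascript
// Added example (not JetPack code): enforcing a declarative add-on security
// model. The add-on declares actions and hosts up front; the broker checks
// every request against that declaration and records the decision.

// Turn a declared host pattern such as "*.example.com" into a matcher
// (pattern syntax is an assumption for this example).
function hostMatcher(pattern) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1).toLowerCase();      // ".example.com"
    return h => h === suffix.slice(1) || h.endsWith(suffix);
  }
  const exact = pattern.toLowerCase();
  return h => h === exact;
}

class AddonBroker {
  constructor(manifest) {
    this.name = manifest.name;
    this.actions = new Set(manifest.actions ?? []);      // e.g. "network", "storage"
    this.hosts = (manifest.hosts ?? []).map(hostMatcher);
    this.log = [];
  }

  // Decide whether a request stays within the declared parameters.
  // Returns { allowed, reason } and appends the decision to the log.
  check(action, url) {
    let decision;
    if (!this.actions.has(action)) {
      decision = { allowed: false, reason: `action "${action}" not declared` };
    } else if (action === 'network') {
      let host;
      try { host = new URL(url).hostname.toLowerCase(); } catch { host = null; }
      if (host === null) decision = { allowed: false, reason: 'malformed URL' };
      else if (this.hosts.some(m => m(host))) decision = { allowed: true, reason: `host ${host} declared` };
      else decision = { allowed: false, reason: `host ${host} not declared` };
    } else {
      decision = { allowed: true, reason: `action "${action}" declared` };
    }
    this.log.push({ addon: this.name, action, url: url ?? null, ...decision });
    return decision;
  }

  // Requests made outside the declaration: what a reviewer would inspect,
  // or what a browser could surface to the user as a permission prompt.
  violations() { return this.log.filter(e => !e.allowed); }
}

// Constructed manifest for a hypothetical add-on.
const sampleManifest = {
  name: 'price-watcher',
  actions: ['network', 'storage'],
  hosts: ['api.shop.example', '*.cdn.example'],
};

// Run a mix of declared and undeclared requests through the broker.
function runScenario() {
  const broker = new AddonBroker(sampleManifest);
  broker.check('network', 'https://api.shop.example/prices');   // declared host
  broker.check('network', 'https://img.cdn.example/logo.png');  // wildcard match
  broker.check('storage');                                      // declared action
  broker.check('network', 'https://www.paypal.com/');           // host not declared
  broker.check('geolocation');                                  // action not declared
  return broker;
}

if (typeof require !== 'undefined' && require.main === module) {
  const b = runScenario();
  for (const e of b.log) console.log(`${e.allowed ? 'ALLOW' : 'DENY '} ${e.action} ${e.url ?? ''} (${e.reason})`);
  console.log(`${b.violations().length} request(s) outside the declared envelope`);
}
```

The point of the design is that the declaration is made before the add-on runs, so the browser (or a reviewer reading the manifest) knows the complete envelope of intended behaviour, and anything outside it is a decision to deny or to ask the user about rather than something discovered after the fact.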
Still, whether browser makers can do enough to secure HTML5 remains to be seen, critics contend.
"The enterprise has to start evaluating whether it is worth these features to roll out the new browsers," Johnson said. "This is one of the few times you may hear 'You know, maybe [Internet Explorer]6 was better.'"