WebGL security holes highlighted

Context Information Security has published concerns about WebGL on its blog. The technology is increasingly used for 3D graphics online, but Context Information Security says a vulnerability in the Firefox browser “made it possible for malicious web pages to capture any screenshot from a target PC”. The company claims that none of the current implementations comply with WebGL conformance standards, raising serious questions for Khronos, the consortium that drew up the WebGL specification and conformance tests.

The security firm says its original investigations discovered “design-level security issues that provide a ‘back-door’ to low-level parts of the operating system via some graphics cards, which were never designed to defend against this type of threat” and adds that neither Firefox nor Chrome passes the 144 Khronos conformance tests for WebGL, including many related to security.

“While Mozilla has taken steps to mitigate the original vulnerabilities and will fix this latest threat in the new version of its browser, scheduled for release on 21 June, we believe this is the tip of the iceberg for the difficult adoption of this immature technology, leaving users vulnerable,” says Michael Jordon, research and development manager at Context.

He admits it would be unreasonable to expect full conformance to the complete specification of any new standard, but suggests “some areas of WebGL need to be carefully implemented to prevent security issues arising”.

Jordon recommends disabling WebGL until security vulnerabilities are addressed, and suggests investigating the Firefox NoScript plug-in that enables you to selectively disable WebGL.