Researcher warns of WebGL security holes

A security consultancy claims to have found "serious security flaws" in the WebGL standard, which could leave those looking to do a bit of browser-based 3D rendering in peril.

"We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem - but is down largely to the WebGL specification - which is inherently insecure," claimed Michael Jordon of Context Information Security, detailing what he believes is a glaring hole in the security of the WebGL standard itself.

Developed by The Khronos Group and officially released in March this year, WebGL gives web applications a standard mechanism for accessing the same high-powered 3D rendering resources that the group's OpenGL specification offers to desktop applications.

It's an important step on the road to the 'cloud-connected' future promised by platforms such as Google's ChromeOS. But Jordon warns that it could lead to some major security issues in the near future.

"The risks stem from the fact that most graphics cards and drivers have not been written with security in mind," Jordon explained to thinq_ earlier today, "so that the interface - API - they expose assumes that the applications are trusted.

"While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross-domain security principle to denial of service attacks, potentially leading to full exploitation of a user’s machine."

If true, it's a major blow for the standard, and potentially opens an attack vector into all computing platforms for which WebGL is available - including Windows, Mac and Linux as well as smartphone and tablet platforms.

To prevent attacks, Jordon believes that administrators should look at disabling WebGL altogether, but he warns that the specification's creators need to do more work on the standard to ensure that future use doesn't lead to security concerns. "In the short term, individual end users or IT departments can avoid potential problems by simply disabling WebGL within their browsers," he explained, "but the only long term solution is for the developers of WebGL itself to ensure that the specification is designed and tested to prevent these types of risks."

A full analysis of the risks, complete with proof-of-concept executions of certain attacks, is available on Context IS's website.

The Khronos Group has yet to respond to our request for comment on Jordon's claims.