09 May 2011
Security researchers are warning web users to turn off WebGL in their browser after identifying serious security issues inherent in the standard which could allow attacks on the GPU, rendering a victim's machine unusable or even putting sensitive data at risk.
Security consultancy Context Information Security said that the web standard, which was designed to enable 3D graphics on any computer with a compatible browser, is dangerous because it allows browser content to almost directly access a PC's graphics hardware.
This graphics hardware has often not been designed with security in mind, so the related API assumes that all applications are trusted when actually they may not be, exposing the machine to attack, said Context senior security consultant James Forshaw in a blog post.
Cyber criminals could launch denial-of-service (DoS) attacks by creating "shader programs" or drawing deliberately complex 3D geometry that causes the GPU hardware to spend a long time rendering.
"It is easy to trivialise client DoS attacks when the only affected component is the browser process. However, in this case the attack can completely prevent a user being able to access their computer, making it considerably more serious," Forshaw added.
"In certain circumstances Context has observed the operating system crashing (i.e. blue screen of death). These crashes can be benign (from an exploitability sense) to ones where the driver code has faulted causing potentially exploitable conditions."
As well as DoS attacks, Context warned of potential cross-domain image theft attacks, which the consultancy has demonstrated as a proof of concept.
WebGL was only released in March but, with Firefox 4 and Google Chrome having the functionality enabled by default, Context warned that it should be switched off.
"Based on this limited research Context does not believe WebGL is really ready for mass use, and recommends that users and corporate IT managers consider disabling WebGL in their web browsers," Forshaw concluded.
"While there is certainly a demand for high-performance 3D content to be made available over the web, the way in which WebGL has been specified insufficiently takes into account the infrastructure required to support it securely."
V3.co.uk contacted Khronos Group, the not-for-profit consortium responsible for WebGL, and was told by a spokesperson that it takes such claims seriously and is currently evaluating them.
Completely locks up Chrome on my Mac
Here is one of the examples from the blog: http://bit.ly/chromecrasher. I hope Chrome fixes this issue as soon as possible. It locked up the entire MacBook and I had to do a reset.
Posted by: Anthony Hinxton 09 May 2011