Is WebGL a Security Problem?


Researchers from Context Information Security have warned that the WebGL standard undermines the security model of current operating system versions and opens up new attack surfaces. WebGL extends the JavaScript programming language so that it can generate interactive 3D graphics within compatible web browsers without requiring plugins.

WebGL, managed by the non-profit Khronos Group, is a context of the canvas HTML element that provides a 3D computer graphics API without the use of plug-ins.[2] The specification was released as version 1.0 on March 3, 2011.

The researchers report that they were able to trigger a blue screen of death (BSOD) through targeted overloading of the graphics card. According to the report, this could allow an attacker to exploit any security vulnerabilities in the graphics card driver to, for example, inject malicious code onto the system. Although Windows 7 and Vista have a mechanism for resetting an overloaded graphics card after about two seconds, the researchers found that this too results in a blue screen of death after a certain number of resets. In practice, this means that if a graphics card driver contains vulnerabilities, WebGL could allow injection of malicious code onto a system.

The researchers have released an online demo (https://www.contextis.com/resources/blog/webgl/poc/index.html) to illustrate the problem. In the researchers' opinion, WebGL is simply not yet ready for primetime.

The Khronos Group has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content, and is continuing to rapidly iterate on security-related functionality.
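
The out-of-range memory access mentioned above can be pictured as an indexed draw call whose indices point past the end of the vertex buffer; the sketch below models the range check that rejects such a draw before it reaches the driver. It is an added example, not code from Context, Khronos or any browser, and the function names, attribute layout and sample buffers are constructed for illustration.

```javascript
// Added illustration: models the range check that keeps an indexed draw
// from reading past the end of a vertex buffer. All names are hypothetical.

// Bytes per component for the attribute types used below (constructed subset).
const TYPE_SIZE = { FLOAT: 4, UNSIGNED_BYTE: 1, SHORT: 2 };

// Highest vertex index that can be fetched without leaving the buffer.
// Returns -1 when not even vertex 0 fits.
function maxFetchableVertex(bufferByteLength, attrib) {
  const elemBytes = TYPE_SIZE[attrib.type] * attrib.size;
  const stride = attrib.stride === 0 ? elemBytes : attrib.stride; // 0 = tightly packed
  const usable = bufferByteLength - attrib.offset - elemBytes;
  if (usable < 0) return -1;
  return Math.floor(usable / stride);
}

// Decide whether an indexed draw may proceed; nothing is drawn on failure.
function validateIndexedDraw(indices, first, count, bufferByteLength, attribs) {
  if (!Number.isInteger(first) || !Number.isInteger(count) || first < 0 || count < 0) {
    return { ok: false, reason: "negative or non-integer range" };
  }
  if (first + count > indices.length) {
    return { ok: false, reason: "index range exceeds index buffer" };
  }
  // The attribute that runs out of storage first bounds the whole draw.
  let limit = Infinity;
  for (const a of attribs) limit = Math.min(limit, maxFetchableVertex(bufferByteLength, a));
  for (let i = first; i < first + count; i++) {
    if (indices[i] > limit) {
      return { ok: false, reason: `index ${indices[i]} at position ${i} exceeds max vertex ${limit}` };
    }
  }
  return { ok: true, reason: "all referenced vertices are inside the buffer" };
}

// Constructed sample: 4 vertices, each 3 floats (position) + 4 bytes (colour), 16-byte stride.
const SAMPLE_ATTRIBS = [
  { type: "FLOAT", size: 3, stride: 16, offset: 0 },
  { type: "UNSIGNED_BYTE", size: 4, stride: 16, offset: 12 },
];
const SAMPLE_BUFFER_BYTES = 4 * 16;
const GOOD_INDICES = new Uint16Array([0, 1, 2, 2, 1, 3]);
const BAD_INDICES = new Uint16Array([0, 1, 2, 2, 1, 4000]); // last index is far outside

console.log(validateIndexedDraw(GOOD_INDICES, 0, 6, SAMPLE_BUFFER_BYTES, SAMPLE_ATTRIBS));
console.log(validateIndexedDraw(BAD_INDICES, 0, 6, SAMPLE_BUFFER_BYTES, SAMPLE_ATTRIBS));
```

The third case worth noting is a buffer that is only slightly too short: with 60 bytes instead of 64, the colour attribute of vertex 3 no longer fits, so the same "good" index list is rejected.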