Security Flaws Found In WebGL 1.0


Researchers at London-based data consultancy company Context Information Security say they have uncovered serious security flaws in the new WebGL technology that creates 3D graphics in a browser with the same speed and detail as hardware-accelerated applications.

WebGL 1.0 was officially released in March this year by The Khronos Group — a non-profit consortium of companies including Google, Apple, Intel, and Mozilla. The group's aim was to create open standard APIs to display digital interactive media across all platforms and devices.

WebGL 1.0 is essentially a graphics library that extends JavaScript so that developers can create interactive 3D graphics within a browser without using plug-ins.

Context says that design-level security issues give potentially malicious web pages low-level access to graphics cards that could provide a 'back door' for hackers and compromise data stored on Internet-connected machines.

WebGL is currently supported on Linux, OS X, and Windows operating systems, using Firefox 4, Safari, and Google Chrome browsers. In addition to desktops and notebooks, WebGL is also being adopted for use in other devices, including smart phones, and is rapidly increasing in popularity.

"The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted," says Michael Jordon, R&D manager at Context.

"We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure," adds Jordon. "In the short term, individual end users or IT departments can avoid potential problems by simply disabling WebGL within their browsers; but the only long-term solution is for the developers of WebGL itself to ensure that the specification is designed and tested to prevent these types of risks."
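To confirm that the short-term mitigation described above (disabling WebGL in the browser) actually took effect, a page can probe whether a WebGL context is still obtainable. This is an added example, not code from the original article or from Context; `probeWebGL` and `fakeDocument` are hypothetical names, and the `webgl2` probe goes beyond the WebGL 1.0 release the article covers.

```javascript
// Added example: probe whether a page can still obtain a WebGL context.
// "webgl" is the WebGL 1.0 name, "experimental-webgl" the name used by early
// implementations, "webgl2" a later version (beyond this article's scope).
const CONTEXT_NAMES = ["webgl", "experimental-webgl", "webgl2"];

// Returns { enabled, available, errors }.
// `doc` is any object with createElement("canvas"); in a browser pass `document`.
function probeWebGL(doc) {
  const available = [];
  const errors = [];
  for (const name of CONTEXT_NAMES) {
    // Use a fresh canvas per name: a canvas that already holds one context
    // type returns null for a different type, which would hide a real result.
    const canvas = doc.createElement("canvas");
    try {
      // getContext returns null when the context type is unsupported or disabled.
      if (canvas.getContext(name)) available.push(name);
    } catch (e) {
      // Record, rather than swallow, any exception raised during the probe.
      errors.push(name + ": " + e.message);
    }
  }
  return { enabled: available.length > 0, available, errors };
}

// Constructed stand-in for a browser document so the check runs offline
// (for example under Node); `supported` lists the context names it grants.
function fakeDocument(supported) {
  return {
    createElement: () => ({
      getContext: (name) => (supported.includes(name) ? {} : null),
    }),
  };
}

// In a browser this reports the real state; elsewhere it uses the stand-in.
const doc = typeof document !== "undefined" ? document : fakeDocument([]);
console.log(JSON.stringify(probeWebGL(doc)));
```

A result with `enabled: false` and an empty `errors` list is what a browser with WebGL switched off should report.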

