Warnings made of potential flaws in WebGL technology

Serious security flaws have been detected in the new WebGL technology that allows the creation of 3D graphics in a browser.

According to researchers at Context Information Security, design level security issues give potentially malicious web pages low-level access to graphics cards that could provide a backdoor for hackers and compromise data stored on internet-connected machines.

Michael Jordon, research and development manager at Context, said: “The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface they expose assumes that the applications are trusted.

“While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats from breaking the cross domain security principle to denial-of-service attacks, potentially leading to full exploitation of a user's machine.

“We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure.”

He recommended disabling WebGL within browsers initially and for WebGL developers to ensure that the specification is designed and tested to prevent these types of risks in the long term.

WebGL is currently supported on Linux, Mac OS X and Windows operating systems, using Firefox 4, Safari and Google Chrome browsers. It was officially released in March by The Khronos Group, a non-profit consortium of companies including Google, Apple, Intel and Mozilla, working to create open standard APIs to display digital interactive media across all platforms and devices.

Sign up to our newsletters