Video Essentials

Is HTML5 Video a Security Threat?


While HTML5 is going to play a major role in shaping the future of online video, some people are worrying that its ability to play video without plug-ins could put browsers at risk.

PandaLabs, the anti-malware lab of security software company Panda Security, recently issued a list of ten security predictions for 2011. Number nine on the list was the potential threat from HTML5.

“HTML5 is the perfect target for many types of criminals and could eventually replace Flash. It can be run by browsers without any plug-ins, making it even more attractive to find a security hole that can be exploited to attack users regardless of which browser they use. PandaLabs expects to see the first attacks on HTML5 in the coming months,” the prediction said.

Speaking from the company’s headquarters in Spain, Luis Corrons, the head of PandaLabs, said that while HTML5 isn’t a risk in itself, it’s likely to become a popular target of cybercriminals looking for a weakness to exploit.

While Flash videos require a plug-in to play, HTML5 can play videos natively, making it a tempting target. If criminals do find a security hole, they could theoretically take over any user’s browser. The more possible victims, the more money a criminal stands to make.

A likely scenario is that criminals could create a site that copies the look of a popular video destination, such as YouTube, and send out disguised e-mails inviting readers to click to see a video. A piece of malware could then infect the user’s computer while they watch the video.

The point of PandaLabs’ predictions wasn’t to scare readers, but to make people aware of how changing technologies can lead to new vulnerabilities. The best safeguard is to use security software that takes a proactive approach to possible vulnerabilities rather than simply reacting to new attacks, and to keep that software up-to-date.

While he says it’s difficult working with threats that haven’t even occurred yet, Corrons says that it’s the job of security software to block suspicious behaviors and anticipate new threats. While no security company will anticipate every threat, that’s the best way to combat new risks. In the case of HTML5 video, that means researching how Flash Video has been exploited by criminals in the past and seeing if that might lead to ways to protect browsers in the future.

“HTML5 is universal for all browsers, so it’s attractive to criminals. They’ll try to open any security hole in order to infect the users,” says Corrons.




Discussion

Comments for “Is HTML5 Video a Security Threat?”

  1. I find this very interesting, but I’m skeptical that this isn’t just a ‘scare tactic’… how exactly is native (HTML5) video playback going to open up security holes that aren’t there with video playback in Flash? I read Panda’s article and they didn’t get any more specific. I’m sure they don’t want to give anyone ideas, but the lack of a concrete threat makes me think they are just using the buzzword HTML5 to get some attention to their list. Would definitely love to hear more about this…

    Posted by Lisa Larson-Kelley | December 21, 2010, 12:08 pm

Post a comment