A few short notes on the security implications of the new HTML5 browser features in Firefox (and probably Opera).
The short version is that they enable an offline, cross-domain web worm.
Imagine this: you go to a page that is infected, via XSS, with the web worm. The worm stores itself in a cross-domain portion of your browser storage, then scans your history for known vulnerable sites and spreads itself to them. Whenever you hit another infected website, the worm checks whether you have the most recent version in your browser storage and updates itself. There it could maintain a comprehensive list of all the sites it has infected and resubmit its new version to those it previously infected. It could even maintain a formalised “vulnerability definitions” file, analogous to the virus definitions file the computer security company I work for maintains.
In short: a proper, honest-to-god, multi-purpose web worm.
This problem is compounded by how widespread XSS and CSRF flaws are and by the general laziness of the web population (an up-to-date WordPress blog is the exception, not the rule, when it comes to self-maintained weblogs).
The only thing missing is financial motivation. The low-hanging fruit, money-wise, such as banking websites, is likely to have slightly higher security standards than a single-person WordPress blog. The possible financial incentives that come to mind are:
- Black Hat SEO.
- Password/username harvesting, in case the user uses the same password on more lucrative sites.
- A compromised WordPress blog can also lead to a compromised server, which has a wide variety of black hat uses.
- The distribution of other malware/exploits/viruses/trojans.
That’s just off the top of my head.
Update: Of course, I feel like a moron for missing out on one of the more obvious motivations for a universal XSS worm: the chances of a user placing valuable information and work on a web site increase proportionally with that user's reliance on web applications to do that work. In addition, the more powerful the web app is, the worse the damage it can do once compromised.