Interesting read: WebGL Security Vulnerabilities

  • A number of serious security issues have been identified with the specification and implementations of WebGL.
  • These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.
  • Additionally, there are other dangers with WebGL that put users’ data, privacy and security at risk.
  • These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).
  • Browsers that enable WebGL by default put their users at risk to these issues.
    Read full story
    http://www.contextis.co.uk/resources/blog/webgl/

I don’t know much about WebGL, but I found this on another website (http://learningwebgl.com/cookbook/index.php/WebGL:_Frequently_Asked_Questions#What_about_security.3F):

When told that it “gives web pages access to your graphics hardware”, some people worry that WebGL could be a serious security threat. It’s not as dangerous as it might sound, though! While any new extension to JavaScript could potentially open up security holes that could be used by a hacker, there’s nothing particularly risky about WebGL as compared to, say, HTML5’s audio extensions – apart from one thing. With current versions of WebGL, a hacker could potentially write a WebGL page that made your graphics card stop responding to other applications. Under Microsoft Windows Vista and Windows 7, this would be annoying but not disastrous – the operating system would notice that something was wrong and reset the graphics card. But under Apple OS X on a Macintosh, the hacker could potentially freeze the screen of your computer. On Linux it depends on what GPU you have and which drivers, Intel’s drivers are supposed to detect GPU lockups and reset the card (if your kernel is new enough to have this code anyway) for ATI the free drivers do lockup detection for some (older) GPUs, nouveau (free NVIDIA driver) doesn’t currently do hang detection. Basically the Linux situation is, at the moment maybe it’ll reset your GPU, but in the future it’ll get better (as usual for anything in Linux that sucks). (Notes about what would happen on Linux/Maemo/iOS welcome, just edit the page :)

It is possible that updates to the browsers will fix this, though for technical reasons it’s a tough problem to solve without severely limiting the kinds of 3D graphics you can do in WebGL.