SecurityWorldMarket

03/07/2011

Context discovers potential security flaws in WebGL technology

London, UK

Researchers at Context Information Security, an international security consultancy, have uncovered serious security flaws in the new WebGL technology that creates 3D graphics in a browser with the same speed and detail as hardware-accelerated PC games and applications.
Context says that design-level security issues give potentially malicious web pages low-level access to graphics cards that could provide a ‘back door’ for hackers and compromise data stored on internet-connected machines.

WebGL is currently supported on Linux, OS X and Windows operating systems, using Firefox 4, Safari and Google Chrome browsers. In addition to desktops and notebooks, WebGL is also being adopted for use in other devices including smartphones and is rapidly increasing in popularity.

“The risks stem from the fact that most graphics cards and drivers have not been written with security in mind so that the interface (API) they expose assumes that the applications are trusted,” says Michael Jordon, Research and Development Manager at Context. “While this may be true for local applications, the use of WebGL-enabled browser-based applications with certain graphics cards now poses serious threats, from breaking the cross-domain security principle to denial-of-service attacks, potentially leading to full exploitation of a user’s machine.”

“We think it is important to raise awareness of this issue before WebGL becomes more widely adopted because this is not an implementation problem, but is down largely to the WebGL specification, which is inherently insecure,” adds Jordon. “In the short term, individual end users or IT departments can avoid potential problems by simply disabling WebGL within their browsers; but the only long-term solution is for the developers of WebGL itself to ensure that the specification is designed and tested to prevent these types of risks.”

WebGL 1.0 was officially released in March this year by The Khronos Group, a non-profit consortium of companies including Google, Apple, Intel and Mozilla working to create open standard APIs to display digital interactive media across all platforms and devices. It is essentially a graphics library that extends the functionality of JavaScript to allow it to create interactive 3D graphics within a browser without using plug-ins.
