[adrianmonk]

Breaking out of a container isn't the only security worry.

They have a "Register" button at the top right where you can enter a username and password. If you have shell access to the box (no matter how virtual the box is), there's a good chance you can alter the site's code and capture the passwords people enter. And knowing that, in the real world, people do reuse passwords, this could easily lead to compromising accounts on other sites.

They also have a privacy policy (linked at the bottom) in which they make all kinds of promises about not leaking your personal data. If someone can take over their machine, and they know it, and they don't shut it down, it seems like that would violate the promises made in that privacy policy.

Also, of course, an attacker could alter the site to exploit any vulnerabilities in the users' browsers, so it opens up an attack vector there. Obviously users need to keep browsers patched, but people expect the risk to be lower when visiting legitimate sites.

[anonymousJim12]

Even if the containers were running on the same physical machine as the webapp you'd have to break out of the container your code is in first... If you know of a container breakout exploit then you should definitely publish it!

[baby]

a container is not about security, I don't think docker made any claim that you can't easily escape from a container.

[anonymousJim12]

Right, a container is about isolation.

I didn't mention anything about docker, seeing that containers are a linux kernel feature, but if you know of container escape vulnerabilities in the kernel you should publish them.