DOI: https://doi.org/10.1145/3471621.3471845
Research article, Public Access

The Service Worker Hiding in Your Browser: The Next Web Attack Target?

Published: 07 October 2021

Abstract

In recent years, service workers have been gaining attention from both web developers and attackers because of the unique features they provide. Recent findings have shown that an attacker can register a malicious service worker to exploit the victim, for example by turning the victim’s device into a cryptocurrency miner. However, the possibility of benign service workers being leveraged by an attacker has not been well studied.
To bridge this gap, we systematically analyze the security of service workers from a new perspective. Specifically, we consider how an attacker can leverage a benign service worker installed by popular websites. To this end, we uncover two attack channels: IndexedDB and push notifications. Through IndexedDB, an attacker can compromise a benign service worker and persistently control the vulnerable website. Likewise, a push subscription can be easily hijacked and used to track a user’s location. To understand the prevalence and security impact of these attack channels, we conduct a measurement study of popular websites that deploy a service worker. Our results show that 200 websites that are vulnerable to XSS attacks are also susceptible to push hijacking. We estimate the number of potential victims, who visit these susceptible websites and could be exposed to location tracking, at up to 1.75 million users per month. Finally, we discuss potential defenses to prevent this problem from growing further.
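The two channels named in the abstract share one root cause: once injected script runs in the page, anything it can reach from the page context (the push subscription, IndexedDB records) becomes input to the benign service worker. The example below is added here and is not code from the paper or from any site it measured. It shows the two checks a site owner would want: on the page, detect a push subscription whose `applicationServerKey` is not the site's own VAPID key and replace it; in the worker, treat push payloads and IndexedDB records as untrusted and accept only same-origin HTTPS URLs. The origin `https://shop.example`, the payload layout `{"title", "url"}`, the record layout `{"urls": [...]}`, the endpoints and the key bytes are all constructed for the example; the functions are pure so they run under Node with browser-shaped stand-ins.

```javascript
// Added example: hardening checks for a site that ships a service worker.
// Assumed: origin https://shop.example, payload {title,url}, record {urls}.

function base64UrlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return new Uint8Array(Buffer.from(b64 + pad, 'base64'));
}

function bytesToBase64Url(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed keys: 65-byte uncompressed-point layout (0x04 || X || Y) like a
// real VAPID public key, but the bytes are synthetic, not points on P-256.
const SITE_KEY_BYTES = Uint8Array.from({ length: 65 }, (_, i) => (i === 0 ? 0x04 : (i * 7) & 0xff));
const ATTACKER_KEY_BYTES = Uint8Array.from({ length: 65 }, (_, i) => (i === 0 ? 0x04 : (i * 13 + 1) & 0xff));
const SITE_KEY = bytesToBase64Url(SITE_KEY_BYTES);

function toBytes(buf) {
  if (buf instanceof ArrayBuffer) return new Uint8Array(buf);
  if (ArrayBuffer.isView(buf)) return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
  return null;
}

// A subscription re-created by injected script with the attacker's VAPID key
// looks normal to the page; only options.applicationServerKey gives it away.
function subscriptionUsesKey(subscription, expectedKeyB64Url) {
  const expected = base64UrlToBytes(expectedKeyB64Url);
  if (expected.length !== 65 || expected[0] !== 0x04) throw new Error('malformed site VAPID key');
  const actual = toBytes(subscription && subscription.options && subscription.options.applicationServerKey);
  if (!actual || actual.length !== expected.length) return false;
  return actual.every((b, i) => b === expected[i]);
}

// Page-side reconciliation: drop a subscription bound to a foreign key and
// re-subscribe with the site's own key. `registration` has the shape of a
// ServiceWorkerRegistration (pushManager.getSubscription / subscribe).
async function reconcileSubscription(registration, siteKeyB64Url) {
  const current = await registration.pushManager.getSubscription();
  if (current && subscriptionUsesKey(current, siteKeyB64Url)) {
    return { action: 'kept', endpoint: current.endpoint };
  }
  if (current) await current.unsubscribe();
  const fresh = await registration.pushManager.subscribe({
    userVisibleOnly: true,
    applicationServerKey: base64UrlToBytes(siteKeyB64Url),
  });
  return { action: current ? 'replaced' : 'created', endpoint: fresh.endpoint };
}

// Worker-side validation: with a hijacked subscription or a poisoned IndexedDB
// record, these values come from the attacker. Resolve relative to the site
// origin and keep only same-origin HTTPS URLs (rejects //other.host, javascript:).
function sameOriginHttpsUrl(candidate, origin) {
  if (typeof candidate !== 'string') return null;
  let u;
  try { u = new URL(candidate, origin); } catch { return null; }
  return u.protocol === 'https:' && u.origin === origin ? u.href : null;
}

function parsePushPayload(raw, origin) {
  let data;
  try { data = JSON.parse(raw); } catch { return null; }
  if (!data || typeof data !== 'object') return null;
  if (typeof data.title !== 'string' || data.title.length === 0 || data.title.length > 200) return null;
  const url = sameOriginHttpsUrl(data.url, origin);
  return url ? { title: data.title, url } : null;
}

// Applied to a record read back from IndexedDB before the worker fetches/caches it.
function filterPrecacheList(record, origin) {
  if (!record || !Array.isArray(record.urls)) return [];
  return record.urls.map((u) => sameOriginHttpsUrl(u, origin)).filter(Boolean);
}

function demo() {
  const origin = 'https://shop.example';
  const legit = { endpoint: 'https://push.example/v1/abc', options: { applicationServerKey: SITE_KEY_BYTES.buffer } };
  const hijacked = { endpoint: 'https://push.example/v1/xyz', options: { applicationServerKey: ATTACKER_KEY_BYTES.buffer } };
  return {
    legitOk: subscriptionUsesKey(legit, SITE_KEY),
    hijackedOk: subscriptionUsesKey(hijacked, SITE_KEY),
    goodPayload: parsePushPayload('{"title":"Order shipped","url":"/orders/42"}', origin),
    crossOriginPayload: parsePushPayload('{"title":"x","url":"https://tracker.example/p?id=7"}', origin),
    schemeRelativePayload: parsePushPayload('{"title":"x","url":"//tracker.example/p"}', origin),
    notJson: parsePushPayload('not json', origin),
    precache: filterPrecacheList({ urls: ['/app.js', 'https://cdn.attacker.example/x.js', 'javascript:alert(1)'] }, origin),
  };
}
```

In a real page `reconcileSubscription(await navigator.serviceWorker.ready, SITE_KEY)` runs on load; in the worker, `parsePushPayload(event.data.text(), self.location.origin)` gates `showNotification`, and `filterPrecacheList` gates whatever the worker reads from IndexedDB. None of this removes the XSS itself; it limits what injected script gains by rewriting the subscription or the store.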


Cited By

  • A Honey postMessage, but a Heart of Gall: Exploiting Push Service in Service Workers Via postMessage. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 785–796, 10 July 2023. https://doi.org/10.1145/3579856.3590342
  • A Survey on Vulnerabilities of Service Workers. 2022 13th International Conference on Information and Communication Technology Convergence (ICTC), pp. 2080–2082, 19 October 2022. https://doi.org/10.1109/ICTC55196.2022.9952818
  • A Bad IDEa: Weaponizing uncontrolled online-IDEs in availability attacks. 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 82–92, June 2022. https://doi.org/10.1109/EuroSPW55150.2022.00015
  • SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pp. 555–571, June 2022. https://doi.org/10.1109/EuroSP53844.2022.00041

Published In

RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses
October 2021
468 pages
ISBN:9781450390583
DOI:10.1145/3471621
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. indexedDB
  2. push notification
  3. service worker

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

RAID '21

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%

Article Metrics

  • Downloads (last 12 months): 454
  • Downloads (last 6 weeks): 61

Reflects downloads up to 03 Mar 2025
