Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage

Karami, Soroush; Ilia, Panagiotis; Polakis, Jason

doi:10.14722/ndss.2021.23104

Cited by 18 publications

(6 citation statements)

References 28 publications

(22 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similarly, in older browser versions, the attacker could simply read out the computed style to infer whether a certain URL was previously visited [3,43]. More recently, Karami et al [14] and Lee et al [22] showed that the service worker cache could also be exploited to infer whether a user previously visited a specific website.…”

Section: Related Workmentioning

confidence: 99%

Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

2022

View full text Add to dashboard Cite

A web visit typically consists of the browser rendering a dynamically generated response that is specifically tailored to the user. This generation of responses based on the currently authenticated user, whose authentication credentials are automatically included via cookies in all (including cross-site) requests, have led to a multitude of issues. Through cross-site leaks (XS-Leaks), an adversary can try to circumvent the same-origin policy and extract information about responses, which in turn can reveal potentially sensitive information about the user. As research on this class of vulnerabilities only recently gained traction, and the attacks affect many different components of the web platform, the intrinsic characteristics and underlying causes remain largely unexplored.In this paper we present an abstraction of XS-Leaks attacks and introduce an extended formal model that we use to reason about the cause of different leaks and which strategies the various defense mechanisms employ to defend against them. Furthermore, we provide a classification method for current attacks, and, guided by our model, propose a methodology to comprehensively detect new XS-Leak issues, or indicate their absence. Furthermore, we analyze the current defenses and identify gaps that still require further research to provide extensive solutions for sites that rely on cross-site interactions. Finally, we explore how XS-Leak defenses are currently deployed and which challenges website owners are still facing. As a first step towards facilitating the deployment of XS-Leak defenses, we introduce Leakbuster, a dynamic web interface that provides web developers with suggestions based on the insights provided throughout this paper. CCS CONCEPTS• Security and privacy → Browser security; Network security; Formal methods and theory of security.

show abstract

Section: Related Workmentioning

confidence: 99%

Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

2022

View full text Add to dashboard Cite

show abstract

“…They run in the background of a web page and can intercept, modify, and cache resources to create offline web application. Karami et al [32] introduced leak techniques to detect if a service worker is registered for a specific origin. They used iframes as an inclusion method on resources that have previously been cached by a service worker.…”

Section: A2 Detectable Difference: Api Usagementioning

confidence: 99%

XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers

Knittel

Mainka

Niemietz

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Cross-Site Leaks (XS-Leaks) describe a client-side bug that allows an attacker to collect side-channel information from a cross-origin HTTP resource. They are a significant threat to Internet privacy since simply visiting a web page may reveal if the victim is a drug addict or leak a sexual orientation. Numerous different attack vectors, as well as mitigation strategies, have been proposed, but a clear and systematic understanding of XS-Leak' root causes is still missing.Recently, Sudhodanan et al. gave a first overview of XS-Leak at NDSS 2020. We build on their work by presenting the first formal model for XS-Leaks. Our comprehensive analysis of known XS-Leaks reveals that all of them fit into this new model. With the help of this formal approach, we (1) systematically searched for new XS-Leak attack classes, (2) implemented XSinator.com, a tool to automatically evaluate if a given web browser is vulnerable to XS-Leaks, and (3) systematically evaluated mitigations for XS-Leaks. We found 14 new attack classes, evaluated the resilience of 56 different browser/OS combinations against a total of 34 XS-Leaks, and propose a completely novel methodology to mitigate XS-Leaks.

show abstract

“…Specifically, the authors investigated the potential security vulnerabilities of Service Workers and they demonstrated multiple attack scenarios from cryptojacking to malicious computations (e.g., distributed password cracking), as well as Distributed Denial of Service attacks. Karami et al in [4] studied attacks that aim to exploit Service Workers vulnerabilities to ex-filtrate important privacy information from the user. Specifically, they demonstrated two history-sniffing attacks that exploit the lack of appropriate isolation in these browsers including a non-destructive cache-based version.…”

Section: Related Workmentioning

confidence: 99%

“…In [3], authors present a framework that exploits Service Workers functionality to launch attacks like DDoS, cryptojacking and distributed password cracking. In [4], authors investigate the potential privacy leaks that malicious Service Workers can cause on a victim's browser.…”

Section: Introductionmentioning

confidence: 99%

Measuring the (Over)use of Service Workers for In-Page Push Advertising Purposes

Pantelakis,

Papadopoulos,

Kourtellis

et al. 2021

Preprint

View full text Add to dashboard Cite

Rich offline experience, periodic background sync, push notification functionality, network requests control, improved performance via requests caching are only few of the functionalities provided by the Service Workers API. This new technology, supported by all major browsers, can significantly improve users' experience by providing the publisher with the technical foundations that would normally require a native application. Albeit the capabilities of this new technique and its important role in the ecosystem of Progressive Web Apps (PWAs), it is still unclear what is their actual purpose on the web, and how publishers leverage the provided functionality in their web applications. In this study, we shed light in the real world deployment of Service Workers, by conducting the first large scale analysis of the prevalence of Service Workers in the wild. We see that Service Workers are becoming more and more popular, with the adoption increased by 26% only within the last 5 months. Surprisingly, besides their fruitful capabilities, we see that Service Workers are being mostly used for Push Advertising, in 65.08% of the Service Workers that connect with 3rd parties. We highlight that this is a relatively new way for advertisers to bypass adblockers and render ads on the user's displays natively.

show abstract

Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage

Cited by 18 publications

References 28 publications

Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers

Measuring the (Over)use of Service Workers for In-Page Push Advertising Purposes

Contact Info

Product

Resources

About