Channel: Hacker News

ServiceWorker's Link leads to botnet-like persistent JavaScript worker

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Steps to reproduce the problem:
1. visit https://jsfiddle.net/Lsd6vgkb/3/
2. close the tab 
3. A few minutes later, open DevTools on any other page and see, under Application/ServiceWorkers/Show All, a truefactor.io service worker in Running state forever

What is the expected behavior?

What went wrong?
Normally we have a small attack window (a few seconds to a few minutes) to exploit the user visiting the website. ServiceWorkers greatly changed that.

There are numerous ways, such as Background Sync or the Push API, that can wake up the worker and execute JS code in the context of the worker whenever the attacker wants. It is somewhat similar to a classic botnet, with lower privileges though.

Let's start with the most dangerous and silent exploit I know so far. There are other ways; we can talk about them too if you're interested.

We need to insert our https://truefactor.io/cat.gif picture on any https:// website, such as a blog or news platform. Every Chrome 54+ will fetch the image, parse the Link header, verify the Origin-Trial token (which is easy to get) and run our JS code. It's already bad on its own: how come an external image runs external JS code?

A minute later, just before the worker is terminated, it fetches itself, which recursively creates another worker that will run for another minute. It can grab a new job from the server, such as a cryptocurrency mining operation, minor DDoS, CSRF via fetch with {credentials:true}, or other tasks.
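The mechanism the report relies on is a `Link: <script>; rel=serviceworker` header delivered on an image response, which a browser honouring that header (Chrome 54 behind an Origin-Trial token) treats as a request to register the script as a service worker. The following is an added example, not code from the bug report or from Chromium, that a site owner or proxy operator could run over captured response headers to spot third-party resources attempting such a registration. The `Link` field parser follows RFC 8288 and keeps quoted values containing `;` or `,` intact; the sample responses, hostnames and the Origin-Trial token value are constructed placeholders.

```python
"""Audit HTTP response headers for service-worker registration via the Link header.

Added example; not code from the bug report or from Chromium. The sample
responses below are constructed, not captured from any real site.
"""
from typing import Dict, List, NamedTuple, Tuple
from urllib.parse import urljoin

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs; duplicates allowed


class Link(NamedTuple):
    target: str             # the URI-Reference between '<' and '>'
    params: Dict[str, str]  # lower-cased parameter names -> values


def parse_link_header(value: str) -> List[Link]:
    """Parse one RFC 8288 Link field value into a list of Link records.

    Hand-rolled rather than split on ',' so that quoted parameter values which
    contain ';' or ',' survive. Per RFC 8288 the first occurrence of a
    parameter name wins.
    """
    links: List[Link] = []
    i, n = 0, len(value)
    while i < n:
        while i < n and value[i] in " \t,":  # separators between link-values
            i += 1
        if i >= n:
            break
        if value[i] != "<":
            raise ValueError(f"expected '<' at offset {i}")
        end = value.find(">", i)
        if end == -1:
            raise ValueError("unterminated link target")
        target = value[i + 1:end]
        params: Dict[str, str] = {}
        i = end + 1
        while True:
            while i < n and value[i] in " \t":
                i += 1
            if i >= n or value[i] != ";":
                break
            i += 1  # consume ';'
            while i < n and value[i] in " \t":
                i += 1
            start = i
            while i < n and value[i] not in "=;, \t":
                i += 1
            name = value[start:i].lower()
            while i < n and value[i] in " \t":
                i += 1
            pval = ""
            if i < n and value[i] == "=":
                i += 1
                while i < n and value[i] in " \t":
                    i += 1
                if i < n and value[i] == '"':  # quoted-string, may hold ';' or ','
                    i += 1
                    buf = []
                    while i < n and value[i] != '"':
                        if value[i] == "\\" and i + 1 < n:  # quoted-pair
                            i += 1
                        buf.append(value[i])
                        i += 1
                    i += 1  # closing quote
                    pval = "".join(buf)
                else:  # token: runs to the next ';' or ','
                    start = i
                    while i < n and value[i] not in ";,":
                        i += 1
                    pval = value[start:i].strip()
            if name and name not in params:
                params[name] = pval
        links.append(Link(target, params))
    return links


def header_values(headers: Headers, name: str) -> List[str]:
    """All values of a header, case-insensitive on the name."""
    return [v for k, v in headers if k.lower() == name.lower()]


def audit_response(url: str, headers: Headers) -> List[str]:
    """Return one finding per Link relation 'serviceworker' on this response.

    A worker registered from a non-HTML response (an image, as in the report)
    is called out separately: a document can register a worker from script
    anyway, but an embedded image is not expected to cause code to run.
    """
    findings: List[str] = []
    ctype = (header_values(headers, "Content-Type") or [""])[0]
    has_origin_trial = bool(header_values(headers, "Origin-Trial"))
    for raw in header_values(headers, "Link"):
        for link in parse_link_header(raw):
            rels = link.params.get("rel", "").lower().split()
            if "serviceworker" not in rels:
                continue
            script = urljoin(url, link.target)
            msg = f"{url}: Link header registers service worker {script}"
            if "scope" in link.params:
                msg += f" with scope {link.params['scope']!r}"
            if not ctype.lower().startswith("text/html"):
                msg += f"; response is not a document ({ctype or 'no Content-Type'})"
            if has_origin_trial:
                msg += "; Origin-Trial header present"
            findings.append(msg)
    return findings


# Constructed samples (placeholder hosts and token), modelled on the report.
SAMPLE_RESPONSES: List[Tuple[str, Headers]] = [
    ("https://third-party.example/cat.gif", [
        ("Content-Type", "image/gif"),
        ("Origin-Trial", "PLACEHOLDER-TOKEN"),
        ("Link", '</sw.js>; rel="serviceworker"; scope="/", '
                 '<https://third-party.example/a.css>; rel=preload; as=style'),
    ]),
    ("https://publisher.example/", [  # ordinary page, Link used only for preload
        ("Content-Type", "text/html; charset=utf-8"),
        ("Link", "</app.css>; rel=preload; as=style"),
    ]),
]

if __name__ == "__main__":
    for sample_url, sample_headers in SAMPLE_RESPONSES:
        for finding in audit_response(sample_url, sample_headers):
            print(finding)
```

Running it prints a single finding for the constructed image response and nothing for the ordinary page. In practice the headers would come from a proxy log or a crawler that fetches the third-party resources a page embeds; any hit on a resource you did not author is worth inspecting, since the worker it installs outlives the tab.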

Did this work before? No 

Does this work in other browsers? N/A

Chrome version: 54.0.2840.71 Channel: n/a
OS Version: OS X 10.12.1
Flash Version: Shockwave Flash 23.0 r0

Hide this as a security issue, maybe? Not sure what your thoughts are.
