MarioNET attack lets hackers control your browser, even after you leave the attack page

Martin Brinkmann
Feb 26, 2019
Updated • Mar 1, 2019
Internet, Security

The rise of web technologies opened up new possibilities on the Internet. Browsers have become more powerful as new APIs landed and support for certain features was introduced.

A new attack, called MarioNET by the researchers that discovered it, highlights that APIs may also be abused if no proper safeguards are in place (which is the case right now).

The attack relies on existing HTML5 APIs that all modern web browsers support. It does not require the installation of software or user interaction, and persists even after the user leaves the web page the attack originated on.

The attacker may abuse the resources of the computer for all kinds of activities including DDOS attacks, crypto-mining operations, or password cracking.

Update: You find a critical voice that argues against the scenario described in the research paper here. The main point of criticism is that the attack method relies on a feature called PeriodicSync and that it is not part of any specification at this point. End

MarioNET uses Service Workers, scripts that run separate from visited web pages and in the background, in the attack. The main idea behind Service Workers is to move certain computations to a separate thread so that it is not blocking or slowing down the app or web page the user interacts with.

The lifecycle of Service Workers is completely independent from the page they were created on. Service Workers don't have access to the DOM (Document Object Model) of the web page and parent page variables and functions.

The use of Service Workers isolates the system from the originating website, gives persistent control to the attacker, and makes it difficult for users to detect what is going on.

In particular, our system fulfills three important objectives:

(i) isolation from the visited website, allowing fine-grained control of the utilized resources; (ii) persistence, by continuing its operation uninterruptedly on the background even after closing the parent tab; and (iii) evasiveness, avoiding detection by browser extensions that try to monitor the webpage’s activity or outgoing communication.

MarioNET registers a service worker when a user visits a webpage attacks can originate on. Possibilities to spread the attack include creating malicious websites, hacking sites, or using advertisements.

Browsers provide little information to users about Service Workers; in fact, browsers don't highlight the creation of new service workers on sites to users. There is no alert, no prompt, and not even an option to display a prompt to ask for user permission when service workers are created.

The only request that reveals the existence of the service worker is the initial GET request at the time of the user’s first website visit, when the service worker gets initially registered. Although during that GET request a monitoring extension can observe the contents of the service worker, it will still not observe any suspicious code—the code that will carry out the malicious tasks is delivered to the Servant only after its first communication with the Puppeteer, and this  communication is hidden from browser extensions

What makes MarioNET particularly troubling is that it continues to run in the background after the user closes the website the attack originated on. The control ends when the web browser is closed; the researchers found a way to overcome this as well, but it requires user interaction as it uses the Web Push API to do so.


service workers disable

Most modern browsers include options to display existing Service Workers. Firefox users may load about:serviceworkers or about:debugging#workers and Chrome users may load chrome://serviceworker-internals/ to do so.

You may unregister any Service Worker using functionality provided on these pages. Firefox users may disable Service Workers altogether furthermore.

Note that this may impact functionality on sites that use it for legitimate purposes. You need to set the preference dom.serviceWorkers.enabled to false on about:config.

Some browser extensions, e.g. Service Worker Detector for Chrome and Firefox, notify users when a web page registers a Service Worker.

Now You: Should browser developers implement additional safeguards? (via ZDNet)

MarioNET attack lets hackers control your browser, even after you leave the attack page
Article Name
MarioNET attack lets hackers control your browser, even after you leave the attack page
Security researchers created a new web-based attack that uses existing HTML5 APIs to run code on user systems even after users exit attack pages.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. smaragdus said on October 7, 2012 at 8:55 pm

    I have just tested the Wikipedia Book Creator and in works fine. I am pleased that the output format can be EPUB which is far superior than PDF. For me EPUB is the best e-book format, I prefer it to FB2 DJVU and especially over PDF, not to mention Microsoft LIT, Amazon and Mobipocket trash.

  2. benny said on November 2, 2012 at 9:21 am

    they actually had epub export for awhile but then stopped. good to see it’s back.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.