MarioNET attack lets hackers control your browser, even after you leave the attack page
The rise of web technologies opened up new possibilities on the Internet. Browsers have become more powerful as new APIs landed and support for certain features was introduced.
A new attack, called MarioNET by the researchers that discovered it, highlights that APIs may also be abused if no proper safeguards are in place (which is the case right now).
The attack relies on existing HTML5 APIs that all modern web browsers support. It does not require the installation of software or user interaction, and persists even after the user leaves the web page the attack originated on.
The attacker may abuse the resources of the computer for all kinds of activities including DDOS attacks, crypto-mining operations, or password cracking.
Update: You can find a critical voice that argues against the scenario described in the research paper here. The main point of criticism is that the attack method relies on a feature called PeriodicSync, which is not part of any specification at this point.
MarioNET uses Service Workers in the attack: scripts that run in the background, separate from the web page that registered them. The main idea behind Service Workers is to move certain computations to a separate thread so that they do not block or slow down the app or web page the user interacts with.
The lifecycle of Service Workers is completely independent of the page they were created on. Service Workers don't have access to the DOM (Document Object Model) of the web page, nor to the parent page's variables and functions.
The use of Service Workers isolates the system from the originating website, gives persistent control to the attacker, and makes it difficult for users to detect what is going on.
In particular, our system fulfills three important objectives:
(i) isolation from the visited website, allowing fine-grained control of the utilized resources; (ii) persistence, by continuing its operation uninterruptedly in the background even after closing the parent tab; and (iii) evasiveness, avoiding detection by browser extensions that try to monitor the webpage’s activity or outgoing communication.
MarioNET registers a Service Worker when a user visits a web page that hosts the attack code. Ways to spread the attack include creating malicious websites, compromising existing sites, or delivering the code through advertisements.
Browsers provide little information to users about Service Workers; in fact, browsers don't notify users when a site registers a new Service Worker. There is no alert, no prompt, and not even an option to display a prompt asking for user permission when Service Workers are created.
The only request that reveals the existence of the service worker is the initial GET request at the time of the user’s first website visit, when the service worker gets initially registered. Although during that GET request a monitoring extension can observe the contents of the service worker, it will still not observe any suspicious code—the code that will carry out the malicious tasks is delivered to the Servant only after its first communication with the Puppeteer, and this communication is hidden from browser extensions.
What makes MarioNET particularly troubling is that it continues to run in the background after the user closes the website the attack originated on. The control ends when the web browser is closed; the researchers found a way to overcome this as well, but it requires user interaction as it uses the Web Push API to do so.
Most modern browsers include options to display existing Service Workers. Firefox users may load about:serviceworkers or about:debugging#workers and Chrome users may load chrome://serviceworker-internals/ to do so.
You may unregister any Service Worker using the functionality provided on these pages. Firefox users may furthermore disable Service Workers altogether by setting the preference dom.serviceWorkers.enabled to false on about:config. Note that this may impact functionality on sites that use Service Workers for legitimate purposes.
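The browser pages above are a manual way to inspect registrations. The following is an added example, not code from the article or from the MarioNET paper, of doing the same check programmatically from a defender's side: it audits a list of Service Worker registrations against an allowlist of trusted origins, unregisters the ones that fall outside it, and wraps a ServiceWorkerContainer's `register()` so that registration attempts (which the browser itself never surfaces to the user) are at least logged and, outside the allowlist, refused. The functions take the registration objects and the container as parameters so they can be exercised with constructed stand-ins; the `allowedOrigins` list, the `log` array and the stand-in objects are assumptions of this example, while `getRegistrations()`, `unregister()`, `scope` and `scriptURL` are the standard Service Worker API members.

```javascript
// Added example (not from the article or the MarioNET paper): defender-side helpers
// for auditing registered Service Workers and for logging/blocking new registrations.
// Registrations are passed in as parameters so the logic can be tested with constructed
// objects; in a real page or extension script you would pass
// `await navigator.serviceWorker.getRegistrations()` and `navigator.serviceWorker`.

// Return the script URL of whichever worker state a registration currently has
// (a registration may be installing, waiting or active; any of them carries scriptURL).
function workerScriptUrl(registration) {
  const worker = registration.active || registration.waiting || registration.installing;
  return worker && worker.scriptURL ? worker.scriptURL : null;
}

// Classify each registration as "allowed" or "suspicious" by comparing the origin of its
// scope against an allowlist of origins the user trusts. A scope that does not parse as a
// URL is treated as suspicious rather than silently skipped.
function auditServiceWorkers(registrations, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return registrations.map((registration) => {
    let origin = null;
    try {
      origin = new URL(registration.scope).origin;
    } catch (e) {
      origin = null; // unparseable scope: nothing to vouch for
    }
    const verdict = origin !== null && allowed.has(origin) ? "allowed" : "suspicious";
    return { scope: registration.scope, origin, scriptURL: workerScriptUrl(registration), verdict };
  });
}

// Unregister every registration judged suspicious and return the scopes that were removed.
// ServiceWorkerRegistration.unregister() resolves to a boolean; calls are awaited one at a
// time so a failure in one does not hide the others.
async function unregisterSuspicious(registrations, allowedOrigins) {
  const report = auditServiceWorkers(registrations, allowedOrigins);
  const removed = [];
  for (let i = 0; i < registrations.length; i++) {
    if (report[i].verdict === "suspicious") {
      const ok = await registrations[i].unregister();
      if (ok) removed.push(report[i].scope);
    }
  }
  return removed;
}

// Wrap a ServiceWorkerContainer-like object's register() so that every attempt is recorded
// in `log` (a plain array, an assumption of this example) and attempts whose script URL
// resolves to an origin outside the allowlist are refused with a rejected promise.
// `pageOrigin` is the base used to resolve relative script URLs.
function installRegistrationGuard(container, allowedOrigins, log, pageOrigin) {
  const allowed = new Set(allowedOrigins);
  const originalRegister = container.register.bind(container);
  container.register = function guardedRegister(scriptURL, options) {
    let scriptOrigin = null;
    try {
      scriptOrigin = new URL(scriptURL, pageOrigin).origin;
    } catch (e) {
      scriptOrigin = null;
    }
    const permitted = scriptOrigin !== null && allowed.has(scriptOrigin);
    log.push({ scriptURL: String(scriptURL), origin: scriptOrigin, permitted });
    if (!permitted) {
      return Promise.reject(new Error("service worker registration blocked: " + scriptURL));
    }
    return originalRegister(scriptURL, options);
  };
  return container;
}

// In a browser console (skipped under Node, where navigator has no serviceWorker): list
// every registration and flag those whose scope is not the current page's own origin.
if (typeof navigator !== "undefined" && navigator.serviceWorker) {
  navigator.serviceWorker.getRegistrations()
    .then((regs) => console.table(auditServiceWorkers(regs, [location.origin])));
}
```

The audit compares origins of the registration scope rather than script file names, because a scope is what bounds which pages a worker controls; a registration whose scope origin you never intended to trust is the one worth removing. The guard only makes registration visible to whoever installs it (an extension content script or a test harness), which is precisely the gap the article points out: the browser itself shows no prompt.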
Now You: Should browser developers implement additional safeguards? (via ZDNet)