[BreachExchange] New attack lets hackers run bad code despite users leaving web page

Destry Winant destry at riskbasedsecurity.com
Thu Feb 28 08:53:14 EST 2019


http://www.ehackingnews.com/2019/02/new-attack-lets-hackers-run-bad-code.html

Academics from Greece have devised a new browser-based attack that can
allow hackers to run malicious code inside users' browsers even after
users have closed or navigated away from the web page on which they
got infected.

This new attack, called MarioNet, opens the door for assembling giant
botnets from users' browsers. These botnets can be used for in-browser
crypto-mining (cryptojacking), DDoS attacks, malicious file
hosting/sharing, distributed password cracking, creating proxy
networks, advertising click-fraud, and traffic stats boosting,
researchers said.

The MarioNet attack is an upgrade to a similar concept of creating a
browser-based botnet that was described in the Puppetnets research
paper 12 years ago, in 2007.

The difference between the two is that MarioNet can survive after
users close the browser tab or move away from the website hosting the
malicious code.

This is possible because modern web browsers now support a new API
called Service Workers. This mechanism allows a website to isolate
operations that render a page's user interface from operations that
handle intense computational tasks so that the web page UI doesn't
freeze when processing large quantities of data.

Technically, Service Workers are an update to an older API called Web
Workers. However, unlike web workers, a service worker, once
registered and activated, can live and run in the page's background,
without requiring the user to continue browsing through the site that
loaded the service worker.

MarioNet (a clever spelling of "marionette") takes advantage of the
powers provided by service workers in modern browsers.

The attack routine consists of registering a service worker when the
user lands on an attacker-controlled website and then abusing the
Service Worker SyncManager interface to keep the service worker alive
after the user navigates away.

The attack is silent and doesn't require any type of user interaction
because browsers don't alert users or ask for permission before
registering a service worker. Everything happens under the browser's
hood as the user waits for the website to load, and users have no clue
that websites have registered service workers as there's no visible
indicator in any web browser.
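
Because registration is silent, a site owner can audit which service
workers exist on their own origin and whether any hold pending
SyncManager tags. The following is an added example, not code from the
article or the MarioNet researchers; the allowlist, the
assessRegistration/auditServiceWorkers names, and the sample URLs and
tags used to exercise it are assumptions.

```javascript
// Added example: defender-side audit of service workers on the current origin.
// ALLOWED_SCRIPTS is a hypothetical allowlist; list the worker scripts your site ships.
const ALLOWED_SCRIPTS = new Set(["/sw.js"]);

// Pure decision logic: return the reasons a registration deserves a closer look.
function assessRegistration(info, allowed = ALLOWED_SCRIPTS) {
  let path;
  try {
    path = new URL(info.scriptURL).pathname;
  } catch {
    return ["no readable script URL"];
  }
  if (allowed.has(path)) return [];
  const findings = [`unexpected worker script: ${path}`];
  // Pending SyncManager tags mean the browser still owes this worker a sync event.
  if (info.syncTags.length > 0) {
    findings.push(`pending background sync tags: ${info.syncTags.join(", ")}`);
  }
  return findings;
}

// Browser-facing wrapper. `container` defaults to navigator.serviceWorker and is
// a parameter only so the function can be exercised with a stand-in object.
async function auditServiceWorkers(container = navigator.serviceWorker,
                                   { unregister = false } = {}) {
  const report = [];
  for (const reg of await container.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    // SyncManager is not implemented by every browser, so reg.sync may be absent.
    const syncTags = reg.sync ? await reg.sync.getTags() : [];
    const info = { scope: reg.scope, scriptURL: worker ? worker.scriptURL : "", syncTags };
    const findings = assessRegistration(info);
    const removed = unregister && findings.length > 0 ? await reg.unregister() : false;
    report.push({ ...info, findings, removed });
  }
  return report;
}
```

Run it from a page on the origin being audited; getRegistrations()
only returns registrations that belong to the calling origin.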

