Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation
After victims are compromised, the attacker can instrument them to perform a diverse set of attacks in users' web browsers. These attacks fall into three models, as shown in the figure below: (a) force victims to visit a selected server or URL, for DDoS attacks or fake ad impressions; (b) enable victims to request computations, such as cryptocurrency mining or password cracking; and (c) deploy illegal services, such as illicit file hosting or hidden/anonymized communications. More technical details can be found in our paper.
The issue was made public in November 2018 by many browser vendors, which were dealing with it internally at the same time we were working on our MarioNet prototype [1]. The first fixes have been rolling out since the end of July, and they mainly restrict the number of events (such as fetch, push, sync, etc.) that a Service Worker can receive. Our attack model used these events to keep the Service Worker alive. Currently, the expected behavior is for a Service Worker to receive only one event and then be terminated soon after. That means the Service Worker can stay alive for only about one minute after the user navigates away from the website, significantly limiting the lifetime of an infected user.
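
The post-fix behavior described above (one event, then termination about a minute after the user navigates away) can be checked against Service Worker lifecycle traces from a test harness or browser telemetry. The following is an added example, not code from the paper or from MarioNet; the record format (`t` in seconds, `scope`, `kind`, `name`) and the sample log are constructed for illustration.

```javascript
// Constructed sample trace; field names and record kinds are assumptions of this example.
const SAMPLE_LOG = [
  { t: 0,   scope: "https://a.example/", kind: "client_closed" },
  { t: 5,   scope: "https://a.example/", kind: "event", name: "sync" },
  { t: 40,  scope: "https://a.example/", kind: "terminated" },
  { t: 0,   scope: "https://b.example/", kind: "client_closed" },
  { t: 10,  scope: "https://b.example/", kind: "event", name: "sync" },
  { t: 50,  scope: "https://b.example/", kind: "event", name: "fetch" },
  { t: 300, scope: "https://b.example/", kind: "event", name: "push" },
  { t: 900, scope: "https://b.example/", kind: "terminated" },
  { t: 100, scope: "https://c.example/", kind: "client_closed" },
  { t: 120, scope: "https://c.example/", kind: "event", name: "push" },
];

// Flags scopes whose worker, after the last page closed, received more than
// maxEvents events or outlived maxLifetimeSec (defaults follow the text above).
function auditServiceWorkers(log, { maxEvents = 1, maxLifetimeSec = 60 } = {}) {
  const state = new Map(); // scope -> tracking state since the last client closed
  const lastSeen = log.reduce((m, r) => Math.max(m, r.t), 0);
  for (const r of [...log].sort((a, b) => a.t - b.t)) {
    const s = state.get(r.scope);
    if (r.kind === "client_closed") {
      state.set(r.scope, { closedAt: r.t, events: [], endedAt: null });
    } else if (r.kind === "client_opened") {
      state.delete(r.scope); // an open page legitimately keeps the worker busy
    } else if (s && s.endedAt === null) {
      if (r.kind === "event") s.events.push(r.name);
      if (r.kind === "terminated") s.endedAt = r.t;
    }
  }
  const findings = [];
  for (const [scope, s] of state) {
    // No "terminated" record means the worker is still running at the end of
    // the trace, so the computed lifetime is a lower bound.
    const lifetimeSec = (s.endedAt ?? lastSeen) - s.closedAt;
    const reasons = [];
    if (s.events.length > maxEvents) reasons.push("too_many_events");
    if (lifetimeSec > maxLifetimeSec) reasons.push("lifetime_exceeded");
    if (reasons.length) findings.push({ scope, events: s.events, lifetimeSec, reasons });
  }
  return findings;
}

console.log(auditServiceWorkers(SAMPLE_LOG));
```

Scope `a.example` matches the expected post-fix behavior and is not reported; `b.example` and `c.example` are flagged as workers that persist after the page is gone.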