New browser attack lets hackers run bad code even after users leave a web page

Discussion in 'other security issues & news' started by mood, Feb 25, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,188
    New browser attack lets hackers run bad code even after users leave a web page
    February 25, 2019
    https://www.zdnet.com/article/new-b...n-bad-code-even-after-users-leave-a-web-page/
    Paper: "Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation"
    (PDF - 814 KB): https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01B-2_Papadopoulos_paper.pdf
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Huh. In Firefox 60.3.0esr (64-bit) about:config, I found "dom.serviceWorkers.enabled;false". But I found "dom.webnotifications.serviceworker.enabled;true", so I toggled it to "false".

    I found "devtools.browserconsole.filter.serviceworkers;false" and "devtools.webconsole.filter.serviceworkers;false". But they're bold, so something (not me) must have toggled them. NoScript, maybe?
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    Hi,
    Noscript has not changed your preferences value.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Any idea what?

    NoScript does change some things, if you change its defaults. Such as WebGL.
     
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    @ To All

    To check use the Browserleaks test:


    Pale Moon by default does not support Service Workers.
    Also my I.E.8 does not support Service Workers.:D
     
    Last edited: Mar 3, 2019
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    Unfortunately not.
    I do not use Noscript with default settings.
    ;)

    ___________________________________________

    I asked in the Pale Moon forum if the parameters should be left "true" or switched to "false".

    https://forum.palemoon.org/viewtopic.php?f=4&p=162903#p162903
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,395
    Location:
    Member state of European Union
    Since I heard about Service Worker I wondered about this possibility. Persistence across browser reboots however surprised me.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,901
    I've also set dom.serviceWorkers.enabled=false. Note that uBlock Origin and AdBlock Plus can also block serviceworkers by filtering behind-the-scene requests - see here. In uBO @gorhill removed the default whitelisting of behind-the-scene requests as serviceworkers can also be used to bypass adblockers. An example where blocking serviceworkers was necessary is this. The corresponding ABP documentation is here.

    EDIT: Following this example it should be possible to block serviceworkers in uBO and allow them for some specific sites only with the following filter:

    Code:
    *$csp=worker-src 'none',domain=~example.com|~other.example.net|~different.example.org
    I haven't tested that yet. Perhaps @gorhill can confirm that this rule is correct?

    EDIT 2: I just tested it on https://browserleaks.com/features with dom.serviceWorkers.enabled=true and with

    *$csp=worker-src 'none'

    in uBO but the ServiceWorker API is shown as enabled. It's still possible that uBO would indeed block serviceworkers. How can this be properly tested?
     
    Last edited: Mar 3, 2019
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    I think you want to do a test with Chrome:

    1) Install the extension "Service Worker Detector".

    2) https://html5workertest.com/



    You need to disable your HTML5 Canvas protection.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    :thumb:
    With Firefox / Pale Moon / New Moon / Basilisk, you do not need to install the extension, you can test directly.
     
  12. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,395
    Location:
    Member state of European Union
    @summerheat
    Does uMatrix or NoScript provide any protection for that threat?
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    I state that I am not an expert on uMatrix.:isay:

    The global rule:

    no-workers: * true

    allows you to block all Web Workers.
    Service Workers are also blocked.

    I have no idea if this rule can be adapted to uBlock Origin.

    My Test with Chrome:



     
  14. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,901
    I don't know about Noscript. But uMatrix supports blocking web workers (which includes service workers) with a per-scope switch. As mentioned in that wiki article you have to manually create a rule in My Rules if you want to block them globally.

    Btw., what I wrote above regarding the necessary rules in uBO is in accordance with what is outlined here.

    EDIT: And yes, the filter
    Code:
    *$csp=worker-src 'none'
    seems to work according to the uBO logger (example site).

    EDIT2: And after modifying that filter for above example to
    Code:
    *$csp=worker-src 'none',domain=~heise.de
    web workers are no longer blocked. Great :thumb:
     
    Last edited: Mar 4, 2019
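
Added example (not part of any post in this thread, and not uBlock Origin's or a browser's own code): a simplified JavaScript model of what the `*$csp=worker-src 'none',domain=~heise.de` filter above does to a page. It assumes the `csp=` option adds one more Content-Security-Policy to the response, that `~host` entries exempt a host and its subdomains, and that browsers enforce every policy and resolve workers through `worker-src`, then `child-src`, `script-src`, `default-src`; all function names are hypothetical.

```javascript
// Simplified model (assumption): not uBlock Origin's or a browser's real code.
// Split "*$csp=worker-src 'none',domain=~a.com|~b.net" into CSP value and domain list.
function parseCspFilter(filter) {
  const options = filter.slice(filter.indexOf('$') + 1);
  const m = /^csp=(.*?)(?:,domain=(.*))?$/.exec(options);
  if (!m) throw new Error('not a csp= filter: ' + filter);
  return { csp: m[1], domains: m[2] ? m[2].split('|') : [] };
}
// A domain entry matches the host itself and any of its subdomains.
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith('.' + domain);
}
// Negated (~) entries exempt a host; with no positive entries the filter is global.
function filterApplies(parsed, hostname) {
  const negated = parsed.domains.filter(d => d.startsWith('~')).map(d => d.slice(1));
  const positive = parsed.domains.filter(d => !d.startsWith('~'));
  if (negated.some(d => hostMatches(hostname, d))) return false;
  return positive.length === 0 || positive.some(d => hostMatches(hostname, d));
}
// Parse one policy into a Map of directive -> source list (first occurrence wins).
function parsePolicy(policy) {
  const map = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !map.has(name)) map.set(name, sources);
  }
  return map;
}
// True when the directive that governs workers allows no source at all.
function policyBlocksAllWorkers(policy) {
  const directives = parsePolicy(policy);
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (!directives.has(name)) continue;
    const src = directives.get(name);
    return src.length === 0 || (src.length === 1 && src[0] === "'none'");
  }
  return false; // no governing directive: workers are unrestricted
}
// Every policy on a response is enforced, so one blocking policy is enough.
function workersBlocked(siteCsp, filter, hostname) {
  const parsed = parseCspFilter(filter);
  const policies = siteCsp ? [siteCsp] : [];
  if (filterApplies(parsed, hostname)) policies.push(parsed.csp);
  return policies.some(policyBlocksAllWorkers);
}
```

The policy blocks worker loads but does not remove `navigator.serviceWorker`, which is consistent with a feature-detection page still listing the API as enabled while the uBO logger shows the block.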
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    We have found that even a popular service like Youtube activates Service Workers.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,395
    Location:
    Member state of European Union
    https://www.zdnet.com/article/new-b...n-bad-code-even-after-users-leave-a-web-page/
     
  17. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,901
    Well, the crucial question is if blocking them breaks that website. If it does you can still allow it as an exception.
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    Not everyone using Chrome / Opera / Chromium ..... will benefit from blocking Service Workers with uMatrix and UBO.
    Heinoganda discovered that in OSes such as XP and Vista the block is non-existent.

    I have not personally tried this test.
    If there is any user of Wilders who wants to try.....:thumb:

    I would therefore like to recommend these users to use only Firefox based browsers.
     
  19. Pharao

    Pharao Registered Member

    Joined:
    Oct 8, 2014
    Posts:
    81
    For those using Firefox or something else based on its code, it makes absolutely no sense to block ServiceWorkers with an extension.
    Simply disable ServiceWorkers in about:config. It's the cleanest approach.
    Whether ServiceWorkers in Firefox are a security threat or not, it's a good idea to disable them. No site should become broken because of that.
     
  20. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,901
    While I generally agree, I've come across sites which are broken. Hence, disabling service workers with an add-on gives you the flexibility to allow them on those specific sites.
     
  21. Pharao

    Pharao Registered Member

    Joined:
    Oct 8, 2014
    Posts:
    81
    As a general rule of thumb, blocking instead of disabling will result in wasted bandwidth and resources. Some sites will even render faulty in case of blocked JavaScript while they are OK with JavaScript disabled. For better understanding please read the last chapter (9) of a FAQ: https://add0n.com/javascript-toggler.html
    Since WebExtensions forbid access to internal preferences, extension writers are forced as a workaround to block features instead of disabling them.
    It's one of the major shortcomings of WebExtensions and their ability to provide perfect control over your browser.

    Can you please give examples of sites which are broken (and I don't mean features like push notifications) because of disabled ServiceWorkers?
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,308
    Location:
    Canada
    There is a research paper that questions the viability of the Marionet attack here

     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,130
    Location:
    Italy
    Almost certainly, disabling the Service Workers does not cause any problems.
    Instead, disabling Web Workers breaks some websites.
    Also the last release of the Ghacks user.js disables the Web Workers (section 2300).

    Raymond Hill mentions that disabling Web Workers allows you to get benefits even in security:

    https://github.com/gorhill/uMatrix/releases/tag/1.2.0

    So at this point I'm curious to determine if it is better to block the Web Workers or not.:thumb:

    @ to all

    Do we open a poll?
     
  24. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,395
    Location:
    Member state of European Union
    Service Workers are part of W3C standard, so developers may expect them to be available.
     
  25. Pharao

    Pharao Registered Member

    Joined:
    Oct 8, 2014
    Posts:
    81
    I couldn't care less what Google & Co enforces for W3C standards.
    I'm not keen on connections behind my back, connections I have no control over, whatever some developers expect. Period.
     