Please use this identifier to cite or link to this item: https://hdl.handle.net/20.500.14279/31090
Title: Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage
Authors: Karami, Soroush 
Ilia, Panagiotis 
Polakis, Jason 
Major Field of Science: Engineering and Technology
Field Category: Electrical Engineering - Electronic Engineering - Information Engineering
Keywords: Application level;Firefox;Large-scale studies;Non destructive;Privacy leakages;Sensitive application;Site-isolation;Social graphs;Strategic placement;Workers
Issue Date: 1-Jan-2021
Source: 28th Annual Network and Distributed System Security Symposium, NDSS 2021Virtual, Online, 21 - 25 February 2021
Conference: 28th Annual Network and Distributed System Security Symposium, NDSS 2021 
Abstract: Service workers are a powerful technology supported by all major modern browsers that can improve users' browsing experience by offering capabilities similar to those of native applications. While they are gaining significant traction in the developer community, they have not received much scrutiny from security researchers. In this paper, we explore the capabilities and inner workings of service workers and conduct the first comprehensive large-scale study of their API use in the wild. Subsequently, we show how attackers can exploit the strategic placement of service workers for history-sniffing in most major browsers, including Chrome and Firefox. We demonstrate two novel history-sniffing attacks that exploit the lack of appropriate isolation in these browsers, including a nondestructive cache-based version. Next, we present a series of use cases that illustrate how our techniques enable privacy-invasive attacks that can infer sensitive application-level information, such as a user's social graph. We have disclosed our techniques to all vulnerable vendors, prompting the Chromium team to explore a redesign of their site isolation mechanisms for defending against our attacks. We also propose a countermeasure that can be incorporated by websites to protect their users, and develop a tool that streamlines its deployment, thus facilitating adoption at a large scale. Overall, our work presents a cautionary tale on the severe risks of browsers deploying new features without an in-depth evaluation of their security and privacy implications.
URI: https://hdl.handle.net/20.500.14279/31090
ISBN: 1891562665
DOI: 10.14722/ndss.2021.23104
Rights: © 28th Annual Network and Distributed System Security Symposium
Attribution-NonCommercial-NoDerivatives 4.0 International
Type: Conference Papers
Affiliation : University of Illinois at Chicago 
Appears in Collections:Δημοσιεύσεις σε συνέδρια /Conference papers or poster or presentation

CORE Recommender
Show full item record

SCOPUSTM   
Citations

22
checked on Mar 14, 2024

Page view(s)

80
Last Week
0
Last month
6
checked on Dec 25, 2024

Google ScholarTM

Check

Altmetric


This item is licensed under a Creative Commons License Creative Commons