A group of researchers has discovered that websites can abuse modern browser APIs to persistently abuse browser resources for nefarious operations even after their tabs or windows have been closed.
To demonstrate the attack, researchers from FORTH (Foundation for Research and Technology), Greece, and Stony Brook University, U.S., built MarioNet, a framework that allows a malicious third party to control the visitor’s browser for cryptocurrency mining, password-cracking, and distributed denial of service (DDoS) attacks.
In a paper (PDF) detailing the attack, the researchers explain that MarioNet relies solely on already available HTML5 APIs and that it does not require the installation of additional software. This also means that it can be used on all major browsers.
The attack is both persistent and stealthy, as it continues in the background of the browser even after the user closes the window or tab of the malicious website. However, it cannot survive browser reboots.
“MarioNet goes beyond existing approaches and demonstrates how malicious publishers can launch persistent and stealthy attacks. This is possible by allowing malicious actors to continue having control of the victim’s browser even after the user browses away from a malicious or infected website, and by bypassing most of the existing in-browser detection mechanisms,” the paper reads.
The framework has two main parts, namely an in-browser component and a remote command and control system. Unlike typical botnets, MarioNet doesn’t exploit implementation flaws on the target system, but relies on JavaScript capabilities and HTML5 APIs, which makes it compatible with most desktop and mobile browsers.
Courtesy of isolation from the visited website, the system allows fine-grained control of the utilized resources and can continue its operation in the background even after the parent tab was closed, thus achieving persistence. Moreover, it can avoid detection by browser extensions that try to monitor the webpage’s activity or outgoing communication, the researchers note.
Possible defense mechanisms include restricting or disabling service workers, or restricting the browser from fetching and deploying service workers, or requiring the user’s permission for the registration and activation of a service worker. Signature-based detection and behavioral analysis and anomaly detection systems should also prevent such attacks.
The attack can be launched through malicious websites, compromised domains, and through dynamic content in iframes, meaning that it is actually easy for an attacker to leverage it, the researchers say.
“Essentially, our work demonstrates that the trust model of web, which considers web publishers as trusted and allows them to execute code on the client-side without any restrictions is flawed and needs reconsideration,” the paper reads.
Related: Websites Can Exploit Browser Extensions to Steal User Data
