Categorizing Service Worker Attacks and Mitigations

TL;DR

This work systematically catalogs service worker (SW) attack vectors, reproduces known abuses, and introduces new abuse paths, organizing them into a taxonomy anchored to fundamental SW features. It analyzes when these attacks have appeared and how browser mitigations have evolved, producing an attacks-and-mitigations timeline and identifying open security problems. The authors implement proof-of-concept policies in Chromium and build a SW-forensics engine to measure real-world SW behavior, demonstrating that stricter SW security can be enforced with limited disruption to legitimate sites. In-the-wild measurements on thousands of popular sites reveal that while most SW usage remains benign, a non-trivial fraction exhibit patterns that could be curtailed by policy-driven controls, informing practical threshold choices. Overall, the paper argues for a least-privilege, policy-driven approach to SW security, combining monitoring, CSP enhancements, scope-based isolation, and UI safeguards to mitigate abuse without crippling legitimate PWAs.

Abstract

Service Workers (SWs) are a powerful feature at the core of Progressive Web Apps, namely web applications that can continue to function when the user's device is offline and that have access to device sensors and capabilities previously accessible only by native applications. During the past few years, researchers have found a number of ways in which SWs may be abused to achieve different malicious purposes. For instance, SWs may be abused to build a web-based botnet, launch DDoS attacks, or perform cryptomining; they may be hijacked to create persistent cross-site scripting (XSS) attacks; they may be leveraged in the context of side-channel attacks to compromise users' privacy; or they may be abused for phishing or social engineering attacks using web push notifications-based malvertising. In this paper, we reproduce and analyze known attack vectors related to SWs and explore new abuse paths that have not previously been considered. We systematize the attacks into different categories, and then analyze whether, how, and estimate when these attacks have been published and mitigated by different browser vendors. Then, we discuss a number of open SW security problems that are currently unmitigated, and propose SW behavior monitoring approaches and new browser policies that we believe should be implemented by browsers to further improve SW security. Furthermore, we implement a proof-of-concept version of several policies in the Chromium code base, and also measure the behavior of SWs used by highly popular web applications with respect to these new policies. Our measurements show that it should be feasible to implement and enforce stricter SW security policies without a significant impact on most legitimate production SWs.

Figures (5)

• Figure 1: Approximate timeline of attacks publication and mitigations. The $\infty$ symbol denotes new attacks discovered in this paper, which are not yet mitigated. Notice that some mitigations were implemented before official attack publication, perhaps thanks to responsible disclosure (the '*' next to WebBot denotes that a mitigation was described in online documentation related to Firefox, but our own tests show the attack appears to still be possible on that browser).
• Figure 2: SW behavior measurements. Each graph displays the distribution (CDF) of occurrences of an event within a specific time window: a) Push count per hour; b) Push count per day; c) Third-party fetch count per SW activation; d) SW execution time per activation (in minutes); e) SW execution time per day (in minutes).
• Figure 3: Examples of spam/malicious notifications
• Figure 4: Third-Party(TP) Imports (a) Count of TP imported domains per SWs (b) Top 10 TP domains imported by SWs
• Figure 5: Example of double permission prompt in use on a popular website.