Fakultät für Informatik und Mathematik
MIP-1603

MIP-1603

Paper Description: MIP 1603
BibTeX entry:
@incollection{MIP-1603,
author={J. D. Parra Rodriguez, J. Posegga},
title={{Abusing Web Browsers for Hidden Content Storage and Distribution}},
institution={{Fakult{\ät} f{\ü}r Informatik und Mathematik, Universit{\¨at}t Passau}},
year={2016},
number={MIP-1603}
}

Abstract:
An existent gap in the underlying security assumptions taken forthe WebRTC and postMessage APIs led us to find a novel attack abusing the browsers’ persistent storage capabilities. The presented attack can be executed without the website’s visitor knowledge, and it requires neither browser vulnerabilities nor additional software on the browser’s side.
To exemplify the power of the attack, we use browsers to create a network for persistent storage and distribution of arbitrary data. In our proof of concept, the total storage of the network, and therefore
the space used within each browser, grows linearly with the number of origins delivering the malicious JavaScript code. Further, data transfers between browsers are not restricted by the Same Origin Policy,
which allows for a unified cross-origin browser network, regardless of the origin from which the script executing the functionality is loaded from.
In the course of our work, we assess the feasibility of a real-life deployment of the network by running experiments using Linux containers, browser automation tools, and custom-made software. More-
over, we lay the groundwork towards possible countermeasures and illustrate why thwarting the proposed attack is a difficult research challenge.

Paper itself:
- MIP-1603.pdf