This @ZDNet article is full of technical errors, but I read the original security paper. With fewer errors, there are several misconceptions and at least the claim is too optimistic. They claim they can keep a SW running in the back running malicious code https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/ …
The original white paper (PDF) https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01B-2_Papadopoulos_paper.pdf …
They mixed up Background Sync and Periodic Sync. They believe Background Sync is part of the SW spec and therefore available everywhere, which is not true.
They claimed they can keep a service worker up and running for a long time using SyncManager, with no details on how.
They use XMLHttpRequest, jQuery's get (what's the difference?) and Web Sockets. All those APIs need an actual client and can't be used within the SW. No mention of the Fetch API, which doesn't need a client.

Also, they talk about keeping the SW running malicious code for more time, sending push silently after a permission was granted with social engineering techniques. And what about the visible notification??
The apparent vulnerability uses iframes. Authors said they didn't test on Safari because of "performance issues". But it's the only browser with a mitigation solution for iframes and SWs (partitions). And Background Sync is not there.
Maybe they have a point and there is a security hole to exploit somewhere, but the paper is not technically accurate and it's difficult to take it seriously. The point is not clear at all and the claim is not true as it's stated right now.
I could not understand the proposed attack after close reading of the paper. SW timer exhaustion logic could have bugs, but we considered all the proposed angles.