A Honey postMessage, but a Heart of Gall: Exploiting Push Service in Service Workers Via postMessage

Yeomin Jeong, Woonghee Lee, Junbeom Hur

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Progressive web app (PWA) is a kind of web apps, which is designed to enhance users' browsing experience by combining the advantages of a web app's reachability and a native app's diverse functionalities. PWA sites have a special JavaScript file, service worker, which is executed in a different thread from the browser's main page. It thus can support unique functionalities such as offline usage and push service even after the browser is closed. Because of these features, the service worker has been a main target of many web attacks such as a DDOS attack, or abused to generate illegal sites such as darknet sites. However, previous attacks exploiting the push service have limitations in that they need the pre-installation of a malicious service worker or only can passively utilize the existing push notification from the legitimate site (e.g., hijacking the push notification to track users' location). In this study, we propose a novel crafted postMessage attack (CPA) using the postMessage() method, which leverages the benign service worker's push service by exploiting the cross-site scripting (XSS) vulnerability. Unlike the previous attacks, CPA attackers can actively craft push notifications for imitating the legitimate site or enticing victims with a honeyed message. Besides, CPA attackers can sniff users' personal interest (e.g., subscription states as well as browsing histories), and even unsubscribe them to block the receipt of the push notification from the legitimate site. To assess the real-world prevalence of the vulnerability causing CPA, we conduct a measurement study on popular PWA sites based on Tranco list by collecting a total of 9,005 PWA sites from the top 200k sites using a service worker. As a result, we found 376 sites among them are still vulnerable to the XSS attack, and 16 sites out of those 376 sites are vulnerable to our attack in total. We estimated the number of potential victims of CPA, and it turned out that up to 6.5 M users per month are susceptible to our attack. Based on our findings, we discuss the root cause of the vulnerabilities and practical mitigations of our attack.

Original languageEnglish
Title of host publicationASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
PublisherAssociation for Computing Machinery
Number of pages12
ISBN (Electronic)9798400700989
Publication statusPublished - 2023 Jul 10
Event18th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2023 - Melbourne, Australia
Duration: 2023 Jul 102023 Jul 14

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221


Conference18th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2023

Bibliographical note

Publisher Copyright:
© 2023 ACM.


  • Service worker
  • Web Security
  • postMessage

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications


Dive into the research topics of 'A Honey postMessage, but a Heart of Gall: Exploiting Push Service in Service Workers Via postMessage'. Together they form a unique fingerprint.

Cite this