Abstract
A progressive web app (PWA) is a kind of web app designed to enhance users' browsing experience by combining the advantages of a web app's reachability and a native app's diverse functionalities. PWA sites have a special JavaScript file, the service worker, which is executed in a thread separate from the browser's main page. It can thus support unique functionalities such as offline usage and push service even after the browser is closed. Because of these features, the service worker has been a main target of many web attacks such as DDoS attacks, or has been abused to generate illegal sites such as darknet sites. However, previous attacks exploiting the push service have limitations in that they need the pre-installation of a malicious service worker or can only passively utilize the existing push notification from the legitimate site (e.g., hijacking the push notification to track users' location). In this study, we propose a novel crafted postMessage attack (CPA) using the postMessage() method, which leverages the benign service worker's push service by exploiting a cross-site scripting (XSS) vulnerability. Unlike the previous attacks, CPA attackers can actively craft push notifications to imitate the legitimate site or entice victims with a honeyed message. Besides, CPA attackers can sniff users' personal interests (e.g., subscription states as well as browsing histories), and even unsubscribe them to block receipt of push notifications from the legitimate site. To assess the real-world prevalence of the vulnerability causing CPA, we conducted a measurement study on popular PWA sites based on the Tranco list, collecting a total of 9,005 PWA sites using a service worker from the top 200k sites. As a result, we found that 376 of them are still vulnerable to XSS attacks, and 16 of those 376 sites are vulnerable to our attack in total. We estimated the number of potential victims of CPA, and it turned out that up to 6.5 M users per month are susceptible to our attack. Based on our findings, we discuss the root cause of the vulnerabilities and practical mitigations of our attack.
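The abstract describes the attack as a same-origin script (injected via XSS) sending crafted postMessage() payloads that the benign service worker turns into push-style notifications. The block below is an added defensive example, not code from the paper or from any site it measured: it assumes a constructed message protocol in which page scripts post `{ type: "notify", template: "<id>", params: {...} }`, and it keeps all notification text and click-through paths in an allow-list inside the worker, so a message cannot carry free-form title/body text or an off-site URL. `ORIGIN`, the template ids and the parameter shape are placeholders chosen for illustration.

```javascript
// Added example (not from the paper): a service worker "message" handler that
// refuses to turn arbitrary postMessage() payloads into notifications.
// Assumed (constructed) protocol: page scripts post
//   { type: "notify", template: "<id>", params: { ... } }
// and the notification text lives in an allow-list inside the worker, so a
// script injected into the page via XSS cannot supply free-form title/body
// text or an off-site click-through URL.

const ORIGIN = "https://example.com"; // placeholder for the PWA's own origin

// Allow-listed templates: the only text a notification can ever carry.
// `required` names the parameters a template needs; nothing else is accepted.
const TEMPLATES = {
  "order-shipped": {
    required: ["orderId"],
    title: "Your order is on its way",
    body: (p) => `Order ${p.orderId} has shipped.`,
    path: (p) => `/orders/${encodeURIComponent(p.orderId)}`,
  },
  "new-message": {
    required: [],
    title: "You have a new message",
    body: () => "Open the app to read it.",
    path: () => "/inbox",
  },
};

// Parameters must be short opaque identifiers, never free text.
const ID_RE = /^[A-Za-z0-9_-]{1,32}$/;

// Pure validator: returns { title, options } or null for anything that should
// be dropped. It uses no browser globals, so it can be unit-tested in Node.
function buildNotification(msg) {
  if (!msg || typeof msg !== "object" || msg.type !== "notify") return null;
  if (typeof msg.template !== "string" ||
      !Object.prototype.hasOwnProperty.call(TEMPLATES, msg.template)) {
    return null;                                   // unknown template
  }
  const tpl = TEMPLATES[msg.template];
  const params = msg.params && typeof msg.params === "object" ? msg.params : {};
  const keys = Object.keys(params);
  if (keys.length !== tpl.required.length ||
      !tpl.required.every((k) => keys.includes(k))) {
    return null;                                   // wrong parameter set
  }
  for (const v of Object.values(params)) {
    if (typeof v !== "string" || !ID_RE.test(v)) return null; // reject free text
  }
  // The click-through URL is derived from the template, never from the message,
  // and is forced onto the site's own origin.
  const url = new URL(tpl.path(params), ORIGIN);
  if (url.origin !== ORIGIN) return null;
  return {
    title: tpl.title,
    options: { body: tpl.body(params), data: { url: url.href } },
  };
}

// Worker wiring. Guarded so the file also loads outside a service worker.
if (typeof self !== "undefined" && self.registration) {
  self.addEventListener("message", (event) => {
    const n = buildNotification(event.data);
    if (!n) return;                                // silently drop crafted payloads
    event.waitUntil(self.registration.showNotification(n.title, n.options));
  });
}
```

This limits what an injected script can make the worker display, which addresses the "imitate the legitimate site" and "honeyed message" part of the abstract. It does not stop a same-origin script from reading the subscription state or calling the PushSubscription's unsubscribe() method, because those are available to any script on the origin; removing the XSS itself (and constraining injected script with a Content Security Policy) remains the root fix the abstract points to.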
| Original language | English |
|---|---|
| Title of host publication | ASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security |
| Publisher | Association for Computing Machinery |
| Pages | 785-796 |
| Number of pages | 12 |
| ISBN (Electronic) | 9798400700989 |
| DOIs | |
| Publication status | Published - 2023 Jul 10 |
| Event | 18th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2023 - Melbourne, Australia. Duration: 2023 Jul 10 → 2023 Jul 14 |

Publication series

| Name | Proceedings of the ACM Conference on Computer and Communications Security |
|---|---|
| ISSN (Print) | 1543-7221 |

Conference

| Conference | 18th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2023 |
|---|---|
| Country/Territory | Australia |
| City | Melbourne |
| Period | 23/7/10 → 23/7/14 |

Bibliographical note

Publisher Copyright: © 2023 ACM.
Keywords
- Service worker
- Web Security
- postMessage
ASJC Scopus subject areas
- Software
- Computer Networks and Communications