
MarioNet Browser Attack


Sampei.Nihira


Some info in the articles below:

 

https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/

https://www.ghacks.net/2019/02/26/marionet-attack-lets-hackers-control-your-browser-even-after-you-leave-the-attack-page/

 

To check if Service Workers are active in your browser:

https://browserleaks.com/features

Pale Moon and Basilisk do not support Service Workers by default.
Also, I.E. 8 does not support Service Workers:

ugXRZ6cl_o.jpg

Edited by Sampei.Nihira


2 hours ago, Sampei.Nihira said:

Some info in the articles below:

 

https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/

https://www.ghacks.net/2019/02/26/marionet-attack-lets-hackers-control-your-browser-even-after-you-leave-the-attack-page/

 

To check if Service Workers are active in your browser:

https://browserleaks.com/features

Pale Moon and Basilisk do not support Service Workers by default.
Also, I.E. 8 does not support Service Workers:

ugXRZ6cl_o.jpg

I am reading this on my phone.

Chrome on my iPhone 6 does not support service workers. Safari, however, does. :no:


For those who want to take a more detailed test:

 

https://www.wilderssecurity.com/threads/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page.413876/#post-2812242

With Firefox / Pale Moon / New Moon / Basilisk, you do not need to install the extension, you can test directly.

Edited by Sampei.Nihira

I use Basilisk and used to use Firefox, which have these things turned off by default, and I don't think I've ever needed "service workers" for any Web page I've visited to work.

So why do "service workers" even exist? They seem to do nothing except create a security exposure.


Just FYI, original ZDNet article got updated:

Quote

UPDATE, February 28: Following the NDSS presentation and this article, Mozilla developers have looked into the reported attack and have concluded that Firefox is currently not susceptible to MarioNet attacks:

"While we are grateful for any responsibly-disclosed analysis or security work that might help us make Firefox a safer, more reliable product, the conclusions of this paper rely on a non-standard extension to ServiceWorkers that Firefox does not support, and we have been unable to replicate these claims in-house," a Mozilla spokesperson told ZDNet. "While we've reached out to the authors of this paper for clarification, we do not believe that Firefox users are affected by this vulnerability."

 


Sadly, Chromium 54 is affected:

nRYe3Kw.png

 

Unfortunately, in Chrome there is no built-in flag to disable service workers specifically, but service workers work with "cookies/site data", which you can find at chrome://settings/cookies, so blocking those actually disables service workers.

The thing is that cookies are actually useful...


7 hours ago, FranceBB said:

Sadly, Chromium 54 is affected:

nRYe3Kw.png

 

Unfortunately, in Chrome there is no built-in flag to disable service workers specifically, but service workers work with "cookies/site data", which you can find at chrome://settings/cookies, so blocking those actually disables service workers.

The thing is that cookies are actually useful...

http://prntscr.com/mth9nv

Opera is affected too though:(


10 hours ago, FranceBB said:

Sadly, Chromium 54 is affected:

nRYe3Kw.png

 

Unfortunately, in Chrome there is no built-in flag to disable service workers specifically, but service workers work with "cookies/site data", which you can find at chrome://settings/cookies, so blocking those actually disables service workers.

The thing is that cookies are actually useful...

With Chrome, you can block Service Workers as long as you also block Web Workers.
It can be done with the uMatrix extension.
But even with the uBlock Origin extension, you only need to set up a rule.


The Browserleaks website doesn't do anything if JavaScript is disabled, and it appears the MarioNet thing also uses JavaScript.

Regarding Chrome, it may not say this specifically, but there is a setting in the advanced options, "Continue running background apps when Google Chrome is closed", which may be related to whether or not it will allow the Service Workers thing to run properly.


@FranceBB

For Chromium-based browsers, under "chrome://serviceworker-internals" the current working scripts can be displayed, stopped and removed (with unregister) until the next call of certain web pages. The following websites were noticed:
When opening a new tab
https://www.4shared.com
https://www.youtube.com

Lastly, only HttpsProxy (ProxAddr and RearPort) helped interpose a proxy (Jana Server), where certain blocklist entries

youtube.com/sw.js
serviceworker.js
sw_*.js

helped put an end to these activities.
μBlock could not block these serviceworker scripts.

Since they have us a real s*** installed in Chrome, which can not be deactivated.

:)
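
An added example, not part of the original thread: a script-level counterpart to the "chrome://serviceworker-internals" inspection described above, which lists Service Worker registrations and can unregister those whose script name matches the blocklist entries quoted in the post. The function names and the `BLOCK_PATTERNS` constant are hypothetical, and unlike the internals page, `getRegistrations()` only reports workers for the origin of the page it runs on.

```javascript
// File-name patterns taken from the blocklist entries quoted in the post above.
const BLOCK_PATTERNS = ['sw.js', 'serviceworker.js', 'sw_*.js'];

// Match a script URL's file name against a pattern where "*" is a wildcard.
function matchesPattern(scriptURL, pattern) {
  const file = new URL(scriptURL).pathname.split('/').pop();
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*');                 // then expand the wildcard
  return new RegExp('^' + escaped + '$', 'i').test(file);
}

// List registrations for the current origin; optionally unregister flagged ones.
// `nav` is the browser's `navigator` (passed in so the logic can be tested).
async function auditServiceWorkers(nav, opts = {}) {
  const { unregister = false, patterns = BLOCK_PATTERNS } = opts;
  // Browsers without the API, or with it disabled, expose no serviceWorker.
  if (!nav || !('serviceWorker' in nav)) {
    return { supported: false, workers: [] };
  }
  const regs = await nav.serviceWorker.getRegistrations();
  const workers = [];
  for (const reg of regs) {
    // A registration holds its worker in one of three lifecycle slots.
    const sw = reg.active || reg.waiting || reg.installing;
    const scriptURL = sw ? sw.scriptURL : null;
    const flagged = scriptURL !== null &&
      patterns.some((p) => matchesPattern(scriptURL, p));
    let removed = false;
    if (unregister && flagged) removed = await reg.unregister();
    workers.push({
      scope: reg.scope, scriptURL, state: sw ? sw.state : 'none',
      flagged, removed,
    });
  }
  return { supported: true, workers };
}

// In a browser DevTools console this prints the current origin's workers.
if (typeof navigator !== 'undefined' && 'serviceWorker' in navigator) {
  auditServiceWorkers(navigator).then((r) => console.table(r.workers));
}
```

Pass `{ unregister: true }` to remove flagged workers; as the post notes for the internals page, a site can register its worker again on the next visit.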
