An unlikely attack, but one that has major ramifications
Applications that use a local web interface may be susceptible to attacks by malicious service workers.
Decentralized platforms like Augur can be exploited with these service workers, allowing an attacker to take over the entire network infrastructure.
Luckily for developers, this attack first relies on gaining access to a target machine.
Péter Szilágyi, team lead at Ethereum and the security researcher who first pointed out the issue, said the exploit begins when a user logs on to the Augur app through a browser that has had a service worker installed.
“At this point our previously dormant service worker starts executing, hijacking all network fetches between the UI and the backend service,” said Szilágyi, writing in a blog post where he used Augur as an example.
“This permits us to arbitrarily modify the data flow between the user and the service and also permits us to inject arbitrary JavaScript code into the UI itself.”
He added: “In order to hijack Augur however, we need to install a service worker to localhost:8080 in the first place.
“This requires running a malicious web server at least once on the target machine and loading localhost:8080 at least once in the user’s web browser prior to Augur.”
At your service
A service worker is a script that the browser keeps for a site's origin and that acts as a network proxy, so that when the user is offline the app can keep operating as if it were still connected to the internet. Receiving notifications from a news app is a good example of a service worker in action.
Because they sit as an intermediary between the user and the network, service workers are subject to strict security rules: they will only run from secure origins such as HTTPS sites, and any localhost address is treated as a secure origin.
In this case the script can be used to mount a man-in-the-middle attack on Augur's decentralized infrastructure, and additionally to inject arbitrary JavaScript code into the platform's UI itself.
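To make the origin point concrete, the following is an added JavaScript example (not code from the article, from Augur or from Ethereum). It shows that two unrelated apps served from localhost:8080 share one web origin, so a service worker registered by either of them controls pages of both, and it sketches a best-effort startup audit a localhost-served UI can run: list the registrations for its origin and unregister any whose script is not on the app's own allow list. The allow-listed worker URL, the hypothetical `leftover-sw.js` and the fake registration objects are constructed for the example; the browser calls (`navigator.serviceWorker.getRegistrations()`, `registration.active.scriptURL`, `registration.unregister()`) are real APIs.

```javascript
// Added example, not the article's or Augur's code.
// Service worker registrations are keyed by origin (scheme + host + port).
// Any two pages served from http://localhost:8080 share one origin, so a
// worker registered by one of them will control the other's pages too.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Pure classification step: return the registrations whose worker script is
// not on the allow list. `registrations` is shaped like what
// navigator.serviceWorker.getRegistrations() resolves to in a browser.
function findRogueRegistrations(registrations, allowedScripts) {
  return registrations.filter((reg) => {
    const worker = reg.active || reg.waiting || reg.installing;
    const scriptURL = worker ? worker.scriptURL : null;
    return !(scriptURL && allowedScripts.includes(scriptURL));
  });
}

// Best-effort audit: unregister every rogue registration and return the
// script URLs (or scopes) that were removed so the UI can log them.
async function auditServiceWorkers(registrations, allowedScripts) {
  const removed = [];
  for (const reg of findRogueRegistrations(registrations, allowedScripts)) {
    await reg.unregister();
    const worker = reg.active || reg.waiting || reg.installing;
    removed.push(worker ? worker.scriptURL : `(no worker, scope ${reg.scope})`);
  }
  return removed;
}

// Browser entry point: call this from the app's top-level script at startup.
async function auditInBrowser(allowedScripts) {
  if (typeof navigator === 'undefined' || !navigator.serviceWorker) return [];
  const regs = await navigator.serviceWorker.getRegistrations();
  return auditServiceWorkers(regs, allowedScripts);
}

// Constructed stand-ins for ServiceWorkerRegistration objects so the audit
// can be exercised outside a browser. Scopes differ because a browser keeps
// at most one registration per scope within an origin.
function makeFakeRegistration(scope, scriptURL) {
  const reg = {
    scope,
    active: scriptURL ? { scriptURL } : null,
    waiting: null,
    installing: null,
    unregistered: false,
  };
  reg.unregister = async () => { reg.unregistered = true; return true; };
  return reg;
}

// Constructed allow list: the one worker this hypothetical app registers.
const ALLOWED_WORKER_SCRIPTS = ['http://localhost:8080/app-sw.js'];

// Constructed sample: the app's own worker plus a leftover one registered
// earlier by some other page that happened to be served on localhost:8080.
const sampleRegistrations = [
  makeFakeRegistration('http://localhost:8080/', 'http://localhost:8080/app-sw.js'),
  makeFakeRegistration('http://localhost:8080/trade/', 'http://localhost:8080/leftover-sw.js'),
];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('same origin:', sameOrigin('http://localhost:8080/augur', 'http://localhost:8080/other'));
  auditServiceWorkers(sampleRegistrations, ALLOWED_WORKER_SCRIPTS)
    .then((removed) => console.log('removed:', removed));
}
```

The audit is deliberately described as best-effort: a worker that already controls the page intercepts the page's own fetches and can inject script, so it could serve a modified copy of the audit itself. The check is a detection aid that complements the structural fix of not sharing an origin with other locally served apps, not a substitute for it.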
Szilágyi responsibly disclosed the issue to the trading platform, which is understood not to regard the service worker behaviour as a vulnerability. Others have agreed.
“This is not a vulnerability, at all,” security researcher Egor Homakov said on Twitter.
“It’s like saying ‘I hacked app X on your computer because I managed to pwn your computer’.”
He added: “Running a locally served localhost app is one of the best ways to do decentralized stuff. Electron is considerably worse, and one XSS away from RCE.
When an attacker has shell into your laptop, the last thing to focus on is putting SW in front of some app. They own everything.”
Szilágyi responded by saying that the potential service worker vulnerability shows how certain browser technology can turn into major problems for developers.
He said: “At the very core, it seems that running the Augur UI in the user’s browser from localhost might not have been the most enlightened decision due to origin clashes.
“Browsers always treat localhost as a special snowflake when it comes to security policies and I can imagine future vulnerabilities might originate from this.”
The Daily Swig has reached out to Augur for comment.