New browser attack lets hackers run bad code even after users leave a web page

MarioNet attack lets hackers create botnets from users' browsers.
Written by Catalin Cimpanu, Contributor on

Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected.

This new attack, called MarioNet, opens the door for assembling giant botnets from users' browsers. These botnets can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting, researchers said.

The MarioNet attack is an upgrade to a similar concept of creating a browser-based botnet that was described in the Puppetnets research paper 12 years ago, in 2007.

The difference between the two is that MarioNet can survive after users close the browser tab or move away from the website hosting the malicious code.

This is possible because modern web browsers now support a new API called Service Workers. This mechanism allows a website to isolate operations that rendering a page's user interface from operations that handle intense computational tasks so that the web page UI doesn't freeze when processing large quantities of data.

Technically, Service Workers are an update to an older API called Web Workers. However, unlike web workers, a service worker, once registered and activated, can live and run in the page's background, without requiring the user to continue browsing through the site that loaded the service worker.

MarioNet (a clever spelling of "marionette") takes advantage of the powers provided by service workers in modern browsers.

The attack routine consists of registering a service worker when the user lands on an attacker-controlled website and then abusing the Service Worker SyncManager interface to keep the service worker alive after the user navigates away.

The attack is silent and doesn't require any type of user interaction because browsers don't alert users or ask for permission before registering a service worker. Everything happens under the browser's hood as the user waits for the website to load, and users have no clue that websites have registered service workers as there's no visible indicator in any web browser.

Furthermore, a MarioNet attack is also disjointed from the point of attack. For example, attackers can infect users on Website A, but they later control all the service workers from Server B.

Image: Papadopoulos et al.

This allows attackers to place malicious code for a short period of time on high-traffic websites, gain a huge userbase, remove the malicious code, but continue to control the infected browsers from another central server.

In addition, the MarioNet attack can also persist across browser reboots by abusing the Web Push API. However, this would require the attacker from getting user permission from the infected hosts to access this API.

The subsequent botnet created via the MarioNet technique can then be used for various criminal endeavors, such as in-browser crypto-mining (cryptojacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting.

Neither the original MarioNet attack or the subsequent botnet operations require attackers to exploit browser vulnerabilities, but merely abuse existing JavaScript execution capabilities and new HTML5 APIs.

For example, using infected MarioNet bots for file hosting requires using built-in data storage APIs already available inside browsers that let websites store and retrieve files from a user's computer. This makes detecting any MarioNet infects and subsequent attacks almost impossible.

Because Service Workers have been introduced a few years back, the MarioNet attack also works in almost all desktop and mobile browsers. The only ones were a MarioNet attack won't work are IE (desktop), Opera Mini (mobile), and Blackberry (mobile).

MarioNet compatibility
Image: Papadopoulos et al.

In their research paper, the research crew also describes methods through which MarioNet could avoid detected by anti-malware browser extensions and anti-mining countermeasures, and also puts forward several mitigations that browser makers could take.

The MarioNet attack will be presented today at the NDSS 2019 conference in San Diego, USA. More details about MarioNet are available in an accompanying research paper entitled "Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation," available for download in PDF format from here.

UPDATE, February 28: Following the NDSS presentation and this article, Mozilla developers have looked into the reported attack and have concluded that Firefox is currently not susceptible to MarioNet attacks:

"While we are grateful for any responsibly-disclosed analysis or security work that might help us make Firefox a safer, more reliable product, the conclusions of this paper rely on a non-standard extension to ServiceWorkers that Firefox does not support, and we have been unable to replicate these claims in-house," a Mozilla spokesperson told ZDNet. "While we've reached out to the authors of this paper for clarification, we do not believe that Firefox users are affected by this vulnerability."

All the Chromium-based browsers

More browser coverage:

Editorial standards