Privacy Breach by Exploiting postMessage in HTML5: Identification, Evaluation, and Countermeasure

Published: 30 May 2016

Abstract

The postMessage mechanism in HTML5 enables different webpage origins to exchange information and communicate. It is becoming increasingly popular among websites that need to import content from third-party services, such as advertisements and preference-based recommendations. Ideally, a receiver function should be implemented locally in the hosting page that needs to receive third-party messages. In the real world, however, the receiver function is usually provided by a third-party service provider, and its code is imported via the HTML "script" tag, so the imported code is treated as having the same origin as the hosting page. When a site uses multiple third-party services, every receiver function imported by the hosting page can receive messages from any third-party provider. Based on this observation, we identify a new information leakage threat, named the DangerNeighbor attack, that allows a malicious service to eavesdrop on messages sent from other services to the hosting page.
We study 5000 popular websites and find that the DangerNeighbor attack is a real threat to sites adopting the postMessage mechanism. To defeat this attack, we propose an easily deployable approach that protects messages from being eavesdropped on by a malicious provider. In this approach, the site owner simply imports a piece of JavaScript code and specifies a mapping table that associates messages from each origin with the corresponding receiver function. The approach, which is transparent to the providers, ensures that a receiver function receives messages only from a specific origin.
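The following is an added example, not code from the paper or its authors, that models the situation the abstract describes: several third-party receivers registered on one shared window, none of which checks the sender's origin, placed beside a single dispatcher driven by an origin-to-receiver mapping table. `FakeWindow` is a constructed stand-in for the browser `window` (only `addEventListener("message", fn)` and delivery of a `{origin, data}` event are modelled) so the code runs offline under Node; the origins `https://ads.example`, `https://recs.example` and `https://evil.example` and the message strings are constructed sample values. The paper's actual JavaScript library is not shown here; this only illustrates the mapping-table idea.

```javascript
// Constructed stand-in for the browser `window`: it models only
// addEventListener("message", fn) and the delivery of a MessageEvent-like
// object { origin, data }. In a real page you would use `window` directly.
class FakeWindow {
  constructor() { this.listeners = []; }
  addEventListener(type, fn) {
    if (type === "message") this.listeners.push(fn);
  }
  // Simulates a frame served from `origin` calling hostWindow.postMessage(data, "*").
  deliver(origin, data) {
    for (const fn of this.listeners) fn({ origin, data });
  }
}

// --- Vulnerable pattern (DangerNeighbor): each imported third-party script
// registers its own receiver on the shared window and no receiver checks
// event.origin, so every receiver sees every provider's messages. ----------
function naiveReceivers(win) {
  const seenByAds = [];   // what the ad provider's receiver observed
  const seenByRecs = [];  // what the recommendation provider's receiver observed
  win.addEventListener("message", (e) => seenByAds.push(e.data));
  win.addEventListener("message", (e) => seenByRecs.push(e.data));
  return { seenByAds, seenByRecs };
}

// --- Countermeasure sketched in the abstract: the site owner declares one
// mapping table { origin -> receiver } and a single dispatcher enforces it.
// Messages from an origin that is not in the table reach no receiver at all.
function installDispatcher(win, table) {
  win.addEventListener("message", (e) => {
    const receiver = Object.prototype.hasOwnProperty.call(table, e.origin)
      ? table[e.origin]
      : undefined;
    if (!receiver) return;  // unknown origin: dropped
    receiver(e.data);
  });
}

function guardedReceivers(win) {
  const seenByAds = [];
  const seenByRecs = [];
  installDispatcher(win, {
    "https://ads.example": (d) => seenByAds.push(d),
    "https://recs.example": (d) => seenByRecs.push(d),
  });
  return { seenByAds, seenByRecs };
}

// Drive both setups with the same constructed traffic: one message from each
// legitimate provider plus one from an origin the site never trusted.
function scenario(setup) {
  const win = new FakeWindow();
  const seen = setup(win);
  win.deliver("https://ads.example", "ad-click-token");
  win.deliver("https://recs.example", "user-interests");
  win.deliver("https://evil.example", "probe");
  return seen;
}

const naive = scenario(naiveReceivers);
const guarded = scenario(guardedReceivers);
console.log("naive  :", JSON.stringify(naive));
console.log("guarded:", JSON.stringify(guarded));
```

In the naive run both receivers observe all three messages, including the other provider's data; in the guarded run each receiver observes exactly one message, from its mapped origin, and the untrusted message is discarded. The mapping table keys are full origins (scheme, host and port), which is what `event.origin` carries, so a comparison against a bare hostname or a substring would not give the same guarantee.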




    Published In

    ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
    May 2016
    958 pages
    ISBN:9781450342339
    DOI:10.1145/2897845

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. HTML5
    2. postmessage
    3. privacy

    Acceptance Rates

    ASIA CCS '16 Paper Acceptance Rate 73 of 350 submissions, 21%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%


    Cited By

    • (2023) A Honey postMessage, but a Heart of Gall: Exploiting Push Service in Service Workers Via postMessage. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 785-796. DOI: 10.1145/3579856.3590342. Online publication date: 10-Jul-2023
    • (2022) DISTINCT. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 1553-1567. DOI: 10.1145/3548606.3560692. Online publication date: 7-Nov-2022
    • (2022) The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies. 2022 IEEE Symposium on Security and Privacy (SP), pp. 1590-1607. DOI: 10.1109/SP46214.2022.9833637. Online publication date: May-2022
    • (2021) The Service Worker Hiding in Your Browser: The Next Web Attack Target? Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 312-323. DOI: 10.1145/3471621.3471845. Online publication date: 6-Oct-2021
    • (2021) XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 1771-1788. DOI: 10.1145/3460120.3484739. Online publication date: 12-Nov-2021
    • (2021) Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication. Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 110-122. DOI: 10.1145/3433210.3437510. Online publication date: 24-May-2021
    • (2017) Your Neighbors are Listening: Evaluating PostMessage Use in OAuth. 2017 IEEE Symposium on Privacy-Aware Computing (PAC), pp. 210-211. DOI: 10.1109/PAC.2017.30. Online publication date: Aug-2017
