Closed mhofman closed 5 years ago
The periodic sync API didn't get beyond a sketch. It isn't in any browser.
I know that, but that paper and article claim to be using it to achieve persistence. There is no sample code so I don't know what they're actually doing. IMO it's spreading FUD on ServiceWorker in general which may be damaging to the technology.
Also the MDN documentation claims it's actually shipped in Chrome.
Edit: Looks like https://github.com/mdn/browser-compat-data/pull/2058 that was supposed to fix the docs got messed up.
I've posted https://twitter.com/jaffathecake/status/1100319347304734721 to try and clear things up.
Looks like a paper is making the rounds and triggered a news article on ZDNet about abusing the periodicSync API to allow malware stealth and persistence.
There seem to be a lot of misinformation through both the paper and news article, but someone might want to get ahead of it now.
It seems that the paper was also presented this morning at a security symposium , but without a video, I don't know what exactly was said.