WICG / background-sync

A design and spec for ServiceWorker-based background synchronization
https://wicg.github.io/background-sync/spec/
Apache License 2.0

Paper on abuse of Period Sync #150

Closed mhofman closed 5 years ago

mhofman commented 5 years ago

Looks like a paper is making the rounds and triggered a news article on ZDNet about abusing the periodicSync API to allow malware stealth and persistence.

There seems to be a lot of misinformation in both the paper and the news article, but someone might want to get ahead of it now.

It seems that the paper was also presented this morning at a security symposium, but without a video, I don't know what exactly was said.

jakearchibald commented 5 years ago

The periodic sync API didn't get beyond a sketch. It isn't in any browser.

mhofman commented 5 years ago

I know that, but that paper and article claim to be using it to achieve persistence. There is no sample code so I don't know what they're actually doing. IMO it's spreading FUD on ServiceWorker in general which may be damaging to the technology.

mhofman commented 5 years ago

Also the MDN documentation claims it's actually shipped in Chrome.

Edit: Looks like https://github.com/mdn/browser-compat-data/pull/2058 that was supposed to fix the docs got messed up.

jakearchibald commented 5 years ago

I've posted https://twitter.com/jaffathecake/status/1100319347304734721 to try and clear things up.