Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon

MarioNet: A browser-based attack that allows hackers to run malicious code even if users’ exit a web page

Save for later
  • 3 min read
  • 28 Feb 2019

article-image

If you think closing down a website, closes down the possibility of the device being tracked, then you are wrong! Some Greek researchers have revealed a new browser-based attack named MarioNet, using which attackers can run malicious code inside users' browsers even after users have closed the webpage or even navigated away from the web page on which they got infected.

The researchers in the paper titled, “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation” have also explained different anti-malware browser extensions and anti-mining countermeasures, and also puts forward several mitigations that browser makers could take. The MarioNet attack was presented on February 25 at the NDSS 2019 conference in San Diego, USA.

MarioNet allows hackers to assemble giant botnets from users’ browsers. The researchers state that these bots can be used for in-browser crypto-mining (crypto jacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting.

Even after a user exits a browser or web page, MarioNet can easily survive. This is because modern web browsers support a new API called Service Workers. “This mechanism allows a website to isolate operations that rendering a page's user interface from operations that handle intense computational tasks so that the web page UI doesn't freeze when processing large quantities of data”, the ZDNet reports.

In their research paper, they explain technical details of how service workers are an update to an older API called Web Workers. They say, unlike web workers, a service worker, once registered and activated, can live and run in the page's background, without requiring the user to continue browsing through the site that loaded the service worker.

The attack routine consists of registering a service worker when the user lands on an attacker-controlled website and then abusing the Service Worker SyncManager interface to keep the service worker alive after the user navigates away.

The attack doesn't require any type of user interaction as browsers don't alert users or ask for permission before registering a service worker. Everything happens under the browser's hood as the user waits for the website to load.

MarioNet allows attackers to place malicious code on high-traffic websites for a short period of time. This allows the attackers to gain a huge user base, remove the malicious code, but continue to control the infected browsers from another central server.

The attack can also persist across browser reboots by abusing the Web Push API. This requires the attacker from getting user permission from the infected hosts to access this API.

The researchers also highlighted the fact that as Service Workers have been introduced a few years back, the MarioNet attack also works in almost all desktop and mobile browsers. Places, where a MarioNet attack won't work, are IE (desktop), Opera Mini (mobile), and Blackberry (mobile).

To know more about MarioNet attack in detail, read the complete research paper.


New research from Eclypsium discloses a vulnerability in Bare Metal Cloud Servers that allows attackers to steal data

Security researchers discloses vulnerabilities in TLS libraries and the downgrade Attack on TLS 1.3

Remote Code Execution Flaw in APT Linux Package Manager allows man-in-the-middle attack

Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at $19.99/month. Cancel anytime