Dormant service-worker attack - any mitigation possible?
Looking at this article:
https://medium.com/@peter_szilagyi/augur-hijack-via-dormant-service-workers-bea254258f98
the author discloses an attack on localhost-run decentralized apps via dormant web workers. He shows it in the context of the Augur platform, but it applies to any decentralized app which wants to run its interface via localhost.
Now, granted, the attack is only possible if the attacker manages to install a malicious web server on the target machine first, which then would install the malicious service worker code. One could say this is unlikely, and if that is the case, then the system is severely compromised anyway.
But in the context of crypto-currencies and decentralized applications, it could well be the intention of an attacker not to be noticed as having breached the target system. In that case the targeted user is in serious trouble, as the malicious code could be providing false information, and even try to get hold of funds etc.
One possible solution I thought of:
* Remove any running service worker when loading the site from localhost. This script does that: How do I uninstall a Service Worker?
But essentially the malicious code would easily be able to get around that.
Any other possible solution?
P.S. I am aware that the question may be downvoted/closed. Nevertheless I believe it's very relevant, important and related to programming. Judge yourself :)
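The mitigation listed in the question (unregister every service worker when the page is loaded from localhost), written out as an added example; this is not code from the question, from the linked Stack Overflow answer, or from the Augur project. The service-worker container and the window are passed in as parameters so the logic can also run outside a browser; in a page you would call `cleanServiceWorkersOnLocalhost(window)`. The `makeFakeContainer` and `makeFakeWindow` helpers, the `sw-cleanup-reloaded` sessionStorage key and the sample scopes are constructed for the example. The example also handles the caveat the question hints at: `ServiceWorkerRegistration.unregister()` does not detach a worker from the clients it already controls, so the page that runs the cleanup stays controlled until it is reloaded, and a worker that intercepts that navigation can simply serve a page without the cleanup script.

```javascript
// Added example: unregister all service workers when the page is served from localhost.
// Not part of the original question; the fake container/window below are constructed
// stand-ins for navigator.serviceWorker and window so the example runs in Node.

const LOCALHOST_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// True when the page is being served from a loopback host (or a *.localhost name).
function isLocalhost(hostname) {
  return LOCALHOST_HOSTS.has(hostname) || hostname.endsWith('.localhost');
}

// Unregister every registration for this origin and report what was removed.
// `container` is navigator.serviceWorker (or an object with the same shape).
async function unregisterAllServiceWorkers(container) {
  if (!container || typeof container.getRegistrations !== 'function') {
    // No service-worker support (insecure context, old browser, or non-browser runtime).
    return { supported: false, removed: [], stillControlled: false };
  }
  const registrations = await container.getRegistrations();
  const removed = [];
  for (const reg of registrations) {
    // unregister() resolves true only when a registration was actually removed.
    if (await reg.unregister()) {
      removed.push(reg.scope);
    }
  }
  // Unregistering does not detach the worker from clients it already controls:
  // this document stays under the old controller until it is reloaded.
  const stillControlled = container.controller != null;
  return { supported: true, removed, stillControlled };
}

// Page entry point: run the cleanup on localhost and reload at most once per tab
// session so the document is no longer controlled by a (possibly malicious) worker.
// RELOAD_FLAG is a hypothetical sessionStorage key chosen for this example.
const RELOAD_FLAG = 'sw-cleanup-reloaded';
async function cleanServiceWorkersOnLocalhost(win) {
  if (!isLocalhost(win.location.hostname)) return null;
  const result = await unregisterAllServiceWorkers(win.navigator.serviceWorker);
  if (result.stillControlled && win.sessionStorage.getItem(RELOAD_FLAG) === null) {
    win.sessionStorage.setItem(RELOAD_FLAG, '1');
    win.location.reload();
  }
  return result;
}

// Constructed stand-in for navigator.serviceWorker with the given registration scopes.
function makeFakeContainer(scopes, controlled) {
  const regs = scopes.map((scope) => ({
    scope,
    unregistered: false,
    async unregister() {
      if (this.unregistered) return false;
      this.unregistered = true;
      return true;
    },
  }));
  return {
    controller: controlled ? { scriptURL: 'http://localhost:8080/sw.js' } : null,
    async getRegistrations() {
      return regs.filter((r) => !r.unregistered);
    },
  };
}

// Constructed stand-in for window: counts reloads and keeps sessionStorage in a Map.
function makeFakeWindow(hostname, container) {
  const store = new Map();
  const win = {
    reloads: 0,
    location: { hostname, reload() { win.reloads += 1; } },
    navigator: { serviceWorker: container },
    sessionStorage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => { store.set(k, String(v)); },
    },
  };
  return win;
}

// Demo on constructed input: two registrations, page currently controlled.
const demoWindow = makeFakeWindow(
  'localhost',
  makeFakeContainer(['http://localhost:8080/', 'http://localhost:8080/app/'], true),
);
cleanServiceWorkersOnLocalhost(demoWindow).then((r) => {
  console.log('removed scopes:', r.removed, 'reloads:', demoWindow.reloads);
});
```

Note that this only helps if the cleanup script actually reaches the browser: a service worker that controls the page intercepts the navigation request itself and can serve whatever HTML it likes, including a copy of the interface with this code stripped out, which is the limitation the question already points at.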