[Webkit-unassigned] [Bug 204117] Feature: Add support for Periodic Background Sync

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Dec 7 14:09:44 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=204117

Maciej Stachowiak <mjs at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #2 from Maciej Stachowiak <mjs at apple.com> ---
We oppose this feature and will not implement it.

Reasons:

(1) We are opposed to Service Worker Background Sync and this extends Background Sync.

(2) We agree with all the reasons that Mozilla stated in considering this specification to be “harmful” <https://github.com/mozilla/standards-positions/issues/214#>.

(3) To be more specific, there is a significant privacy risk.
        (a) Without a solution for hiding IP addresses, this enables persistent IP-based tracking any time the user grants the permission, and it’s difficult to word a permission dialog in a way the user would understand.
        (b) Background Sync allows a web app granted the permission to “phone home” with any sensitive information it obtains through another powerful capability, even if that information is only available temporarily due to a bug, and even if the user doesn’t launch the web app during the exploitability window of the bug.


(4) In addition, we believe there is significant security risk.
        (a) Periodic Background Sync could be used to build botnets along the lines in this paper: https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01B-2_Papadopoulos_paper.pdf
        (b) More specifically, a mechanism to periodically phone home could turn an installed base of apps into an active botnet at any time with no prior warning. Even with no further vulnerabilities, it could be used for purposes such as DDoS, cryptomining or mass fraud (albeit somewhat mitigated by limits on execution time and time).

        (c) A mechanism to periodically phone home can be used to greatly extend the attack scope of 0-day vulnerabilities and can make it more efficient to abuse n-day vulnerabilities. Assume a sandbox escape vulnerability usable from a Service Worker is revealed. Periodic background sync allows it to be used against the whole pool of users who have granted the permission right away, perhaps before they have had time to install the patch.

        (d) I pointed out a number of similar risks for models with persistent background content (then called "persistent workers") in 2009: https://lists.w3.org/Archives/Public/public-whatwg-archive/2009Jul/0868.html

        (e) All these vulnerabilities are exacerbated by the fact that domains and websites can be purchased. Even if the actor registering for periodic background sync is trustworthy at the time, their assets could be purchased at a later time by a malicious entity. For a website, users can simply stop visiting, but with periodic background sync, they may continue to be vulnerable even if they don’t visit/launch any more.

        (f) Concerningly, the specification does not even have a Security Considerations section, even though these types of risks have been known for years. Perhaps mitigations to these threats exist, but one wouldn’t know it from reading the spec.

(5) Periodic background execution is likely to harm mobile device battery life, and would be difficult for the user to notice and disable.

(6) Background Sync and Periodic Background Sync appear to be Chromium-only technologies. Background Fetch serves some of the same use cases in a safer way and has wider consensus.
