Advanced APIs are double-edged swords
The evolution of computing brought the development of sophisticated Application Programming Interfaces (APIs), which are sets of routines, advanced protocols, and tools for building software applications and specifying the interaction of software components.
In our digitalised world, various APIs have been developed for the provision of advanced Cloud, IoT, Big Data and telecom services; they are used by web applications, allowing users to navigate through interactive maps and 3D environments, receive timely updates, or even connect directly to other browsers for peer-to-peer audio or video communication. There are two types of APIs: (i) those built into web browsers (browser APIs), e.g. the Web Audio API, which provides JavaScript constructs for manipulating audio in the browser; and (ii) those that need to be retrieved from the Web (third-party APIs). Browser APIs are used to manipulate documents loaded into the browser, fetch data from the server, draw and manipulate graphics and multimedia, play audio and video, and so on; they also manipulate data from modern device hardware in a way that is useful for web apps, and they store data on the client side (even when the device is offline).
These advancements in modern APIs do not come without a burden: they are vulnerable to many threats that stem from the highly dynamic nature of JavaScript, which does not enable extensive security checking. The paper “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation” raises awareness of a new class of attacks and of the need for advanced browser APIs that provide a more secure client-side environment for web applications. The authors (P. Papadopoulos, P. Ilia, M. Polychronakis, E. Markatos, S. Ioannidis, and G. Vasiliadis) reveal that a fundamental security problem of web applications is that, by default, the publisher is considered trusted and is thus allowed to run JavaScript code (even third-party APIs) on the user side without any restrictions.
The paper presents a browser-based botnet framework, called MarioNet, to demonstrate the vulnerabilities and the attacks that can be conducted. In particular, MarioNet enables adversaries to remotely control a user’s browser, hijack the device’s resources, and force the browser into unwanted computation on the user’s machine or into harmful operations (i.e. cryptocurrency mining, password cracking, and DDoS) through a variety of distributed attacks. MarioNet allows adversaries to commit attacks by taking advantage of vulnerable APIs and third-party libraries, which are exploited and compromised to redirect the user to a new tab (e.g. using popunders or clickjacking), where MarioNet can register its own service worker bound to a third-party domain. MarioNet is shown to carry out such attacks by compromising the visited website, feeding the malicious JavaScript code directly into the page loaded with poisoned content from third parties (e.g. using redirect scripts or social engineering methods), or hosting malware. The authors evaluated MarioNet on several popular browsers and hardware settings, demonstrating the feasibility of the described attacks, in which various resources were abused. The paper aims to raise the challenge of reconsidering the trust level of web publishers and the security of modern browser APIs, whose rich features draw the attention of miscreants looking to take advantage of and abuse users’ browsers.