Local Storage on Steroids: Abusing Web Browsers for Hidden Content Storage and Distribution

Analysing security assumptions taken for the WebRTC and postMessage APIs led us to find a novel attack abusing the browsers’ persistent storage capabilities. The presented attack can be executed without the website’s visitor knowledge, and it requires neither browser vulnerabilities nor additional software on the browser’s side. To exemplify this, we study how can an attacker use browsers to create a network for persistent storage and distribution of arbitrary data.