DangerNeighbor attack: Information leakage via postMessage mechanism in HTML5

2019 
Abstract

The postMessage mechanism in HTML5 enables webpages with different origins to communicate with each other on a hosting webpage. When the hosting webpage contains multiple receiver functions from different origins, all receiver functions can receive any message sent to this webpage. However, if one receiver function is malicious and deliberately eavesdrops on all messages sent to the hosting webpage, there is a risk of information leakage. In this paper, we perform a systematic study of this new type of information leakage threat, named the DangerNeighbor attack, which can eavesdrop on messages sent through postMessage by inserting a malicious receiver function into the hosting page. We implemented two proof-of-concept prototypes of DangerNeighbor attacks using a malicious third-party service provider and a malicious browser extension, respectively. To evaluate the feasibility of the DangerNeighbor attack, we study the Alexa top 5000 websites and 1200 Chrome extensions, and our analysis results verify the wide existence of the postMessage vulnerability in the wild. In particular, we perform a case study of the DangerNeighbor attack against the OAuth access token. We find that 39.61% of websites using Facebook OAuth and 23.38% of websites using Google OAuth may leak users' private information. Even worse, an attacker can successfully log in to 11 vulnerable websites with the compromised OAuth access token. Finally, we propose two countermeasures to thwart DangerNeighbor attacks.
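The delivery behaviour the abstract describes can be reproduced with a short audit sketch. This is an added example, not code from the paper: a plain `EventTarget` stands in for the hosting page's `window`, and the receiver names, the origin `https://idp.example` and the token value are constructed assumptions. It inventories every `message` receiver registered on the page and shows that an origin check inside one receiver does not keep the same message from reaching its neighbors.

```javascript
// Constructed stand-in for a cross-origin message delivered to the hosting page.
class FakeMessage extends Event {
  constructor(data, origin) {
    super('message');
    this.data = data;     // payload, as on a real MessageEvent
    this.origin = origin; // sender origin, as on a real MessageEvent
  }
}

// Defender-side audit: wrap addEventListener so that every 'message'
// receiver registered on the target is recorded by function name.
function inventoryMessageListeners(target) {
  const seen = [];
  const original = target.addEventListener.bind(target);
  target.addEventListener = (type, fn, opts) => {
    if (type === 'message') seen.push(fn.name || '(anonymous)');
    return original(type, fn, opts);
  };
  return seen;
}

function runDemo() {
  const page = new EventTarget(); // stands in for window (assumption)
  const registered = inventoryMessageListeners(page);
  const delivered = [];

  // Intended receiver: validates the sender origin before using the data.
  function loginWidgetReceiver(e) {
    if (e.origin !== 'https://idp.example') return;
    delivered.push('loginWidgetReceiver');
  }
  // Receiver added by an unrelated third-party script on the same page.
  // It is invoked with the very same event object.
  function thirdPartyReceiver(e) {
    delivered.push('thirdPartyReceiver');
  }

  page.addEventListener('message', loginWidgetReceiver);
  page.addEventListener('message', thirdPartyReceiver);
  page.dispatchEvent(
    new FakeMessage({ token: 'CONSTRUCTED-PLACEHOLDER' }, 'https://idp.example'));
  return { registered, delivered };
}
```

On a real page the same wrapper has to be installed before any third-party script runs, otherwise earlier registrations are missed.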