Technologies like WebAssembly (WASM), WebGPU, and IndexedDB have transformed what browsers can achieve. This evolution has expanded the functionality of browsers, massively evolving the use cases and experiences. However, this increased complexity also brings a significant cybersecurity concern: an enlarged attack surface.
To understand where we are today, let’s take a trip down memory lane.
Remember when you needed Flash Player to view rich multimedia content on websites? Adobe Flash was revolutionary for its time, enabling animations, games, and interactive applications. But, it was also notorious for its security vulnerabilities and frequent updates.
For example, in 2015, the controversial company Hacking Team leak revealed multiple zero-day vulnerabilities in Flash Player that were used to target users across the globe. These exploits allowed attackers to execute arbitrary code on users' machines, leading to potential data theft, malware installation, and more. The advent of HTML5 and JavaScript marked the beginning of the end for Flash, providing more secure and versatile ways to create interactive web content.
Java applets were also plagued with security vulnerabilities. One significant breach occurred in 2012, when a zero-day vulnerability in Java SE 7 was discovered and quickly exploited in the wild. This exploit allowed attackers to bypass security restrictions and execute arbitrary code on the affected systems, leading to widespread malware infections. The cumbersome update process and the rise of more secure and efficient web technologies like HTML5, CSS3, and modern JavaScript frameworks led to the gradual decline of Java applets.
Microsoft Silverlight is another example from 2016. The CVE-2016-0034 vulnerability in Silverlight, found via leaked Hacking Team data. This zero-day exploit, traded by a Russian hacker, could bypass protections in IE and Firefox.
A final example comes from Adobe in 2012, where an exploit was discovered that was capable of compromising the security of computers running Adobe X and XI (Adobe Reader 10 and 11). This vulnerability allowed attackers to sidestep Reader’s sandbox protection.
This is a tale as old as time. With new progress, come new issues.
New browser vulnerabilities:
WASM (WebAssembly)
WASM allows high-performance applications to run in the browser, enabling tasks like 3D rendering and complex computations. This is great for creating more interactive and visually appealing web applications
However, in 2018, researchers demonstrated how WebAssembly could be used to create highly efficient cryptojacking malware that mined cryptocurrency using the victim's CPU resources.
An example is when the CoinHive script, which mines cryptocurrency, was inserted into the BrowseAloud service. This caused the script to run on the computers of thousands of visitors without their knowledge. Because of WebAssembly, the script operated smoothly and secretly, using the visitors' devices to mine cryptocurrency.
In 2021, another vulnerability in WASM was found. It allowed for a stack overflow by manipulating the stack size tracking in the Low-Level Interpreter (LLInt). By crafting a WebAssembly function to perform numerous push operations, an integer overflow was induced, leading to remote code execution. This exploit, demonstrated at Pwn2Own 2021, leveraged memory leaks and a Return-Oriented Programming (ROP) chain to achieve arbitrary code execution. The issue was patched in Safari 14.1.1 (CVE-2021-30734).
WebGPU
WebGPU offers high-level graphics features. It lets developers tap into GPU strength right from the browser. This is great for creating detailed graphics apps and games straight in the browser.
This again, opened a new path for attacks. In 2022, a vulnerability occured when a specially crafted web page triggered a use-after-free condition, potentially allowing an attacker to execute arbitrary code. Cisco Talos coordinated with Google to ensure the issue was patched in Chrome versions 102.0.4956.0 and 99.0.4844.82.
In April of 2024, scientists from Graz University and University of Rennes showed that WebGPU could be attacked. They filled the cache with their own code using JavaScript and WebGPU and they then watched when their data was removed from the cache by being input. This method allowed them to quickly and accurately analyze keystrokes. They could also get keys used for GPU-based AES encryption. This attack could even secretly send data out at speeds up to 10 Kb/s.
IndexedDB
IndexedDB is a low-level API for storing large amounts of structured data, enabling complex offline applications. This technology supports advanced web applications that need to function offline, such as progressive web apps (PWAs).
But again, the increased data storage capability also means more sensitive data could be at risk.
For instance, in 2022, a vulnerability in Safari 15's IndexedDB implementation allowed any website to track a user’s internet activity and potentially reveal their identity. The problem came up because of a rule breach. The rule says that database names should be kept separate, but they were shared across different websites, letting these websites see what other sites were visited in the same browser session.
Apple addressed the issue within a week in the macOS Monterey 12.2 and iOS 15.3 updates.
Can c/side protect you in these cases?
At c/side, we safeguard your sites against harmful or compromised third-party scripts. By placing our script above all others, we proxy them through our detection engine and autonomously filter out any potential problems. You get complete visibility into what the code is doing, including potential threats. Additionally, we often optimize the scripts to run faster.
But can we help against the cases mentioned above?
It goes without saying that detection systems require continuous updates to identify entirely new variations or methods of hiding information. Important to know is that we preserve the requested code, enabling us to provide you with the necessary data to determine what went wrong, regardless of whether we identified the issue or not.
That being said, here’s how we can protect you today from the above mentioned attacks:
WASM (WebAssembly): c/side monitors and controls the execution of third-party scripts. WASM specific monitoring is on the roadmap to be added later and is becoming an increasingly dangerous attack surface.
WebGPU: we can track and analyze script behavior and resource usage, including GPU access patterns, to detect anomalies indicative of side-channel attacks. By identifying suspicious activity before the browser renders the script, c/side can block or flag potentially malicious scripts before they can exploit, also including GPU resources.
IndexedDB: we monitor the full code, which includes any calls to sensitive APIs like IndexedDB.
Other best practices:
-
Regular Updates: Keep all installed tools up to date to ensure you have the latest security patches. Remove any unused scripts.
-
Web Application Firewalls (WAF): Implement WAFs to add an extra layer of security, protecting web applications from a variety of attacks.
-
Educate Users: If possible, train users about the risks of phishing and social engineering attacks, which can lead to compromised security.
-
Reduce 3rd party script: only important those that are crucial and have a clear plan on which pages such scripts should haves access.
-
Employ Multi-Factor Authentication (MFA): Use MFA to add an extra layer of security to user and admin accounts, making unauthorized access more difficult.
-
Content Security Policy (CSP): Implement CSP to prevent cross-site scripting (XSS) attacks by controlling which resources the browser is allowed to load. Remember that CSPs have some significant limitations on their own, which we wrote more about here.
What does the future of the browser look like?
Browsers will continue to evolve. One might half-jokingly argue that everything is turning into a browser, given the trend of mobile apps transforming into Progressive Web Apps (A detailed article on this topic is currently in progress). PWAs will become more seamless, offering a native app-like experience across all devices. Also the further integration of AI and improvements in privacy and online identity will continue to shape our browsers.
Rest assured, we are developing for the future and are continuously improving our services and detection engines to cover a larger area of the client-side security space.
You can get started and secure your site(s) for free, upgrading to access more features as you please. You can monitor our change log to see updates and future potential developments.
If you wish to speak to our support team about any specific issue or concern, you can do so here.