Local Storage on Steroids: Abusing Web Browsers for Hidden Content Storage and Distribution

  • Juan D. Parra Rodriguez
  • Joachim Posegga
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 255)


Analysing the security assumptions made for the WebRTC and postMessage APIs led us to find a novel attack abusing the browsers’ persistent storage capabilities. The presented attack can be executed without the website visitor’s knowledge, and it requires neither browser vulnerabilities nor additional software on the browser’s side. To exemplify this, we study how an attacker can use browsers to create a network for persistent storage and distribution of arbitrary data.

In our proof of concept, the total storage of the network, and therefore the space used within each browser, grows linearly with the number of origins delivering the malicious JavaScript code. Further, data transfers between browsers are not restricted by the Same Origin Policy, which allows for a unified cross-origin browser network, regardless of the origin from which the script executing the functionality is loaded.

In the course of our work, we assess the feasibility of a real-life deployment of the network by running experiments using Linux containers and browser automation tools. Moreover, we show how security mechanisms against third-party tracking, cross-site scripting and click-jacking can diminish the attack’s impact, or even prevent it.


Keywords: Web security, WebRTC, postMessage, Browser security, Content Security Policy



This research has been supported by the EU under the H2020 AGILE (Adaptive Gateways for dIverse muLtiple Environments), grant agreement number H2020-688088.



Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. University of Passau, Passau, Germany
