{"title":"Privacy Breach by Exploiting postMessage in HTML5: Identification, Evaluation, and Countermeasure","authors":"Chong Guan, Kun Sun, Zhan Wang, W. Zhu","doi":"10.1145/2897845.2897901","DOIUrl":null,"url":null,"PeriodicalId":166633,"journal":{"name":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","volume":"11 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2897845.2897901","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 12
Abstract
The postMessage mechanism in HTML5 enables different webpage origins to exchange information and communicate. It has become increasingly popular among websites that need to import content from third-party services, such as advertisements and preferable recommendations. Ideally, a receiver function should be implemented locally in the hosting page that needs to receive third-party messages. However, in the real world, the receiver function is usually provided by a third-party service provider, and the function code is imported via the HTML "script" tag, so the imported code is deemed to be from the same origin as the hosting page. When a site uses multiple third-party services, all the receiver functions imported by the hosting page can receive messages from any third-party provider. Based on this observation, we identify a new information leakage threat, named the DangerNeighbor attack, that allows a malicious service to eavesdrop on messages sent from other services to the hosting page. We study 5000 popular websites and find that the DangerNeighbor attack is a real threat to the sites adopting the postMessage mechanism. To defeat this attack, we propose an easily deployable approach to protect messages from being eavesdropped on by a malicious provider. In this approach, the site owner simply imports a piece of JavaScript code and specifies a mapping table in which messages from different origins are associated with their corresponding receiver functions. The approach, which is transparent to the providers, ensures that a receiver function only receives messages from a specific origin.
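The mapping-table idea from the abstract, as an added sketch that is not the paper's code: shared listeners let every imported receiver see every message, while a single dispatcher keyed on the exact `event.origin` delivers each message to one receiver only. The function names, the example origins and the plain `{origin, data}` event objects are assumptions, and the sketch covers only the routing step, assuming imported receivers are reached solely through the dispatcher.

```javascript
'use strict';

// Build one dispatcher from a site-owner mapping table: origin -> receiver.
// createOriginDispatcher is a hypothetical name, not an API from the paper.
function createOriginDispatcher(mappingTable) {
  const table = new Map(Object.entries(mappingTable));
  return function dispatch(event) {
    // Exact string match on the browser-supplied origin: no prefix or regex match.
    const receiver = table.get(event.origin);
    if (typeof receiver !== 'function') return false; // unmapped origin: drop
    receiver(event);
    return true;
  };
}

// Constructed stand-in for a third-party receiver imported via a script tag.
function makeReceiver(log, name) {
  return (event) => log.push(`${name} got ${event.data} from ${event.origin}`);
}

function demo() {
  // Constructed sample messages (origins and payloads are made up).
  const events = [
    { origin: 'https://ads.example', data: 'ad-profile' },
    { origin: 'https://recs.example', data: 'viewing-history' },
    { origin: 'https://unknown.example', data: 'probe' },
  ];

  // Before: each imported receiver is its own 'message' listener,
  // so every receiver observes every provider's messages.
  const shared = [];
  const listeners = [makeReceiver(shared, 'ads'), makeReceiver(shared, 'recs')];
  for (const e of events) listeners.forEach((fn) => fn(e));

  // After: one listener that routes by the mapping table.
  const routed = [];
  const dispatch = createOriginDispatcher({
    'https://ads.example': makeReceiver(routed, 'ads'),
    'https://recs.example': makeReceiver(routed, 'recs'),
  });
  const accepted = events.map(dispatch);
  return { shared, routed, accepted };
}

// In a page the dispatcher would be the only listener:
//   window.addEventListener('message', dispatch);
console.log(demo());
```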