
Vulnerability Analysis of Web Push Implementations in the Wild

Alberto Carboneri

Vulnerability Analysis of Web Push Implementations in the Wild.

Rel. Cataldo Basile. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2023

PDF (Tesi_di_laurea) - Thesis
Restricted to: Repository staff only until 28 July 2024 (embargo date).
License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

Web push is a novel technology, supported by all major browsers, which has gained significant traction in the developer community thanks to its ability to engage users efficiently and anonymously. However, security researchers have yet to properly investigate the possible threats arising from its improper use. In this thesis, we explore the capabilities and features of web push, report common usage patterns found in the wild, including an analysis of the inner workings of most third-party providers, and present a security analysis of such implementations. We demonstrate a novel history-sniffing attack abusing a common implementation mistake, and a dangerous use case of the well-known CSRF vulnerability. We conduct and report the results of the first large-scale measurement aimed at identifying the prevalence of this technology and the related vulnerabilities on the web. The result of this measurement is also used to quantify the presence of a common negative pattern in which websites aggressively ask the user for permission to use web push. Furthermore, we analyze the complexity of efficiently and correctly implementing personalized web push notifications and report design issues we found on Twitter. We propose a theoretical system that corrects those mistakes and better handles all scenarios. Finally, we present some straightforward countermeasures and good practices to effectively fix the reported vulnerabilities and make the technology safer. Overall, this work is intended to highlight the dangers of developing and implementing new technology without considering the security implications, and to shine a light on some of the vulnerabilities present in implementations in the wild, possibly leading to greater interest from the security community and further research on this and related subjects.

Relators: Cataldo Basile
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 49
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Co-supervising institution: UNIVERSITY OF ILLINOIS AT CHICAGO (STATI UNITI D'AMERICA)
Collaborating companies: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/27645