Attacking Browser Sandbox: Live Persistently and Prosperously

Presented at Black Hat Asia 2019, March 29, 2019, 10:15 a.m. (60 minutes)

The Sandbox technique has been widely adopted in almost all web browsers and is proven effective for attack mitigation. With the consistent increase of new features in sandbox policy, it has become almost too much of an effort for attackers to exploit. In this presentation, we will discuss how to stay and attack sandbox persistently, even permanently, and how to conduct many unexpected fancy attacks without breaking sandbox's policies.

First, we propose a new attack vector and demonstrate it in real world -- living in sandbox persistently even permanently. We found that evil codes in sandbox can survive after the tab closing by some tricks. Additionally, we researched the mechanism of browser cache, and succeeded in gaining persistence even after browser or device restart. To achieve a permanent attack, we proposed a mind-blowing attack vector called "Clone Attack", through which attackers can clone victims' accounts remotely to achieve long-term control by exploiting the cross-domain vulnerabilities of misconfigured webview.

Surprisingly, we found that many evil things can still be conducted without breaking sandbox but beyond its expectation, such as Credentials Stealing, Lateral Movement and even Side Channel Attack. We did comprehensive research about various sandboxes and summarized all the features, attack vectors and what we can do inside sandboxes of both standalone browsers such as Chrome, Edge, Firefox and Webview in Android, iOS, etc.

By combining these parts, we confirm that many fancy attacks can still be accomplished inside the sandbox and it is difficult, even impossible, to prevent them entirely. Sandbox is the best choice but we should be aware of that it is not the silver bullet for your security.


  • Yongke Wang - Security Researcher, Tencent Security Xuanwu Lab
    Yongke Wang is a security researcher from Tencent's Xuanwu Lab. He focuses on Android security, he and his partner have found an attack method, named "APP Clone Attack", through which they can attack tens of apps remotely. He is also an Android bug hunter, he has got nearly 20 CVEs since 2016.
  • Huiming Liu - Security Researcher, Tencent Security Xuanwu Lab
    Huiming Liu is a security researcher at Tencent Security Xuanwu Lab and his research focuses on Mobile Security and IOT Security. Huiming has spoken at several security conferences including CanSecWest and BlackHat Asia.
  • Bin Ma - , Tencent
    Bin Ma is a security researcher in Xuanwu Lab of Tencent. His research focus on system security and application security especially on mobile platform and he has found many popular Apps which affected by Clone Vulnerability. Additionally, Bin received media coverage widely and, some of his research has been accepted by conferences including RAID, IEEE S&P earlier. He is also interested in reverse engineering and browser security.


Similar Presentations: