I've been reading about service workers to use some of its features for my app to be more fast and reliable. While I got excited as I see through the possibilities of service workers and persistant storage enabline webapp to have all native app capabilities, I also had this thought.
What if someone who wants to make a botnet? They just send their website link to some users, that's all, service workers get installed in a number of browsers all across the world. Now the site owner can do many things with this bot net like making a ddos attack, crypto mining etc. I think it might even make it easier for a hacker trying to exploit some browser vulnerability.
Am I missing something?
The web and browser security models have a number of measures in place to prevent or limit abuse.
1) Cross-Origin Resource Sharing (CORS) is a web security feature that limits or makes it difficult for websites/service workers to DDOS attacks on other domains.
2) Service workers have a maximum runtime of five minutes (in Chrome but other browsers should have similar limits). After five minutes the SW will be killed and the user will have to trigger an event before the service worker will be reactivated.
3) Most browsers use Safe Browsing to block access to malicious sites so it would be quick to disable globally.
This all assumes that "They just send their website link to some users" is easy to pull off. Email spam filters are really good these days and SMS is expensive so getting a PWA to a large number of user would be difficult.