If you still think webmail is boring, let me tell you about Roundcube.
One morning, someone logs into their inbox. They click an invoice.
It looks routine. Behind the scenes, nothing is routine.
The browser loads a tiny script.
No download.
No popup.
Just a whisper.
That script plants a Service Worker. Think of it like a silent parasite living in your browser. It doesn’t care what tab you’re on.
It listens.
It waits.
And when you type your password again, maybe days later, it catches it.
This is not theoretical.
CERT Polska just reported it. State-backed crew. UNC1151.
Real attack. Real payload. Real inboxes.
The scary part isn’t that this happened.
It’s how quietly it can happen again.
Because the web is full of tools that were never meant to be zero trust. They assume the browser is safe. The session is clean. The user is in control.
But once a Service Worker gets in, it doesn’t need admin rights. It doesn’t need persistence at the OS level. It doesn’t even need to ask. It just stays.
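What a defender can do about a Service Worker that has already taken up residence is, at minimum, look for it and evict it. The snippet below is an added example, not code from the post, from CERT Polska or from the Roundcube project: it lists the registrations a browser holds for the current origin, compares each one against an allowlist of the scope and script URL the application actually ships, and unregisters anything else. The allowlist entries, the origin `mail.example.com` and the sample registrations are constructed placeholders, not real Roundcube paths.

```javascript
// Added example (not from the original post or from Roundcube): audit the
// Service Worker registrations a browser holds for this origin and remove
// any that are not on the application's allowlist.

// Constructed allowlist: the single worker the webmail app legitimately
// registers. Replace with the real scope/script pair of your deployment.
const ALLOWED_WORKERS = [
  { scope: "https://mail.example.com/", scriptURL: "https://mail.example.com/sw.js" },
];

// Script URL of whichever worker a registration currently holds
// (active, waiting to activate, or still installing).
function scriptUrlOf(registration) {
  const worker = registration.active || registration.waiting || registration.installing;
  return worker ? worker.scriptURL : null;
}

// Pure policy check over registration-like objects ({scope, active|waiting|installing}).
// Returns the registrations whose scope/script pair is not on the allowlist.
function findUnexpectedWorkers(registrations, allowlist = ALLOWED_WORKERS) {
  const unexpected = [];
  for (const reg of registrations) {
    const scriptURL = scriptUrlOf(reg);
    const allowed = allowlist.some(
      (entry) => entry.scope === reg.scope && entry.scriptURL === scriptURL
    );
    if (!allowed) {
      unexpected.push({ scope: reg.scope, scriptURL });
    }
  }
  return unexpected;
}

// Runtime audit for the browser: enumerate registrations through the real
// navigator.serviceWorker API, unregister the unexpected ones and return a
// report. Outside a browser (e.g. Node) it reports the API as unsupported.
async function auditServiceWorkers(allowlist = ALLOWED_WORKERS) {
  if (typeof navigator === "undefined" || !navigator.serviceWorker) {
    return { supported: false, removed: [] };
  }
  const registrations = await navigator.serviceWorker.getRegistrations();
  const unexpected = findUnexpectedWorkers(registrations, allowlist);
  const removed = [];
  for (const reg of registrations) {
    const scriptURL = scriptUrlOf(reg);
    const flagged = unexpected.some(
      (u) => u.scope === reg.scope && u.scriptURL === scriptURL
    );
    if (flagged && (await reg.unregister())) {
      removed.push({ scope: reg.scope, scriptURL });
    }
  }
  return { supported: true, removed };
}

// Constructed sample data standing in for what getRegistrations() returns:
// the legitimate worker plus one registered from an unrelated same-origin path.
const SAMPLE_REGISTRATIONS = [
  { scope: "https://mail.example.com/", active: { scriptURL: "https://mail.example.com/sw.js" } },
  { scope: "https://mail.example.com/skins/", active: { scriptURL: "https://mail.example.com/skins/ext/worker.js" } },
];

// Offline demonstration on the constructed data.
console.log(findUnexpectedWorkers(SAMPLE_REGISTRATIONS));
```

Two caveats worth knowing when you run this. A Service Worker can only be registered by same-origin script for a same-origin scope, so the audit assumes the page running it is itself trustworthy; it will not help if the injected script runs first and re-registers. On the server side, a `Content-Security-Policy` header with a `worker-src` directive limits where worker scripts may be loaded from, and a `Clear-Site-Data: "storage"` response header makes the browser drop the origin's Service Worker registrations outright, which is a simpler way to evict a worker during incident cleanup than a page-side script.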
I’m not here to tell you to patch your Roundcube. I hope you already did.
I’m here to remind you the browser is the new endpoint.
And every inbox is now a threat surface.
If you’re building, shipping, or selling anything web-based, start thinking like the attacker.
Because they’re already one click ahead.