This page is designed to test the lazy loading attack. You can think of this as an average blog site with a scroll component. Scroll down slowly to see the images load.

Note that this is just a proof of concept, and many variables can be tweaked to make the attack more effective:

• Image size
• Image count
• Loading boundary distance
• The leader batch duration

Attack Pros

1. This attack does not require any script. All scripts present in this demo are strictly to help visualize the attack: One script connects a service worker to act like the adversary server, and other scripts helps with visualizing the attack parameters for the viewer.
2. This attack can be stealthy. Click this button to hide/show the attack boxes: Toggle Stealth We make the attack boxes invisible by lowering the opacity and allowing no events to pass through. This way, the attack can be hidden from the user.
3. The resources for the blocked URLs do not necessarily need to exist or load correctly.

Attack Cons

1. If the attack parameters are not well-tuned, the attack can be sensitive to the user's scrolling speed. We implement a simple time-window to distinguish between the blocked signals and the unblocked signals. However, more advanced attacks can perform a statistical test on the timings of the image requests to determine in which group they are.
2. Some resources might take some time to load which can slightly shift the signal element up. For this attack to work, the blocked resources should be fast to load. If not, the page should block scrolling until all resources are loaded.

Keep scrolling to see the images load.

Abit more scrolling...

Almost there, you can do it...