
Your smartphone browser: A ZOMBIE in password-crunching botnet

It could happen: Comp sci boffins on how to abuse cloud-based web browsers


Computer scientists in the US have discovered a potential means to abuse cloud-based web browsers.

Cloud-based web browsers such as Amazon Silk on the Kindle Fire feature a split architecture that means some processing associated with rendering web-pages is offloaded onto server farms in the cloud. Some smartphone browsers, particularly Opera Mini, adopt a similar model, as does web browsing from thin clients running Citrix. This is a different architecture from conventional desktop browsers such as Chrome, IE or Safari on desktop PCs and tablets.

However, security researchers from North Carolina State University and the University of Oregon have found a way to exploit "cloud browser" services, using the Puffin and Cloud Browse apps that are available for Android and iOS.

Cloud browsers are designed to perform complex functions, so the researchers investigated whether they could be used to perform number-crunching functions that had nothing to do with browsing. Specifically, the researchers wanted to determine if they could perform those functions using the "MapReduce" technique developed by Google, which facilitates parallel computing.

Making this work would have to involve passing large packets of data between different nodes, a potential stumbling block. However, by using bit.ly and other URL-shortening sites, and then passing the resulting "links" between various nodes, the compsec boffins were able to get around this problem.

The researchers were able to perform standard computation functions using data packets that were one, 10 and 100 megabytes in size. "They could have been much larger," explained Dr William Enck, an assistant professor of computer science at NC State, "but we did not want to be an undue burden on any of the free services we were using."

This sort of number-crunching power could be applied to benign projects such as SETI but could equally be applied to more potentially problematic schemes, such as password-cracking.

"We’ve shown that this can be done," Enck adds. "And one of the broader ramifications of this is that it could be done anonymously. For instance, a third party could easily abuse these systems, taking the free computational power and us[ing] it to crack passwords."

Cloud browsers can protect themselves to some extent by requiring users to create accounts – and then putting limits on how those accounts are used. This would make it easier to detect potential problems.
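The account-and-limits defence mentioned above is easy to sketch. The following is an added example, not code from the article, the researchers or any cloud-browser vendor: it treats each rendering job as a log record per account and flags an account that exceeds a job-rate quota, a payload-volume quota, or routes an unusual share of its jobs through URL shorteners (the data-passing trick the researchers describe). The log format, field names, thresholds, shortener list and sample lines are all assumptions constructed for illustration.

```python
"""Added example (not from the article or the paper): a defender-side quota
check for a cloud-browser rendering service.

Each rendering job is logged per account; an account is flagged when, within
a sliding window, it exceeds a job-rate quota, a payload-volume quota, or
submits an unusual fraction of shortened-link URLs. All field names,
thresholds and log lines are assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

# Quotas per account within a sliding window (constructed thresholds).
WINDOW_SECONDS = 60
MAX_JOBS_PER_WINDOW = 20
MAX_BYTES_PER_WINDOW = 5 * 1024 * 1024   # 5 MB of fetched content per window
MAX_SHORTLINK_RATIO = 0.5                # fraction of jobs whose URL is a shortener
MIN_JOBS_FOR_RATIO = 5                   # avoid flagging on a handful of jobs

# Hosts treated as URL shorteners (illustrative list, bit.ly is named in the article).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl"}


@dataclass
class JobRecord:
    ts: int          # seconds since some epoch
    account: str
    url: str
    nbytes: int      # bytes fetched/rendered for this job


def parse_line(line: str) -> JobRecord:
    """Parse one constructed log line of the form
    'ts=<int> account=<id> url=<url> bytes=<int>' (assumed format)."""
    fields = dict(token.split("=", 1) for token in line.split())
    return JobRecord(int(fields["ts"]), fields["account"], fields["url"], int(fields["bytes"]))


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL (no library, keeps it offline-simple)."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


class QuotaMonitor:
    """Keeps a sliding window of recent jobs per account and reports violations."""

    def __init__(self) -> None:
        self.windows: dict[str, deque[JobRecord]] = defaultdict(deque)

    def observe(self, rec: JobRecord) -> list[str]:
        window = self.windows[rec.account]
        window.append(rec)
        # Drop jobs that have fallen out of the window.
        while window and rec.ts - window[0].ts >= WINDOW_SECONDS:
            window.popleft()
        reasons = []
        if len(window) > MAX_JOBS_PER_WINDOW:
            reasons.append("job-rate")
        if sum(j.nbytes for j in window) > MAX_BYTES_PER_WINDOW:
            reasons.append("payload-volume")
        short = sum(1 for j in window if host_of(j.url) in SHORTENER_HOSTS)
        if len(window) >= MIN_JOBS_FOR_RATIO and short / len(window) > MAX_SHORTLINK_RATIO:
            reasons.append("shortlink-ratio")
        return reasons


def scan(lines) -> dict[str, set[str]]:
    """Run the monitor over log lines; return {account: set of violation reasons}."""
    mon = QuotaMonitor()
    flagged: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        for reason in mon.observe(rec):
            flagged[rec.account].add(reason)
    return dict(flagged)


def sample_log() -> list[str]:
    """Constructed log: one ordinary user, and one account hammering the
    renderer with 1 MB jobs routed through a shortener, 30 of them in 30 s."""
    lines = [
        "ts=0 account=user-a url=https://example.org/news bytes=120000",
        "ts=15 account=user-a url=https://example.org/sports bytes=95000",
        "ts=40 account=user-a url=https://bit.ly/abc123 bytes=80000",
    ]
    for i in range(30):
        lines.append(f"ts={i} account=acct-x url=https://bit.ly/job{i} bytes=1048576")
    return lines


if __name__ == "__main__":
    for account, reasons in scan(sample_log()).items():
        print(account, sorted(reasons))
```

Running the script flags only `acct-x`, for all three reasons, while `user-a` stays clean: one shortened link among three small jobs is normal browsing. The point of the window-based design is that the check works per account, which is exactly what the article says anonymous, account-less services cannot do.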

Enck said that malware need not necessarily be involved in all this.

"Our proof-of-concept framework does not require the users doing anything," he told El Reg. "Instead, we reverse-engineer the protocol that is used between the client and the cloud browser server.

"We can then start new rendering jobs from any computer that we already have control of. There is no need for it to be a smartphone or mobile device," he added.

A paper (abstract below) by the researchers, Abusing Cloud-Based Browsers for Fun and Profit, is due to be presented at the 2012 Annual Computer Security Applications Conference in Orlando, Florida on 6 December.

Cloud services have become a cheap and popular means of computing. They allow users to synchronize data between devices and relieve low-powered devices from heavy computations. In response to the surge of smartphones and mobile devices, several cloud-based web browsers have become commercially available.

These "cloud browsers" assemble and render web pages within the cloud, executing JavaScript code for the mobile client.

This paper explores how the computational abilities of cloud browsers may be exploited through a Browser MapReduce (BMR) architecture for executing large, parallel tasks. We explore the computation and memory limits of four cloud browsers, and demonstrate the viability of BMR by implementing a client based on a reverse engineering of the Puffin cloud browser.

We implement and test three canonical MapReduce applications (word count, distributed grep, and distributed sort). While we perform experiments on relatively small amounts of data (100MB) for ethical considerations, our results strongly suggest that current cloud browsers are a viable source of arbitrary free computing at large scale.

The paper was co-authored by Vasant Tendulkar and Ashwin Shashidharan, graduate students at North Carolina State, and Joe Pletcher, Ryan Snyder and Dr Kevin Butler, of the University of Oregon. The research project was supported by the National Science Foundation and the US Army Research Office.
