Original URL: http://www.theregister.co.uk/2012/11/30/cloud_based_web_browser_exploits/

Your smartphone browser: A ZOMBIE in password-crunching botnet

It could happen: Comp sci boffins on how to abuse cloud-based web browsers

By John Leyden

Posted in Security, 30th November 2012 17:32 GMT

Computer scientists in the US have discovered a potential means to abuse cloud-based web browsers.

Cloud-based web browsers such as Amazon Silk on the Kindle Fire feature a split architecture that means some processing associated with rendering web-pages is offloaded onto server farms in the cloud. Some smartphone browsers, particularly Opera Mini, adopt a similar model, as does web browsing from thin clients running Citrix. This is a different architecture from conventional desktop browsers such as Chrome, IE or Safari on desktop PCs and tablets.

However, security researchers from North Carolina State University and the University of Oregon have found a way to exploit "cloud browser" services, using the Puffin and Cloud Browse apps that are available for Android and iOS.

Cloud browsers are designed to perform complex functions, so the researchers investigated whether they could be used to perform number-crunching functions that had nothing to do with browsing. Specifically, the researchers wanted to determine if they could perform those functions using the "MapReduce" technique developed by Google, which facilitates parallel computing.

Making this work would have to involve passing large packets of data between different nodes, a potential stumbling block. However, by using bit.ly and other URL-shortening sites, and then passing the resulting "links" between various nodes, the compsec boffins were able to get around this problem.

The researchers were able to perform standard computation functions using data packets that were one, 10 and 100 megabytes in size. "They could have been much larger," explained Dr William Enck, an assistant professor of computer science at NC State, "but we did not want to be an undue burden on any of the free services we were using."

This sort of number-crunching power could be applied to benign projects such as SETI but could equally be applied to more potentially problematic schemes, such as password-cracking.

"We’ve shown that this can be done," Enck adds. "And one of the broader ramifications of this is that it could be done anonymously. For instance, a third party could easily abuse these systems, taking the free computational power and us[ing] it to crack passwords."

Cloud browsers can protect themselves to some extent by requiring users to create accounts – and then putting limits on how those accounts are used. This would make it easier to detect potential problems.

Enck said that malware need not necessarily be involved in all this.

"Our proof-of-concept framework does not require the users doing anything," he told El Reg. "Instead, we reverse-engineer the protocol that is used between the client and the cloud browser server.

"We can then start new rendering jobs from any computer that we already have control of. There is no need for it to be a smartphone or mobile device," he added.

A paper (abstract below) by the researchers, Abusing Cloud-Based Browsers for Fun and Profit, is due to be presented at the 2012 Annual Computer Security Applications Conference in Orlando, Florida on 6 December.

Cloud services have become a cheap and popular means of computing. They allow users to synchronize data between devices and relieve low-powered devices from heavy computations. In response to the surge of smartphones and mobile devices, several cloud-based web browsers have become commercially available.

These "cloud browsers" assemble and render web pages within the cloud, executing JavaScript code for the mobile client.

This paper explores how the computational abilities of cloud browsers may be exploited through a Browser MapReduce (BMR) architecture for executing large, parallel tasks. We explore the computation and memory limits of four cloud browsers, and demonstrate the viability of BMR by implementing a client based on a reverse engineering of the Puffin cloud browser.

We implement and test three canonical MapReduce applications (word count, distributed grep, and distributed sort). While we perform experiments on relatively small amounts of data (100MB) for ethical considerations, our results strongly suggest that current cloud browsers are a viable source of arbitrary free computing at large scale.

The paper was co-authored by Vasant Tendulkar and Ashwin Shashidharan, graduate students at North Carolina State, and Joe Pletcher, Ryan Snyder and Dr Kevin Butler, of the University of Oregon. The research project was supported by the National Science Foundation and the US Army Research Office. ®