Researchers Exploit Cloud Browsers to do Anonymous, Large-Scale Computing

Researchers from two U.S. universities have created a way to anonymously use cloud-based Web browsers to perform large-scale computing tasks – a feat that also demonstrates how hackers might secretly harness massive computing power to launch attacks.

Using the MapReduce technique developed by Google to facilitate large-scale computations, researchers at North Carolina State University and the University of Oregon explored the computation and memory limits of four cloud browsers. They specifically focused on the viability of their MapReduce architecture, BMR, by implementing a client based on a reverse engineering of the Puffin cloud browser.

The team tested three canonical MapReduce applications — word count, distributed grep, and distributed sort — and determined the cloud browsers could be hijacked to run arbitrary free computing on a large scale.

Part of the testing involved storing large packets of data, up to 100 MB in size, among cloud browsers, using URL-shortening sites such as bit.ly to pass the resulting links between the various nodes, according to a published report. The researchers were then able to essentially trick the browsers and cloud service providers into doing different computations for them.

“It could have been much larger, but we did not want to be an undue burden on any of the free services we were using,” Dr. William Enck, an NC State assistant professor of computer science, said in a prepared statement.

“We’ve shown that this can be done,” he added. “And one of the broader ramifications of this is that it could be done anonymously. For instance, a third party could easily abuse these systems, taking the free computational power and using it to crack passwords.” Depending on the scale of the surreptitious job, the service providers may not even notice the siphoning is underway.

Enck added that one way to mitigate such a risk would be for cloud providers to require user accounts and establish parameters for usage.

The exploit is detailed in a paper, “Abusing Cloud-Based Browsers for Fun and Profit,” being presented next week at the Computer Security Applications Conference in Orlando, Fla.

 
