New research highlights flaws in cloud-based browsers

News Rene Millman Nov 29, 2012

Vulnerability could be used by criminals to steal cloud computing power.

Researchers have identified a way hackers could use a vulnerability in cloud-based web browsers to steal cloud computing resources.

The exploit was unmasked by scientists from North Carolina State University and the University of Oregon in the US. the flaw centres on cloud browsers, which create a web interface in the cloud so that computing is done there rather than on a user’s machine. This is particularly useful for mobile devices, such as smartphones, which have limited computing power.

Because these cloud browsers are designed to perform complex functions, the researchers wanted to see if they could be used to perform a series of large-scale computations that had nothing to do with browsing. Specifically, the researchers wanted to determine if they could perform those functions using the “MapReduce” technique developed by Google, which facilitates coordinated computation involving parallel efforts by multiple machines.

The research team knew that coordinating any new series of computations would entail passing large packets of data between different nodes, or cloud browsers. To address this challenge, researchers stored data packets on bit.ly and other URL-shortening sites, and then passed the resulting “links” between various nodes.

Using this technique, the researchers were able to perform standard computation functions using data packets that were 1, 10 and 100 megabytes in size. “It could have been much larger,” said Dr. William Enck, an assistant professor of computer science at NC State and co-author of a paper describing the research., “but we did not want to be an undue burden on any of the free services we were using.”

“We’ve shown that this can be done,” said Enck. “And one of the broader ramifications of this is that it could be done anonymously. For instance, a third party could easily abuse these systems, taking the free computational power and using it to crack passwords.”

However, Enck said cloud browsers can protect themselves to some extent by requiring users to create accounts – and then putting limits on how those accounts are used. This would make it easier to detect potential problems.

A paper outlining the techniques used to exploit cloud-based browsers will be presented at the  2012 Annual Computer Security Applications Conference in Orlando on 6th December.