SMBs beware: Researchers uncover cloud browser vulnerability

The result is the ability to perform large-scale computing tasks anonymously through the browsers themselves – opening a vector to malicious activity.

“We’ve shown that this can be done,” noted William Enck, an assistant professor of computer science at NC State and co-author of the paper. “And one of the broader ramifications of this is that it could be done anonymously. For instance, a third party could easily abuse these systems, taking the free computational power and using it to crack passwords.”

The finding could have potentially far-reaching ramifications. Cloud services have become a cheap and popular means of computing, but they’ve also become widespread in response to the surge of smartphones and mobile devices, researchers noted. The browsers create an interface for computing to be done in the cloud rather than on a user’s machine, saving processing power. That’s particularly useful in mobile devices, where horsepower is limited. Several cloud-based web browsers have thus become commercially available.

“Think of a cloud browser as being just like the browser on your desktop computer, but working entirely in the cloud and providing only the resulting image to your screen,” said Enck.

IBM’s blog for midsized business computing points out that this represents a particular threat to SMBs. “Small and midsize businesses are increasingly turning to the cloud to help improve their IT infrastructure,” writes Marissa Tejada. “For smaller companies, the cloud is a strategic part of day-to-day business applications and commercial web sites. Meanwhile, social networks provide easy and effective collaboration, communication, and customer service.”

But the new research shows that these necessary tools also leave smaller businesses open to a growing list of risks. “Meanwhile, hackers are turning to cloud computing and social media as an easier, cheaper alternative to botnets,” she said. “This way, hackers can access smaller companies as prime accessible, inexpensive targets for their malicious intent.”

Because these cloud browsers are designed to perform complex functions, the researchers wanted to see if they could be used to perform a series of large-scale computations that had nothing to do with browsing, using the MapReduce technique developed by Google. MapReduce facilitates coordinated computation involving parallel efforts by multiple machines.

The research team knew that coordinating any new series of computations would entail passing large packets of data between different nodes, or cloud browsers. To address this challenge, researchers stored data packets on and other URL-shortening sites, and then passed the resulting “links” between various nodes.

Using this technique, the researchers were able to perform standard computation functions using data packets that were 1, 10 and 100 megabytes in size. “It could have been much larger,” Enck says, “but we did not want to be an undue burden on any of the free services we were using.”

That anonymous, large-scale capability could be used with ill intent to perform any number of attacks on cloud browser users. However, Enck says cloud browsers can protect themselves to some extent by requiring users to create accounts – and then putting limits on how those accounts are used. This would make it easier to detect potential problems.
