One of the reasons I like reading security research papers is those Aha! moments they bring. Here is my recent favorite: a team of university researchers has published their work named “Abusing Cloud-Based Browsers for Fun and Profit”. It surely is worth attention. I mean, how often do you see “for fun” in academic papers?? Let’s take a look at the technical content.

What is a cloud-based browser? Basically it is software as a service that takes an Internet URL, loads and renders the web page content, and presents it to the end user in a lightweight, optimized form. Mainly targeted at mobile users, such services shift all computational heavy-lifting to powerful dedicated servers, resulting in improved user experience in the mobile browser. In other words, you command the cloud service to load the sites you want, and it will do so, including images, Flash and Javascript components.

And here’s the key: if one’s a hacker with bad intentions, she may craft a malicious web page, and direct the cloud-based browser to it. The malicious Javascript will be executed in the browser, but not in the hacker’s one. Aha! Effectively, by manipulating the malicious page, an attacker will be able to limitedly control this remote computing resource residing in the public cloud. And if she is able to automate it and circumvent some of the restrictions imposed by the service, then it becomes possible to build a botnet made of cloud browsers – easy, and free. Such bots will be limited in what they can do, compared to “traditional” botnets – web sessions expire, pages are subject to same origin policy; browser engines utilize security sandboxing. There are CPU, memory and bandwidth quotas. But even with these limited resources the botnet may be good enough to mount a DDoS attack or run a distributed password cracking calculation. Or even compete with Amazon’s Elastic Map Reduce, as researchers have demonstrated in the paper (I recommend reading the full original).

This attack is classified as a form of parasitic computing – exploiting of someone else’s processing resources. Software companies building their cloud services should design them with security in mind and be ready for “pest control” in their infrastructure. Of course no architecture is perfect, especially as we see more researchers getting progressively interested in all about the cloud. Expect more to come.