Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

While attending the Black Hat DC computer-security conference in Washington, DC, this week, I got the opportunity to talk with Matthew Flick (principal researcher at FYRM Associates) and Jeff Yestrumskas (senior manager of information security at Cvent) about a “cross-site-scripting anonymous browser” they have created.

The tool hijacks a legitimate Web-browsing session and uses it to collect material for the attacker’s Web-browsing session. The idea is that the attacker can mask his identity behind a legion of random, distributed requests.

Other tools do a similar job. For example, Tor is a very sophisticated tool for protecting your identity while browsing. It uses bandwidth and computing resources donated by volunteers to create a circuitous route between the user and the site that she’s browsing. Flick and Yestrumskas freely admit that their tool is no replacement for Tor, but they were fascinated by the idea of building a tool that protects anonymity using unwilling participants instead of volunteers.

What I found most interesting was listening to them describe the technical difficulties that they had to overcome in order to put together a working demo. Their tool relies on cross-site scripting, which is a vulnerability common to Web applications that allows an attacker to inject his own code into Web pages. When other users view the compromised page, they trigger the code, which may do things like try to steal passwords. In the case of Flick and Yestrumskas, that code simply instructs the user’s browser to perform certain tasks on behalf of the attacker.

It turns out that one of the biggest issues they had was browser compatibility. Yestrumskas told me that the two had working code running on Safari, but that, as he tested it and made a few tweaks, for an unexplained reason, the attack just stopped working. Yestrumskas and Flick relied on forum posts by a lot of legitimate Web developers to get key advice to get their tool working. A lot of times, Yestrumskas said, legitimate developers are essentially hacking the browser without realizing what they’re doing (or the security implications).

I find it interesting that we’re stretching the capabilities of browsers so much that legitimate work being done by the builders of Web applications can look a lot like that of hackers working up a prototype for a malicious attack.

2 comments. Share your thoughts »

Tagged: Web, browsers, Black Hat security conference, cross-site scripting

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me