Skip to Content
Uncategorized

Hackers Struggle with Browser Compatibility

Hackers and legitimate developers alike complain about compatibility issues.
February 23, 2009

While attending the Black Hat DC computer-security conference in Washington, DC, this week, I got the opportunity to talk with Matthew Flick (principal researcher at FYRM Associates) and Jeff Yestrumskas (senior manager of information security at Cvent) about a “cross-site-scripting anonymous browser” they have created.

The tool hijacks a legitimate Web-browsing session and uses it to collect material for the attacker’s Web-browsing session. The idea is that the attacker can mask his identity behind a legion of random, distributed requests.

Other tools do a similar job. For example, Tor is a very sophisticated tool for protecting your identity while browsing. It uses bandwidth and computing resources donated by volunteers to create a circuitous route between the user and the site that she’s browsing. Flick and Yestrumskas freely admit that their tool is no replacement for Tor, but they were fascinated by the idea of building a tool that protects anonymity using unwilling participants instead of volunteers.

What I found most interesting was listening to them describe the technical difficulties that they had to overcome in order to put together a working demo. Their tool relies on cross-site scripting, which is a vulnerability common to Web applications that allows an attacker to inject his own code into Web pages. When other users view the compromised page, they trigger the code, which may do things like try to steal passwords. In the case of Flick and Yestrumskas, that code simply instructs the user’s browser to perform certain tasks on behalf of the attacker.

It turns out that one of the biggest issues they had was browser compatibility. Yestrumskas told me that the two had working code running on Safari, but that, as he tested it and made a few tweaks, for an unexplained reason, the attack just stopped working. Yestrumskas and Flick relied on forum posts by a lot of legitimate Web developers to get key advice to get their tool working. A lot of times, Yestrumskas said, legitimate developers are essentially hacking the browser without realizing what they’re doing (or the security implications).

I find it interesting that we’re stretching the capabilities of browsers so much that legitimate work being done by the builders of Web applications can look a lot like that of hackers working up a prototype for a malicious attack.

Deep Dive

Uncategorized

Our best illustrations of 2022

Our artists’ thought-provoking, playful creations bring our stories to life, often saying more with an image than words ever could.

How CRISPR is making farmed animals bigger, stronger, and healthier

These gene-edited fish, pigs, and other animals could soon be on the menu.

The Download: the Saudi sci-fi megacity, and sleeping babies’ brains

This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology. These exclusive satellite images show Saudi Arabia’s sci-fi megacity is well underway In early 2021, Crown Prince Mohammed bin Salman of Saudi Arabia announced The Line: a “civilizational revolution” that would house up…

10 Breakthrough Technologies 2023

Every year, we pick the 10 technologies that matter the most right now. We look for advances that will have a big impact on our lives and break down why they matter.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.