Skip to Content
MIT Technology Review
Sign in
Uncategorized

Hackers Struggle with Browser Compatibility

Hackers and legitimate developers alike complain about compatibility issues.
February 23, 2009

While attending the Black Hat DC computer-security conference in Washington, DC, this week, I got the opportunity to talk with Matthew Flick (principal researcher at FYRM Associates) and Jeff Yestrumskas (senior manager of information security at Cvent) about a “cross-site-scripting anonymous browser” they have created.

The tool hijacks a legitimate Web-browsing session and uses it to collect material for the attacker’s Web-browsing session. The idea is that the attacker can mask his identity behind a legion of random, distributed requests.

Other tools do a similar job. For example, Tor is a very sophisticated tool for protecting your identity while browsing. It uses bandwidth and computing resources donated by volunteers to create a circuitous route between the user and the site that she’s browsing. Flick and Yestrumskas freely admit that their tool is no replacement for Tor, but they were fascinated by the idea of building a tool that protects anonymity using unwilling participants instead of volunteers.

What I found most interesting was listening to them describe the technical difficulties that they had to overcome in order to put together a working demo. Their tool relies on cross-site scripting, which is a vulnerability common to Web applications that allows an attacker to inject his own code into Web pages. When other users view the compromised page, they trigger the code, which may do things like try to steal passwords. In the case of Flick and Yestrumskas, that code simply instructs the user’s browser to perform certain tasks on behalf of the attacker.

It turns out that one of the biggest issues they had was browser compatibility. Yestrumskas told me that the two had working code running on Safari, but that, as he tested it and made a few tweaks, for an unexplained reason, the attack just stopped working. Yestrumskas and Flick relied on forum posts by a lot of legitimate Web developers to get key advice to get their tool working. A lot of times, Yestrumskas said, legitimate developers are essentially hacking the browser without realizing what they’re doing (or the security implications).

I find it interesting that we’re stretching the capabilities of browsers so much that legitimate work being done by the builders of Web applications can look a lot like that of hackers working up a prototype for a malicious attack.

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.