A Menacing Facebook-Google Mashup

Researchers show that different Web programming interfaces can be combined to cloak online activity.
August 7, 2012

Computer scientists have shown that the functionality many websites expose to developers—to let them build powerful Web applications—can also be combined in potentially nefarious ways.

A team from the University of California, San Diego, used application programming interfaces (APIs) from Google and Facebook to create a system that would let a person browse the Web in anonymity. The researchers, who will present the work at this week’s Usenix Security Conference in Bellevue, Washington, say such a service could potentially allow cyber crooks to cover their tracks.

“Our intention is to make the services acknowledge this problem,” says Jiaqi Zhang, a PhD student in computer science at UCSD and a member of the team. “We hope that when they see our work, they will try to do something to defend their services so that they will not suffer from this and others won’t suffer from this.”

Other researchers have shown how an API can be used in unintended ways, for example to turn a Gmail account into an online hard drive. But the UCSD researchers are the first to combine multiple services in this way.

The researchers’ anonymizing service, called CloudProxy, uses Google services for storing Web content—four Google Docs accounts each containing 10 spreadsheets were used to cache ASCII data from websites. Non-ASCII content was stored using another Google service. They also used a Facebook Web service to format their Web requests correctly, and Google’s URL shortening service to create requests that could easily be fed into the other Web services.

The researchers tested the service by loading a variety of content from various websites and then using a network capture program, Wireshark, to confirm that no identifying information could be gleaned from the requests.

Mike Geide, senior security researcher for Web-security provider Zscaler, says the technique could be particularly pernicious because many Web security technologies depend on identifying bad websites and blocking them. No one would block traffic from Google or Facebook, he notes.

“What you are asking for at the end of the day is to determine the intent of the activity,” he says. “Google has to talk to Facebook, because that is how the Web works. So how do you determine the intent of those requests?”

Granting Internet users anonymity is only one possible scenario. UCSD’s Zhang adds that Google, Facebook, and other Web services could greatly amplify the impact of an attack, perhaps helping to knock a target website or computer server offline in a denial-of-service attack. “Google has a lot of resources and bandwidth, so if a hacker can use a Google service, they don’t have to build a zombie network, they can just use Google to do a denial-of-service attack,” Zhang says.

However, Mark O’Neill, chief technology officer of cloud-security provider Vordel, says Web service providers should be able to put defenses in place to make their APIs harder to abuse. By looking at patterns of usage, he says, a service could detect users trying to exploit APIs in new ways.
