Computer scientists have shown that the functionality many websites expose to developers—to let them build powerful Web applications—can also be combined in potentially nefarious ways.
A team from the University of California, San Diego, used application programming interfaces (APIs) from Google and Facebook to create a system that would let a person browse the Web in anonymity. The researchers, who will present the work at this week’s Usenix Security Conference in Bellevue, Washington, say such a service could potentially allow cyber crooks to cover their tracks.
“Our intention is to make the services acknowledge this problem,” says Jiaqi Zhang, a PhD student in computer science at UCSD and a member of the team. “We hope that when they see our work, they will try to do something to defend their services so that they will not suffer from this and others won’t suffer from this.”
Other researchers have shown how an API can be used in unintended ways, for example to turn a Gmail account into an online hard drive. But the UCSD researchers are the first to combine multiple services in this way.
The researchers’ anonymizing service, called CloudProxy, uses Google services for storing Web content—four Google Docs accounts each containing 10 spreadsheets were used to cache ASCII data from websites. Non-ASCII content was stored using another Google service. They also used a Facebook Web service to format their Web requests correctly, and Google’s URL shortening service to create requests that could easily be fed into the other Web services.
The researchers tested the service by loading a variety of content from various websites and then using a network capture program, WireShark, to confirm that no identifying information could be gleaned from the requests.
Mike Geide, senior security researcher for Web-security provider Zscaler, says the technique could be particularly pernicious because many Web security technologies depend on identifying bad websites and blocking them. No one would block traffic from Google or Facebook, he notes.
“What you are asking for at the end of the day is to determine the intent of the activity,” he says. “Google has to talk to Facebook, because that is how the Web works. So how do you determine the intent of those requests?”
Granting Internet users anonymity is only one possible scenario. UCSD’s Zhang adds that Google, Facebook, and other Web services could greatly amplify the impact of an attack, perhaps helping to knock a target website or computer server offline in a denial-of-service attack. “Google has a lot of resources and bandwidth, so if a hacker can use a Google service, they don’t have to build a zombie network, they can just use Google to do a denial-of-service attack,” Zhang says.
However, Mark O’Neill, chief technology officer of cloud-security provider Vordel, says Web service providers should be able to put defenses in place to make their APIs harder to abuse. By looking at patterns of usage, he says, a service could detect users trying to exploit APIs in new ways.
Embracing CX in the metaverse
More than just meeting customers where they are, the metaverse offers opportunities to transform customer experience.
Identity protection is key to metaverse innovation
As immersive experiences in the metaverse become more sophisticated, so does the threat landscape.
The modern enterprise imaging and data value chain
For both patients and providers, intelligent, interoperable, and open workflow solutions will make all the difference.
Scientists have created synthetic mouse embryos with developed brains
The stem-cell-derived embryos could shed new light on the earliest stages of human pregnancy.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.