Skip to Content
Uncategorized

A Menacing Facebook-Google Mashup

Researchers show that different Web programming interfaces can be combined to cloak online activity.
August 7, 2012

Computer scientists have shown that the functionality many websites expose to developers—to let them build powerful Web applications—can also be combined in potentially nefarious ways.

A team from the University of California, San Diego, used application programming interfaces (APIs) from Google and Facebook to create a system that would let a person browse the Web in anonymity. The researchers, who will present the work at this week’s Usenix Security Conference in Bellevue, Washington, say such a service could potentially allow cyber crooks to cover their tracks.

“Our intention is to make the services acknowledge this problem,” says Jiaqi Zhang, a PhD student in computer science at UCSD and a member of the team. “We hope that when they see our work, they will try to do something to defend their services so that they will not suffer from this and others won’t suffer from this.”

Other researchers have shown how an API can be used in unintended ways, for example to turn a Gmail account into an online hard drive. But the UCSD researchers are the first to combine multiple services in this way.

The researchers’ anonymizing service, called CloudProxy, uses Google services for storing Web content—four Google Docs accounts each containing 10 spreadsheets were used to cache ASCII data from websites. Non-ASCII content was stored using another Google service. They also used a Facebook Web service to format their Web requests correctly, and Google’s URL shortening service to create requests that could easily be fed into the other Web services.

The researchers tested the service by loading a variety of content from various websites and then using a network capture program, WireShark, to confirm that no identifying information could be gleaned from the requests.

Mike Geide, senior security researcher for Web-security provider Zscaler, says the technique could be particularly pernicious because many Web security technologies depend on identifying bad websites and blocking them. No one would block traffic from Google or Facebook, he notes.

“What you are asking for at the end of the day is to determine the intent of the activity,” he says. “Google has to talk to Facebook, because that is how the Web works. So how do you determine the intent of those requests?”

Granting Internet users anonymity is only one possible scenario. UCSD’s Zhang adds that Google, Facebook, and other Web services could greatly amplify the impact of an attack, perhaps helping to knock a target website or computer server offline in a denial-of-service attack. “Google has a lot of resources and bandwidth, so if a hacker can use a Google service, they don’t have to build a zombie network, they can just use Google to do a denial-of-service attack,” Zhang says.

However, Mark O’Neill, chief technology officer of cloud-security provider Vordel, says Web service providers should be able to put defenses in place to make their APIs harder to abuse. By looking at patterns of usage, he says, a service could detect users trying to exploit APIs in new ways.

Keep Reading

Most Popular

computation concept
computation concept

How AI is reinventing what computers are

Three key ways artificial intelligence is changing what it means to compute.

still from Embodied Intelligence video
still from Embodied Intelligence video

These weird virtual creatures evolve their bodies to solve problems

They show how intelligence and body plans are closely linked—and could unlock AI for robots.

conceptual illustration showing various women's faces being scanned
conceptual illustration showing various women's faces being scanned

A horrifying new AI app swaps women into porn videos with a click

Deepfake researchers have long feared the day this would arrive.

pig kidney transplant surgery
pig kidney transplant surgery

Surgeons have successfully tested a pig’s kidney in a human patient

The test, in a brain-dead patient, was very short but represents a milestone in the long quest to use animal organs in human transplants.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.