Computer scientists have shown that the functionality many websites expose to developers—to let them build powerful Web applications—can also be combined in potentially nefarious ways.
A team from the University of California, San Diego, used application programming interfaces (APIs) from Google and Facebook to create a system that would let a person browse the Web in anonymity. The researchers, who will present the work at this week’s Usenix Security Conference in Bellevue, Washington, say such a service could potentially allow cyber crooks to cover their tracks.
“Our intention is to make the services acknowledge this problem,” says Jiaqi Zhang, a PhD student in computer science at UCSD and a member of the team. “We hope that when they see our work, they will try to do something to defend their services so that they will not suffer from this and others won’t suffer from this.”
Other researchers have shown how an API can be used in unintended ways, for example to turn a Gmail account into an online hard drive. But the UCSD researchers are the first to combine multiple services in this way.
The researchers’ anonymizing service, called CloudProxy, uses Google services for storing Web content—four Google Docs accounts each containing 10 spreadsheets were used to cache ASCII data from websites. Non-ASCII content was stored using another Google service. They also used a Facebook Web service to format their Web requests correctly, and Google’s URL shortening service to create requests that could easily be fed into the other Web services.
The researchers tested the service by loading a variety of content from various websites and then using a network capture program, WireShark, to confirm that no identifying information could be gleaned from the requests.
Mike Geide, senior security researcher for Web-security provider Zscaler, says the technique could be particularly pernicious because many Web security technologies depend on identifying bad websites and blocking them. No one would block traffic from Google or Facebook, he notes.
“What you are asking for at the end of the day is to determine the intent of the activity,” he says. “Google has to talk to Facebook, because that is how the Web works. So how do you determine the intent of those requests?”
Granting Internet users anonymity is only one possible scenario. UCSD’s Zhang adds that Google, Facebook, and other Web services could greatly amplify the impact of an attack, perhaps helping to knock a target website or computer server offline in a denial-of-service attack. “Google has a lot of resources and bandwidth, so if a hacker can use a Google service, they don’t have to build a zombie network, they can just use Google to do a denial-of-service attack,” Zhang says.
However, Mark O’Neill, chief technology officer of cloud-security provider Vordel, says Web service providers should be able to put defenses in place to make their APIs harder to abuse. By looking at patterns of usage, he says, a service could detect users trying to exploit APIs in new ways.
How AI is reinventing what computers are
Three key ways artificial intelligence is changing what it means to compute.
These weird virtual creatures evolve their bodies to solve problems
They show how intelligence and body plans are closely linked—and could unlock AI for robots.
A horrifying new AI app swaps women into porn videos with a click
Deepfake researchers have long feared the day this would arrive.
Surgeons have successfully tested a pig’s kidney in a human patient
The test, in a brain-dead patient, was very short but represents a milestone in the long quest to use animal organs in human transplants.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.