Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Erica Naone

Hackers Struggle with Browser Compatibility

Hackers and legitimate developers alike complain about compatibility issues.

  • February 23, 2009

While attending the Black Hat DC computer-security conference in Washington, DC, this week, I got the opportunity to talk with Matthew Flick (principal researcher at FYRM Associates) and Jeff Yestrumskas (senior manager of information security at Cvent) about a “cross-site-scripting anonymous browser” they have created.

The tool hijacks a legitimate Web-browsing session and uses it to collect material for the attacker’s Web-browsing session. The idea is that the attacker can mask his identity behind a legion of random, distributed requests.

Other tools do a similar job. For example, Tor is a very sophisticated tool for protecting your identity while browsing. It uses bandwidth and computing resources donated by volunteers to create a circuitous route between the user and the site that she’s browsing. Flick and Yestrumskas freely admit that their tool is no replacement for Tor, but they were fascinated by the idea of building a tool that protects anonymity using unwilling participants instead of volunteers.

What I found most interesting was listening to them describe the technical difficulties that they had to overcome in order to put together a working demo. Their tool relies on cross-site scripting, which is a vulnerability common to Web applications that allows an attacker to inject his own code into Web pages. When other users view the compromised page, they trigger the code, which may do things like try to steal passwords. In the case of Flick and Yestrumskas, that code simply instructs the user’s browser to perform certain tasks on behalf of the attacker.

It turns out that one of the biggest issues they had was browser compatibility. Yestrumskas told me that the two had working code running on Safari, but that, as he tested it and made a few tweaks, for an unexplained reason, the attack just stopped working. Yestrumskas and Flick relied on forum posts by a lot of legitimate Web developers to get key advice to get their tool working. A lot of times, Yestrumskas said, legitimate developers are essentially hacking the browser without realizing what they’re doing (or the security implications).

I find it interesting that we’re stretching the capabilities of browsers so much that legitimate work being done by the builders of Web applications can look a lot like that of hackers working up a prototype for a malicious attack.

Be the leader your company needs. Implement ethical AI.
Join us at EmTech Digital 2019.

Register now
Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.