We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A View from Erica Naone

Hackers Struggle with Browser Compatibility

Hackers and legitimate developers alike complain about compatibility issues.

  • February 23, 2009

While attending the Black Hat DC computer-security conference in Washington, DC, this week, I got the opportunity to talk with Matthew Flick (principal researcher at FYRM Associates) and Jeff Yestrumskas (senior manager of information security at Cvent) about a “cross-site-scripting anonymous browser” they have created.

The tool hijacks a legitimate Web-browsing session and uses it to collect material for the attacker’s Web-browsing session. The idea is that the attacker can mask his identity behind a legion of random, distributed requests.

Other tools do a similar job. For example, Tor is a very sophisticated tool for protecting your identity while browsing. It uses bandwidth and computing resources donated by volunteers to create a circuitous route between the user and the site that she’s browsing. Flick and Yestrumskas freely admit that their tool is no replacement for Tor, but they were fascinated by the idea of building a tool that protects anonymity using unwilling participants instead of volunteers.

What I found most interesting was listening to them describe the technical difficulties that they had to overcome in order to put together a working demo. Their tool relies on cross-site scripting, which is a vulnerability common to Web applications that allows an attacker to inject his own code into Web pages. When other users view the compromised page, they trigger the code, which may do things like try to steal passwords. In the case of Flick and Yestrumskas, that code simply instructs the user’s browser to perform certain tasks on behalf of the attacker.

It turns out that one of the biggest issues they had was browser compatibility. Yestrumskas told me that the two had working code running on Safari, but that, as he tested it and made a few tweaks, for an unexplained reason, the attack just stopped working. Yestrumskas and Flick relied on forum posts by a lot of legitimate Web developers to get key advice to get their tool working. A lot of times, Yestrumskas said, legitimate developers are essentially hacking the browser without realizing what they’re doing (or the security implications).

I find it interesting that we’re stretching the capabilities of browsers so much that legitimate work being done by the builders of Web applications can look a lot like that of hackers working up a prototype for a malicious attack.

Cut off? Read unlimited articles today.

Become an Insider
Already an Insider? Log in.
Want more award-winning journalism? Subscribe to Insider Basic.
  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Print Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.