Computer scientists have shown that the functionality many websites expose to developers—to let them build powerful Web applications—can also be combined in potentially nefarious ways.

A team from the University of California, San Diego, used application programming interfaces (APIs) from Google and Facebook to create a system that would let a person browse the Web in anonymity. The researchers, who will present the work at this week’s Usenix Security Conference in Bellevue, Washington, say such a service could potentially allow cyber crooks to cover their tracks.

“Our intention is to make the services acknowledge this problem,” says Jiaqi Zhang, a PhD student in computer science at UCSD and a member of the team. “We hope that when they see our work, they will try to do something to defend their services so that they will not suffer from this and others won’t suffer from this.”

Other researchers have shown how an API can be used in unintended ways, for example to turn a Gmail account into an online hard drive. But the UCSD researchers are the first to combine multiple services in this way.

The researchers’ anonymizing service, called CloudProxy, uses Google services for storing Web content—four Google Docs accounts each containing 10 spreadsheets were used to cache ASCII data from websites. Non-ASCII content was stored using another Google service. They also used a Facebook Web service to format their Web requests correctly, and Google’s URL shortening service to create requests that could easily be fed into the other Web services.

The researchers tested the service by loading a variety of content from various websites and then using a network capture program, WireShark, to confirm that no identifying information could be gleaned from the requests.

Mike Geide, senior security researcher for Web-security provider Zscaler, says the technique could be particularly pernicious because many Web security technologies depend on identifying bad websites and blocking them. No one would block traffic from Google or Facebook, he notes.

“What you are asking for at the end of the day is to determine the intent of the activity,” he says. “Google has to talk to Facebook, because that is how the Web works. So how do you determine the intent of those requests?”

Granting Internet users anonymity is only one possible scenario. UCSD’s Zhang adds that Google, Facebook, and other Web services could greatly amplify the impact of an attack, perhaps helping to knock a target website or computer server offline in a denial-of-service attack. “Google has a lot of resources and bandwidth, so if a hacker can use a Google service, they don’t have to build a zombie network, they can just use Google to do a denial-of-service attack,” Zhang says.

However, Mark O’Neill, chief technology officer of cloud-security provider Vordel, says Web service providers should be able to put defenses in place to make their APIs harder to abuse. By looking at patterns of usage, he says, a service could detect users trying to exploit APIs in new ways.