Researchers show cloud server exploit using mobile browsers

University researchers have found a way to exploit cloud-based browsers, allowing them to then use the underlying server cluster to perform large-scale computer tasks.

The exploit could enable a cybercriminal to anonymously run such heavily computational chores as password or digital certificate cracking, said William Enck, an assistant professor of computer science at North Carolina State University (NCSU). Enck worked on the research with scientists from NCSU and the University of Oregon.

"Because the person getting the bill for that computation is really the cloud browser provider, it gives those using the resources anonymously for other purposes an added advantage," Enck said.

Cloud browsers run on server clusters and act as an interface to smartphones and other mobile devices with limited computing power. The browser enables computing to be done on the servers, delivering only the Web page to the device.


What Enck and the other researchers did was take advantage of a design weakness: the cloud browser does not limit the number of requests a client can make. For the proof of concept, the researchers reverse-engineered the Puffin browser to determine the protocol it uses, then created their own interface to make Web page requests.

The scientists performed standard computational functions using data packets that were 1MB, 10MB and 100MB. The packets could have been much larger. The computations were done through the use of MapReduce, a Google-developed programming model for processing large data sets.

"What we were able to do was chain together a bunch of requests to make a larger computation," Enck said.

There are ways to fix the problem. Instead of allowing anyone to make unlimited requests of the underlying server cluster, browser providers should require authentication.

"Instead of allowing anyone on the Internet to make requests of their servers, end users should have accounts," Enck said. "You would then be able to notice when one account, for example, is requesting way more pages than an actual human would ever do."
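The account-level check Enck describes, as an added example that is not from the article or the researchers: requests are grouped per account, any account whose request count or rendered bytes in a sliding window exceed what a human browsing session would produce is flagged, and unauthenticated requests are counted so the front end can refuse them. The log format, account names, thresholds and timestamps are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for a hypothetical cloud-browser front end (not Puffin's real format).
LINE_RE = re.compile(r"^(\S+) account=(\S+) bytes=(\d+) url=\S+$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Return (timestamp, account, bytes) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.strptime(m.group(1), TS_FMT), m.group(2), int(m.group(3))

def flag_accounts(lines, window=timedelta(seconds=60), max_requests=30, max_bytes=50 << 20):
    """Flag accounts exceeding either limit in any sliding window; count unauthenticated (account=-) hits."""
    by_account, unauthenticated = defaultdict(list), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec[1] == "-":
            unauthenticated += 1
        else:
            by_account[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for account, reqs in by_account.items():
        reqs.sort()
        start = window_bytes = 0
        for i, (ts, nbytes) in enumerate(reqs):
            window_bytes += nbytes
            while reqs[start][0] < ts - window:  # drop requests older than the window
                window_bytes -= reqs[start][1]
                start += 1
            count = i - start + 1
            if count > max_requests or window_bytes > max_bytes:
                flagged[account] = f"{count} requests, {window_bytes} bytes in {window.seconds}s"
                break
    return flagged, unauthenticated

def constructed_log():
    """Constructed sample: a human-paced account, a scripted account chaining 10 MB pages, one anonymous hit."""
    base = datetime(2012, 11, 28, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=12 * i)).strftime(TS_FMT)} account=alice bytes=50000 url=news.example/{i}"
             for i in range(5)]
    lines += [f"{(base + timedelta(seconds=i)).strftime(TS_FMT)} account=mallory bytes=10485760 url=blob.example/job{i}"
              for i in range(40)]
    lines.append(f"{base.strftime(TS_FMT)} account=- bytes=104857600 url=blob.example/anon")
    return lines
```

The byte limit catches the scripted account on its sixth 10 MB page, before the request-count limit does; raising it shows the count limit taking over instead.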

The team tested its work successfully against several other browsers, including Opera Mini, Amazon Silk on the Kindle Fire tablet and Cloud Browse.

The researchers plan to present a paper on their work on Dec. 6 at the Annual Computer Security Applications Conference in Orlando, Fla.

Cloud security for mobile devices remains a work in progress for vendors and users. At the Cloud Security Alliance summit this year, the organization announced initiatives that included examining ways to better secure mobile devices through cloud computing and looking at ways to drive more security innovation.
