Scientists have devised a browser-based exploit that allows them to carry out large-scale computations on cloud-based services for free, a hack they warn could be used to wage powerful online attacks cheaply and anonymously.
The method, described in a research paper scheduled to be presented at next month's Computer Security Applications Conference, uses the Puffin mobile browser to push computationally intensive jobs onto a cloud-based service that was never intended for such purposes. Normally, Puffin and other so-called cloud-based browsers are used only to accelerate the loading of Web pages on mobile devices by rendering JavaScript, images, and text from disparate sources on a server and only then delivering it to the smartphone or tablet. That's more efficient than relying on mobile devices with limited computing power to render such content themselves.
Now, computer scientists at North Carolina State University and the University of Oregon have demonstrated a way to abuse such services. By creating a customized browser that mimics Puffin, they were able to trick the cloud-based servers it relies on into counting words, searching for text strings, and carrying out other tasks the service was never designed for—free and semi-anonymously. Out of ethical considerations, they limited both the scope and the workload imposed on the cloud resources, but they warned that less-scrupulous attackers could use similar techniques to perform powerful denial-of-service attacks and password cracks.