LAS VEGAS—Every day millions of ads are displayed to tens of millions of users across the Web. According to a pair of WhiteHat Security researchers speaking at the Black Hat security conference here, those ads could be the gateway to enslaving your browser into a botnet army.
Perhaps even more disturbing is the fact that WhiteHat's browser botnet attack isn't technically about disclosing a vulnerability. Rather, it's about abusing functionality that is part of the way the Internet works today.
"This is just how the Internet works," Johanson said. "A Web browser can go grab an image that sits on a third-party site and the source of the image doesn't even matter."
In Johanson's view, the ad code issue isn't an issue of avoiding certain sites either, as he found that he was able to get the ads running on common legitimate Websites.
In terms of fixing the problem, browser vendors might be part of the solution. Johanson said that WhiteHat has already opened up lines of conversation with Google and Mozilla.
So what should users do today to protect themselves?
There aren't too many options, but there are a few. Johanson suggests the browser users make use of browser extensions to control what's running. Two tools in particular are NoScript
and Request Policy
, which explicitly ask the user if they want to enable a script to run and make an external site request.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist.