    Black Hat: Ads Could Provide a Vehicle for Enslaving Your Browser

    Written by

    Sean Michael Kerner
    Published July 31, 2013

      LAS VEGAS—Every day millions of ads are displayed to tens of millions of users across the Web. According to a pair of WhiteHat Security researchers speaking at the Black Hat security conference here, those ads could be the gateway to enslaving your browser into a botnet army.

      There is little preventing an attacker from spending a small amount of money to almost instantly create a massive JavaScript-driven browser botnet—a so-called “million browser botnet,” Matt Johanson, manager of the Threat Research Center at WhiteHat Security, told eWEEK.

      Perhaps even more disturbing is the fact that WhiteHat’s browser botnet attack isn’t technically about disclosing a vulnerability. Rather, it’s about abusing functionality that is part of the way the Internet works today.

      Johanson explained that WhiteHat deployed some JavaScript inside of ad code and then submitted the ad to various ad networks. He noted that some networks allow JavaScript code functionality, while others do not. The overall goal for WhiteHat was to generate as much traffic as possible.

      In short order, WhiteHat’s bogus ad generated 20 million hits on the target tracking site. But that doesn’t mean the ad was deployed or clicked 20 million times. The JavaScript code that WhiteHat deployed forces the browser to repeatedly connect as quickly as possible to a given target. It’s a condition that if deployed widely could enable a distributed denial-of-service (DDoS) attack.

      WhiteHat’s JavaScript code wasn’t doing anything overtly malicious, and it wasn’t dropping a payload on any user’s machine either, Johanson said. The attack isn’t even a cross-site scripting (XSS) issue, and it doesn’t bypass the same-origin policy—designed to limit the risk of external scripts acting outside of a specific domain—that most browsers enforce. A cross-origin image request is permitted by that policy, which is exactly what the code relies on.

      “This is just how the Internet works,” Johanson said. “A Web browser can go grab an image that sits on a third-party site and the source of the image doesn’t even matter.”

      He explained that all they did was deploy simple code that just runs through a loop for as long as the ad is displayed. WhiteHat could also have extended the JavaScript to perform other functions, such as distributed hash cracking.
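From the target site’s side, the pattern Johanson describes has a recognizable shape in the access log: many distinct browsers each fetching the same resource over and over, all carrying the same Referer (the page that displayed the ad), which differs from a single host flooding the server. The script below is an added example written for this article, not WhiteHat’s code or anything shown at the talk. It assumes the server writes Combined Log Format (the Referer field is required for the attribution step), and the sample log lines, IP addresses (documentation ranges) and domain names (`news.example`, `search.example`) are constructed here for illustration.

```python
"""Server-side detection of a browser request loop, over constructed log lines.

Added example for this article, not WhiteHat's code. Assumes Combined Log Format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format. The Referer field is what lets the target attribute
# traffic to the page that carried the ad; the fetched resource itself can be
# anything, an image included, as Johanson notes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_request_bursts(lines, window_s=10, threshold=20):
    """Return {(ip, path): peak_count} for every client that requested one path
    more than `threshold` times inside any `window_s`-second sliding window."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            stamps_by_key[(rec["ip"], rec["path"])].append(rec["ts"])
    bursts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, ts in enumerate(stamps):
            # shrink the window from the left until it spans <= window_s seconds
            while (ts - stamps[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            bursts[key] = peak
    return bursts


def attribute_by_referer(lines, bursts):
    """Count distinct bursty client IPs per (referer, path). Many clients sharing
    one Referer and one target path points at script distributed through a page
    (an ad slot, for instance) rather than a single attacking host."""
    bursty_ips = {ip for ip, _ in bursts}
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in bursty_ips:
            clients[(rec["referer"], rec["path"])].add(rec["ip"])
    return {key: len(ips) for key, ips in clients.items()}


def make_sample_log():
    """Constructed sample (not real traffic): 30 browsers on documentation-only
    addresses (198.51.100.0/24) each fetch /pixel.gif 25 times within 5 seconds,
    all with the same Referer, plus 5 ordinary single page views."""
    base = datetime.strptime("31/Jul/2013:10:00:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 43 "{ref}" "Mozilla/5.0"'
    lines = []
    for c in range(30):
        for i in range(25):
            ts = (base + timedelta(seconds=i // 5)).strftime(TS_FMT)
            lines.append(fmt.format(ip=f"198.51.100.{c + 1}", ts=ts,
                                    path="/pixel.gif", ref="http://news.example/story"))
    for c in range(5):
        ts = (base + timedelta(seconds=c)).strftime(TS_FMT)
        lines.append(fmt.format(ip=f"203.0.113.{c + 1}", ts=ts,
                                path="/index.html", ref="http://search.example/"))
    return lines


def analyse(lines, window_s=10, threshold=20):
    """Convenience wrapper returning (bursts, per-referer attribution)."""
    bursts = find_request_bursts(lines, window_s, threshold)
    return bursts, attribute_by_referer(lines, bursts)


if __name__ == "__main__":
    bursts, by_ref = analyse(make_sample_log())
    print(f"{len(bursts)} bursty (client, path) pairs")
    for (ref, path), n in by_ref.items():
        print(f"{n} distinct bursty clients hit {path} with Referer {ref}")
```

The per-client threshold alone would also trip on a misbehaving single host; the second step is what distinguishes the ad-distributed case, because the clients are numerous and unrelated yet share one Referer. That Referer is the page carrying the ad, not the ad network, which matches Johanson’s point that the network is only the distribution mechanism. Browsers may strip or shorten Referer headers depending on their referrer policy, so treat an empty Referer as unattributed rather than benign.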

      The WhiteHat browser botnet only worked on ad networks that allowed JavaScript code in submitted ads.

      “Ad networks go through an approval process, but all they care about is that the image looks right and fits, and when you click, it goes to a page that exists,” Johanson said. “On the networks that allowed JavaScript, there was no analysis done of our code.”

      Though it was the ad networks that allowed the WhiteHat code to run, Johanson said that he’s not pointing fingers at any particular ad network. The challenge, he said, is a bigger one than just the ad networks, as JavaScript code running in a browser is commonplace across the Web. The ad network in the Million Browser Botnet example was merely the distribution mechanism.

      In Johanson’s view, the ad code issue isn’t an issue of avoiding certain sites either, as he found that he was able to get the ads running on common legitimate Websites.

      In terms of fixing the problem, browser vendors might be part of the solution. Johanson said that WhiteHat has already opened up lines of conversation with Google and Mozilla.

      So what should users do today to protect themselves?

      There aren’t too many options, but there are a few. Johanson suggests that users make use of browser extensions to control what’s running. Two tools in particular are NoScript and RequestPolicy, which explicitly ask the user whether to allow a script to run or a request to an external site to be made.

      Sean Michael Kerner is a senior editor at eWeek and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner is an Internet consultant, strategist, and writer for several leading IT business web sites.