    Black Hat: Ads Could Provide a Vehicle for Enslaving Your Browser

    By
    Sean Michael Kerner
    -
    July 31, 2013

      LAS VEGAS—Every day millions of ads are displayed to tens of millions of users across the Web. According to a pair of WhiteHat Security researchers speaking at the Black Hat security conference here, those ads could be the gateway to enslaving your browser into a botnet army.

      There is little preventing an attacker from spending a small amount of money to almost instantly create a massive JavaScript-driven browser botnet—a so-called “million browser botnet,” Matt Johanson, manager of the Threat Research Center at WhiteHat Security, told eWEEK.

      Perhaps even more disturbing is the fact that WhiteHat’s browser botnet attack isn’t technically about disclosing a vulnerability. Rather, it’s about abusing functionality that is part of the way the Internet works today.

      Johanson explained that WhiteHat deployed some JavaScript inside of ad code and then submitted the ad to various ad networks. He noted that some networks allow JavaScript code functionality, while others do not. The overall goal for WhiteHat was to generate as much traffic as possible.

      In short order, WhiteHat’s bogus ad generated 20 million hits on the tracking site it targeted. That doesn’t mean the ad was displayed or clicked 20 million times: the JavaScript that WhiteHat deployed makes each browser that renders the ad connect to a given target over and over, as fast as it can. Spread across enough browsers, that behavior amounts to a distributed denial-of-service (DDoS) attack.

      WhiteHat’s JavaScript code wasn’t doing anything overtly malicious, and it wasn’t dropping a payload on any user’s machine either, Johanson said. The attack isn’t a cross-site scripting (XSS) issue, and it isn’t abusing the same-origin policy that browsers enforce: that policy restricts what a script from one origin can read from another, but it has never stopped a page from requesting resources, such as images, from any host it likes.

      “This is just how the Internet works,” Johanson said. “A Web browser can go grab an image that sits on a third-party site and the source of the image doesn’t even matter.”

      He explained that all they did was deploy simple code that runs through a loop for as long as the ad is displayed. WhiteHat could also have extended the JavaScript to perform other work, such as distributed hash cracking.
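      As an added example (this is not WhiteHat’s code, nor the ad they submitted), here is the attack described above as the target would see it in its own access log. Browsers cache images, so a loop that re-requested the same URL would mostly be served from cache; to force a fresh request each time, the script has to vary the URL, typically with a throwaway query string (an assumption about the ad, not something the article states). That leaves a recognizable signature: one client, one path, many hits per second, each with a different query string. The log lines, IP addresses and thresholds below are constructed for the demonstration.

```javascript
// Added example, not WhiteHat's code: spotting a browser-driven request flood
// in a Common Log Format access log. All log lines below are constructed.

const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "31/Jul/2013:10:00:00 +0000" -> epoch seconds (UTC), or null if unparseable.
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (+m[8] * 3600 + +m[9] * 60) * (m[7] === '+' ? 1 : -1);
  return local - offset;
}

// One CLF line -> { client, ts, method, path, query, status }, or null.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [path, query = ''] = m[4].split('?', 2);
  return { client: m[1], ts: parseClfTime(m[2]), method: m[3], path, query, status: +m[5] };
}

// Bucket hits by (client, path, second). A browser looping over something like
// `new Image().src = target + '?' + counter` shows up as one client hitting one
// path many times in a second with a different query string on every request.
// Ordinary page views never look like that, so both conditions must hold.
function findFloods(logText, { perSecond = 50, minDistinctRatio = 0.9 } = {}) {
  const buckets = new Map();
  for (const raw of logText.split('\n')) {
    const r = parseLine(raw.trim());
    if (!r || r.ts === null) continue;
    const key = `${r.client}|${r.path}|${r.ts}`;
    let b = buckets.get(key);
    if (!b) {
      b = { client: r.client, path: r.path, second: r.ts, hits: 0, queries: new Set() };
      buckets.set(key, b);
    }
    b.hits += 1;
    b.queries.add(r.query);
  }
  const flagged = [];
  for (const b of buckets.values()) {
    if (b.hits >= perSecond && b.queries.size / b.hits >= minDistinctRatio) {
      flagged.push({ client: b.client, path: b.path, second: b.second,
                     hits: b.hits, distinctQueries: b.queries.size });
    }
  }
  return flagged.sort((a, b) => b.hits - a.hits);
}

// Constructed traffic: what the ad loop produces from one browser in one second.
function floodLines(client, path, n, stamp) {
  const out = [];
  for (let i = 0; i < n; i++) {
    out.push(`${client} - - [${stamp}] "GET ${path}?${i} HTTP/1.1" 200 3011`);
  }
  return out;
}

// Constructed sample log: two ordinary visitors plus one browser running the loop.
const SAMPLE_LOG = [
  '203.0.113.10 - - [31/Jul/2013:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
  '203.0.113.10 - - [31/Jul/2013:10:00:00 +0000] "GET /logo.png HTTP/1.1" 200 3011',
  '203.0.113.11 - - [31/Jul/2013:10:00:01 +0000] "GET /index.html?ref=mail HTTP/1.1" 200 5120',
  ...floodLines('198.51.100.7', '/logo.png', 120, '31/Jul/2013:10:00:01 +0000'),
  ...floodLines('198.51.100.7', '/logo.png', 130, '31/Jul/2013:10:00:02 +0000'),
].join('\n');

for (const f of findFloods(SAMPLE_LOG)) {
  console.log(`${f.client} hit ${f.path} ${f.hits} times in second ${f.second} ` +
              `(${f.distinctQueries} distinct query strings)`);
}
```

      Blocking a single flagged client at the edge is cheap, but it does not scale to the scenario in the talk, where the flood comes from tens of thousands of ordinary browsers for as long as the ad is on screen; the check is useful for telling that kind of traffic apart from a genuine traffic spike, not for stopping it.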

      The WhiteHat browser botnet only worked on ad networks that allowed JavaScript code in submitted ads.

      “Ad networks go through an approval process, but all they care about is that the image looks right and fits, and when you click, it goes to a page that exists,” Johanson said. “On the networks that allowed JavaScript, there was no analysis done of our code.”

      Though it was the ad networks that allowed the WhiteHat code to run, Johanson said that he’s not pointing fingers at any particular ad network. The challenge, he said, is a bigger one than just the ad networks, as JavaScript code running in a browser is commonplace across the Web. The ad network in the Million Browser Botnet example was merely the distribution mechanism.

      In Johanson’s view, the ad code issue isn’t an issue of avoiding certain sites either, as he found that he was able to get the ads running on common legitimate Websites.

      In terms of fixing the problem, browser vendors might be part of the solution. Johanson said that WhiteHat has already opened up lines of conversation with Google and Mozilla.

      So what should users do today to protect themselves?

      There aren’t many options, but there are a few. Johanson suggests that users install browser extensions to control what runs in their browser. Two tools in particular are NoScript and Request Policy, which block scripts and cross-site requests, respectively, until the user explicitly allows them.

      Sean Michael Kerner is a senior editor at eWeek and InternetNews.com. Follow him on Twitter @TechJournalist.