The seemingly limitless computational power of cloud computing is among the technology's most attractive value propositions, but placed in the wrong hands, it could fuel untold danger. According to a new proof-of-concept exploit engineered by computer scientists at North Carolina State University and the University of Oregon, hackers could anonymously siphon some of this strength to amplify the impact of their malicious plots.
But as researchers hypothesized, this blessing could become a curse if programmers are able to trick the browser into performing tasks that the actual cloud service was never designed to execute.
"By rendering web pages in the cloud, the providers of cloud browsers can become open computation centers, much in the same way that poorly configured mail servers become open relays," scientists wrote in their research brief. "There is great potential to abuse these services for other purposes."
Ahead of this month's Computer Security Applications Conference, the research team built its own customized Puffin replica for experimentation. According to Ars Technica, engineers discovered a method by which the cloud-based servers the browser relies on could be commanded to count words, search text and execute a variety of processes outside the scope of their original design.
Although the proof-of-concept attack was limited in scope and benign in motive, it confirmed the researchers' ability to discreetly redirect the power of public cloud servers for covert activities. In addition to the Puffin browser, which facilitates activity on Android and iOS devices, it is assumed that similar manipulations could be made to Amazon's Silk browser, AlwaysOn's Cloud Browse and Opera Mini.
If these capabilities were bent to a hacker's will, they could generate as many as 24,000 cryptographic hashes per second for password-cracking purposes or significantly expand the attack radius for denial-of-service attacks.
Similar brands of so-called "parasitic computing" have paved the way for notable breaches such as Sony's 2011 data security troubles. But as research coordinator William Enck told Dark Reading, this fresh approach could be much faster and simpler than renting cloud space with stolen or fraudulent payment credentials.
Cloud Security News from SimplySecurity.com by Trend Micro