- 1 Post By hackerman1
3rd August 2013, 13:56 #1
News from BlackHat: Million Browser Botnet
News from BlackHat: https://www.blackhat.com/us-13/archives.html#Grossman
Million Browser Botnet
Online advertising networks can be a web hackerís best friend.
For mere pennies per thousand impressions (that means browsers),
You are SUPPOSED to use this ďfeatureĒ to show ads, to track users, and get clicks, but that doesnít mean you have to abide.
The real-world power is spooky cool. We know, because we tested itÖ in-the-wild.
Put simply, instruct browsers to make HTTP requests they didnít intend, even something as well-known as Cross-Site Request Forgery.
With CSRF, no zero-days or malware is required.
Oh, and there is no patch.
The Web is supposed to work this way.
Also nice, when the user leaves the page, our code vanishes.
Before leveraging advertising networks, the reason this attack scenario didnít worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass.
Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins.
While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale.
Thatís what we want!
Today this is possible, and practical.
5th August 2013, 17:39 #2
Yikes. Not sure how this would be to defend against...
Ad-block, NoScript, but then you'd be turning off the ad revenue that some sites rely on, which isn't a good thing. I guess this may be left up to the advertiser publisher to white list certain ads after quality control... At least cut down on some of the offending ads (doubt they could catch them all).