You can combine different web programming interfaces to hide online activities
August 9, 2012 by admin
A group of computer scientists has shown that the functionality many websites offer developers for building powerful applications can also be combined in potentially harmful ways.
A team from the University of California at San Diego (UCSD, U.S.) has used the application programming interfaces (APIs) of Google and Facebook to create a system that would allow a person to surf the Internet anonymously. The researchers, who presented the work this week at the Usenix Security Conference in Bellevue, Washington (USA), indicate that this type of service would allow cybercriminals to cover their tracks.
“Our intention is to make services recognize this problem,” says Zhang Jiaqi, a doctoral student in computer science at UCSD and a member of the team. “We hope that when they see our work, they try to do something to defend their services and address the problems,” he adds.
Other researchers have shown how an API can be used in unintended ways, for example to turn a Gmail account into an online hard drive. However, the UCSD researchers are the first to combine multiple services in this way.
The researchers' anonymity service, called CloudProxy, uses Google services for content storage. Four Google Docs accounts, each with 10 spreadsheets, were used to cache the ASCII data of web pages. The non-ASCII content was stored using another Google service. They also used a Facebook web service to format web requests properly, and Google's URL shortener to create requests that could be easily incorporated into web services.
The researchers tested the service by loading diverse content from multiple sites, and then used a network capture program (WireShark) to confirm that no identifying information could be collected from the applications.
Mike Geide, senior security researcher at web security vendor Zscaler, says the technique could be particularly harmful because many web security technologies rely on identifying and blocking malicious websites. Nobody would block traffic from Google or Facebook, he says.
“What we are asking is to determine the intent of the activity,” he says. “Google has to talk to Facebook, because that’s how the Internet works. So how do you determine the intent of these applications?” asks Geide.
Granting anonymity to Internet users is one option. Zhang, from UCSD, adds that Google, Facebook and other web services can greatly amplify the impact of an attack, perhaps helping to bring down a website or a server in a denial of service attack. “Google has a lot of resources and bandwidth, so if a hacker manages to use its service, he does not have to build a botnet, he can simply use Google to do a denial of service attack,” said Zhang.
However, Mark O’Neill, CTO of cloud security vendor Vordel, says that Internet service providers should be able to set up defenses that make their APIs less easy to manipulate. By looking at usage patterns, he notes, a service could detect users who try to take advantage of the API in new ways.




