[browsershots-factories] Re: Security concern from Browsershots service.
Johann C. Rocholl
johann at browsershots.org
Thu Aug 2 09:28:34 CEST 2007
Hi Vinay,
Thanks for your feedback and concerns.
On 8/1/07, Vinay Mahadik (McAfee) wrote:
> This site definitely has a lot of utility value for web developers. However,
> I was wondering if you have considered the major security implications of
> this service?
Yes, I have considered them.
> Based on my understanding of the architecture, the browsershot clients on
> volunteers' machines connect automatically to random URLs from the
> shotserver queue and open these URLs for screenshot purposes, right? If
> anonymous users are allowed to submit arbitrary URLs to this service, it
> throws the volunteers' machines open to hackers. Hackers could host old or
> new 0-day exploits on some website, post the URL on browsershot, and have
> multiple volunteer hosts compromised this way. At the very least, it serves
> as a one-stop "QA" lab for browser-based exploits' testing for hackers.
That is correct.
> Could you please let me know what steps you have taken to prevent this from
> happening? (I am assuming most volunteers are not using "emulators" or VM
> environments for this).
* Some of the Windows machines are actually on VMWare.
* Most screenshot factories are kept up-to-date with security patches.
This will not help against new 0-day exploits, but against old ones.
* The screenshot factory program runs on unprivileged user accounts,
so that a compromised machine will not automatically allow root
access.
* A simple browser crash is not a problem because the screenshot
factory script will automatically kill the crashed browser instance
and continue working.
* The screenshots are taken without any clicks or interaction with the
website, only loading, rendering and scrolling. Many exploits require
some user interaction, like accepting a download or clicking on
embedded objects.
* Finally, if a screenshot factory gets compromised, it does not
compromise the rest of the service, and it's easy to fix by
reinstalling (possibly from a disk image).
Cheers,
Johann
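The crash-handling and damage-limiting behaviour described above (kill a hung or crashed browser, keep the queue moving, cap what one job can consume), written out as an added example; this is not Browsershots' own factory code, and the browser command lines, timeout and resource limits are constructed placeholders.

```python
import resource
import subprocess


def _limit_child():
    # Runs in the child before exec: cap CPU seconds and virtual memory so a
    # runaway or exploited renderer cannot starve the whole factory.
    # (Constructed limits; tune per machine.)
    resource.setrlimit(resource.RLIMIT_CPU, (60, 60))
    resource.setrlimit(resource.RLIMIT_AS, (1 << 30, 1 << 30))


def run_job(argv, timeout):
    """Render one URL in a fresh browser process and classify the outcome.

    Returns "ok", "failed" (non-zero exit), "crashed" (killed by a signal,
    e.g. SIGSEGV) or "timeout" (hung past the wall-clock limit and killed).
    """
    try:
        proc = subprocess.run(
            argv,
            timeout=timeout,
            preexec_fn=_limit_child,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run has already sent SIGKILL and reaped the child.
        return "timeout"
    if proc.returncode < 0:
        return "crashed"
    if proc.returncode != 0:
        return "failed"
    return "ok"


def process_queue(jobs, timeout):
    """Run every (url, argv) job; one crash or hang never stops the loop."""
    results = []
    for url, argv in jobs:
        results.append((url, run_job(argv, timeout)))
    return results


if __name__ == "__main__":
    # Constructed stand-ins for a browser invocation: a clean render,
    # a hung renderer and a renderer that segfaults.
    demo = [
        ("http://example.invalid/ok", ["true"]),
        ("http://example.invalid/hang", ["sleep", "30"]),
        ("http://example.invalid/crash", ["sh", "-c", "kill -SEGV $$"]),
    ]
    for url, status in process_queue(demo, timeout=1):
        print(url, status)
```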