Headless mode in Firefox and Chrome

During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI.

Until now, headless browsers were forks of well-known browser engines adapted to run in headless mode, used only by developers for automated tests.

This type of testing is crucial in modern web development, as it allows developers to see how a page responds to certain actions such as page loads, clicks on buttons, filling in forms, etc.

Usually, developers log all these responses, such as page load times and action response times, and later analyze the results to make improvements to their sites.

Headless mode supported in Chrome 59, Firefox 56

The first to add support for a headless mode was Google, in Chrome 59, released earlier this month. According to a Mozilla bug report, Mozilla will add a similar headless mode in Firefox 56, set for release next month.

This means developers won't need any third-party apps to run Firefox or Chrome as a headless browser and will be able to run tests right in the browsers for which they're optimizing their pages.

Regular users won't notice anything since the addition of headless mode doesn't change anything in how both Chrome and Firefox look or behave in standard mode.

Headless mode is ripe for abuse by malware devs

While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware.

In the future, adware or clickfraud bots could boot up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions.

In the past, there have been quite a few adware families that used headless browsers to perform clickfraud [1, 2, 3, 4].

Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam.

The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

A new challenge for antivirus makers

"This may make it easier for them, and harder to detect on the local machine," Grooten told Bleeping Computer today.

His opinion is shared by fellow security researcher Bart Parys. "I do think adware creators will jump on the bandwagon, under the premise that it's worth the cost," Parys told Bleeping Computer in a private conversation.

Antivirus software makers will need to adapt along with Chrome and Firefox if they want to prevent users' computers from being hijacked and abused behind their owners' backs. Security products that come with support for behavioral analysis are most likely in a better position to detect these new types of adware attacks.
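
One way to express the behavioral check described above (an added example, not from the article or any security product): it flags process-creation events in which Chrome or Firefox starts with its headless command-line switch from a parent that is not known test tooling. The event field names, the parent allowlist and the sample events are assumptions constructed for illustration.

```python
import ntpath

BROWSERS = {"chrome.exe", "firefox.exe"}
HEADLESS_SWITCHES = {"--headless", "-headless"}  # Chrome and Firefox switches
# Assumption: parents that legitimately start headless browsers on this host.
EXPECTED_PARENTS = {"chromedriver.exe", "geckodriver.exe", "node.exe"}

def is_headless(command_line):
    """True if an argument is a headless switch, bare or as switch=value."""
    for token in command_line.split():
        if token.strip('"').split("=", 1)[0].lower() in HEADLESS_SWITCHES:
            return True
    return False

def triage(events):
    """Return (pid, parent, verdict) for each headless browser launch."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image not in BROWSERS or not is_headless(ev["command_line"]):
            continue
        parent = ntpath.basename(ev["parent_image"]).lower()
        verdict = "expected" if parent in EXPECTED_PARENTS else "review"
        findings.append((ev["pid"], parent, verdict))
    return findings

# Constructed sample events; field names, paths and PIDs are hypothetical.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

def event(pid, image, parent, args):
    return {"pid": pid, "image": image, "parent_image": parent,
            "command_line": f'"{image}" {args}'}

SAMPLE_EVENTS = [
    # Normal GUI launch; the URL merely contains the switch text.
    event(4100, CHROME, r"C:\Windows\explorer.exe",
          "https://example.com/?q=--headless"),
    # Automated test run started by a browser driver.
    event(4212, CHROME, r"C:\tools\chromedriver.exe",
          "--headless --disable-gpu about:blank"),
    # Headless launch from an unknown binary in a user profile.
    event(5120, CHROME, r"C:\Users\alice\AppData\Roaming\upd\svc.exe",
          "--headless --disable-gpu https://ads.example/"),
    # Headless Firefox started by a script host.
    event(5388, FIREFOX, r"C:\Windows\System32\wscript.exe",
          "-headless https://ads.example/"),
]

if __name__ == "__main__":
    for pid, parent, verdict in triage(SAMPLE_EVENTS):
        print(pid, parent, verdict)
```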
