
Snooping on Your Online Searches

SAN DIEGO -- America Online took a lot of heat recently for disclosing what hundreds of thousands of AOL users had searched for online, but the truth is that learning what any Internet user has recently searched for is well within the reach of every Web site owner, according to research published this week.

Atlanta-based security vendor SPI Dynamics released a white paper showing just how easy it is for a Web site owner to mine the recent search queries of anyone visiting the site, using fairly simple JavaScript code.

JavaScript is a powerful cross-platform programming language deployed on millions of Web sites, but in the hands of bad guys it can also be an incredibly invasive tool, as research presented at this year's Black Hat hacker conference made painfully clear.

Basing much of its research on that Black Hat talk, SPI Dynamics found that it is fairly easy for a Web site to use JavaScript to check whether a visitor has recently searched for any of a pre-defined list of words or phrases. The page does not read the search box itself; it checks whether the browser's history contains the exact search-engine URL that a given term would have produced, so the term has to match what the visitor typed character for character. To see this concept in action, navigate to Google.com and run a search for a word or phrase. Then visit SPI Dynamics' proof-of-concept page and type in the exact same word or phrase you entered at Google. The SPI page should report the same term you searched for in Google.

This exploit is somewhat limited, in that the snooping Web site must prepare JavaScript code that tests for a pre-defined set of search terms; it cannot read arbitrary queries. But consider how powerful such a tool could be in the hands of a major online retailer, which might want to serve you ads for certain types of products based on the products you've been searching for online. More insidiously, consider a government Web site that queries whether you've searched for certain terms that might make you a target for further investigation, such as "porn," "bomb making," or certain types of illicit drugs.

There are plenty of permutations and different scary scenarios for this type of attack. And this exploit is not limited to Google, as a look at the source of SPI's proof-of-concept page shows. The same trick works against any search engine or Web form that places what the user typed into the page's URL, since that URL is what ends up in the browser history for a snooping site to test.
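The check described above, as an added example that is not SPI Dynamics' code: it builds the search-engine URL each watched term would have produced and asks a history oracle whether the browser has visited it. The engine URL templates, the function names, the watch list and the sample history are assumptions made for illustration. The `cssVisitedOracle` function shows the browser-side check of the period; the offline demo substitutes a constructed history set so it runs anywhere.

```javascript
// Added example, not SPI Dynamics' proof-of-concept: a search-history probe of
// the kind the article describes. The function names, the engine URL templates
// and the watch list are assumptions made for illustration.

// The probe cannot read what the visitor typed; it can only ask whether a
// specific URL is in the browser history. So it has to reconstruct, byte for
// byte, the URL the search engine would have produced for each term on its
// watch list. Any difference (case, spacing, a different engine) is a miss,
// which is why the demo page needs the term typed exactly as it was searched.

function formQuery(term) {
  // Browsers submit GET search forms as application/x-www-form-urlencoded:
  // spaces become "+" and other unsafe characters are percent-encoded.
  return encodeURIComponent(term).replace(/%20/g, "+");
}

// Assumed 2006-era result-page templates, one per engine (illustrative only).
const ENGINES = {
  google: (q) => `http://www.google.com/search?q=${formQuery(q)}`,
  yahoo: (q) => `http://search.yahoo.com/search?p=${formQuery(q)}`,
  msn: (q) => `http://search.msn.com/results.aspx?q=${formQuery(q)}`,
};

// One candidate URL per (term, engine) pair.
function candidateUrls(terms, engines = ENGINES) {
  const out = [];
  for (const term of terms) {
    for (const [engine, build] of Object.entries(engines)) {
      out.push({ engine, term, url: build(term) });
    }
  }
  return out;
}

// History oracle used in a browser of the period: render a link to the URL
// and read back the colour the :visited rule gave it. Assumes the page carries
// "a:visited { color: rgb(255, 0, 0) }". Browsers have blocked this readback
// since around 2010, so on a current browser it always reports "unvisited".
function cssVisitedOracle(url) {
  const a = document.createElement("a");
  a.href = url;
  document.body.appendChild(a);
  const visited = getComputedStyle(a).color === "rgb(255, 0, 0)";
  a.remove();
  return visited;
}

// Run the watch list through an oracle and return the terms that were found.
function probeSearchHistory(terms, isVisited, engines = ENGINES) {
  return candidateUrls(terms, engines)
    .filter((c) => isVisited(c.url))
    .map(({ engine, term }) => ({ engine, term }));
}

// Constructed stand-in for a victim's history so the probe runs offline: this
// "victim" searched Google for "fluffy bunny" and Yahoo for "bomb making".
const SAMPLE_HISTORY = new Set([
  "http://www.google.com/search?q=fluffy+bunny",
  "http://search.yahoo.com/search?p=bomb+making",
]);

// Watch list a snooping site might carry. "Fluffy Bunny" (capitalised) is a
// miss: its URL differs from the one in history, so the lookup fails.
const WATCHLIST = ["fluffy bunny", "bomb making", "porn", "Fluffy Bunny"];

function demo() {
  return probeSearchHistory(WATCHLIST, (url) => SAMPLE_HISTORY.has(url));
}

console.log(demo());
// → [ { engine: 'google', term: 'fluffy bunny' }, { engine: 'yahoo', term: 'bomb making' } ]
```

The exact-match requirement falls straight out of the design: the probe never sees the query, only a yes/no answer for a URL it guessed, and it pays one link per term per engine. In a browser, swap the `SAMPLE_HISTORY` lookup for `cssVisitedOracle`; note that Firefox 4 and Chrome 6 (2010) began hiding `:visited` styling from `getComputedStyle`, which is what killed this particular oracle.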

In my experience, turning JavaScript off in Internet Explorer tends to lead to kludgy results when browsing many sites, but I've come to love the NoScript extension for Firefox, which blocks all JavaScript by default and lets you decide which sites you trust to run it. Obviously, that extension is not a foolproof approach: even a site that you've marked safe for JavaScript in Firefox could turn around and later use the code to probe your search history (or worse), but it's better than nothing.

By Brian Krebs | September 30, 2006; 11:30 AM ET | Latest Warnings

Comments




NoScript definitely rocks. Every Firefox user should be using it, especially those using Windows. The benefit to security and to your peace of mind is profound. NoScript is available here:

https://addons.mozilla.org/firefox/722/

Note that you can (and I usually do) enable scripting on each site "temporarily". This helps prevent the latter scenario you describe where a site changes its behavior over time.

Also, be sure to check the "Forbid Java", "Forbid Macromedia Flash", and "Forbid other plugins" options in the Options dialog. You can then enable any given plugin by clicking on it.

You might think having to enable scripts on a given site or click on a plugin to start it would slow down your browsing. The truth is quite the opposite--when the browser doesn't have to automatically run scripts and (especially) download and execute Flash all the time, your browsing experience is in fact a lot peppier, and a lot of pages that contain superfluous flash items and banner ads come up far, far faster.

Posted by: antibozo | September 30, 2006 2:46 PM

On the more general subject of search history snooping, it should also be noted that many web servers typically log the URL of the referring page, and this often reveals search behavior. For example, suppose you go to Google and search for "fluffy bunny" and one of the results links to http://www.example.com/fluffybunny.html. If you click on that link in the results page, your browser will connect to www.example.com and send, in its request, the header "Referer: http://www.google.com/search?q=fluffy+bunny". On many web servers, this referer URL (yes, it should be referrer, but the misspelling is entrenched) will be logged in the web server access log. The administrator of www.example.com thus has a little piece of information about your search.

Usually nothing about referer URLs will identify you personally. But a large enough group of owners of popular sites could do the same sort of data mining exercise that was being tested in the AOL experiment to associate search behavior with individuals.

There are ways to disable referer URL transmission in your requests. The simple but tedious workaround is to copy the link location from the results page and then paste it into a new window or tab. Note that some sites use referer URLs as an ill-advised security measure. Some online comics sites, for example, examine referer URLs before serving comics images in an attempt to ensure that you're getting the comic from one of their own pages, rather than via a link on someone else's site.

Posted by: antibozo | September 30, 2006 3:11 PM
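The referer leak described in the comment above, as an added example that is neither the commenter's nor the post's code: a small miner that pulls search terms out of the Referer field of web-server access logs, to show what a site owner can recover. It assumes Apache's "combined" log format, assumes the query-parameter names for three engines, and runs on constructed log lines embedded below.

```javascript
// Added example (not from the post or its comments): extract search terms
// from the Referer field of access-log lines. The log lines are constructed;
// the field layout follows the Apache "combined" format, which records the
// Referer header. Engine hostnames and parameter names are assumptions.

// Which query-string parameter carries the search term on each engine.
const SEARCH_PARAMS = {
  "www.google.com": "q",
  "search.yahoo.com": "p",
  "search.msn.com": "q",
};

// Apache combined format:
//   host ident user [time] "request" status bytes "referer" "user-agent"
const COMBINED =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return {
    client: m[1],
    time: m[2],
    request: m[3],
    status: Number(m[4]),
    referer: m[6],
    agent: m[7],
  };
}

// Recover the search term from a referer URL, or null if it is not a known
// search engine result page. "-" is what Apache logs when no Referer was sent.
function searchTermFromReferer(referer) {
  if (!referer || referer === "-") return null;
  let u;
  try {
    u = new URL(referer);
  } catch (e) {
    return null;
  }
  const param = SEARCH_PARAMS[u.hostname];
  if (!param) return null;
  // URLSearchParams undoes form encoding: both "+" and "%20" become spaces.
  const term = u.searchParams.get(param);
  return term ? { engine: u.hostname, term } : null;
}

// Walk a log and list every request that arrived from a search result page.
function mineSearchTerms(logText) {
  const out = [];
  for (const line of logText.split("\n")) {
    const rec = parseLine(line);
    if (!rec) continue;
    const hit = searchTermFromReferer(rec.referer);
    if (hit) out.push({ client: rec.client, page: rec.request.split(" ")[1], ...hit });
  }
  return out;
}

// Constructed sample log: one Google referer, one direct visit, one Yahoo
// referer with mixed encoding, one referer from an ordinary web page.
const SAMPLE_LOG = [
  '192.0.2.10 - - [30/Sep/2006:14:02:11 -0400] "GET /fluffybunny.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=fluffy+bunny" "Mozilla/5.0"',
  '192.0.2.11 - - [30/Sep/2006:14:03:45 -0400] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  '192.0.2.12 - - [30/Sep/2006:14:05:02 -0400] "GET /bunny.png HTTP/1.1" 200 9001 "http://search.yahoo.com/search?p=rabbit%20care+tips" "Mozilla/5.0"',
  '192.0.2.13 - - [30/Sep/2006:14:06:30 -0400] "GET /index.html HTTP/1.1" 200 2048 "http://www.example.net/links.html" "Mozilla/5.0"',
].join("\n");

console.log(mineSearchTerms(SAMPLE_LOG));
// → two hits: "fluffy bunny" from www.google.com and "rabbit care tips" from search.yahoo.com
```

Each hit ties a client address to a search term and the page it led to, which is exactly the "little piece of information" the comment describes; pooled across many sites it becomes the AOL-style data set. The fix belongs on the sending side: a browser preference that suppresses the Referer header, or, today, a `Referrer-Policy: no-referrer` header on the search engine's own result pages, keeps the query from ever reaching the destination site's log.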

OK, I have scripting enabled in IE 6, and the SPI Dynamics page failed on all three of the recent queries I supplied it.

???

Jim H.

Posted by: Jim Horning | September 30, 2006 10:58 PM

Jim -- Did you type the search term in SPI's page EXACTLY as you typed it into your other search? Because if not, the exploit example will fail.

Posted by: Bk | October 1, 2006 1:13 AM
