Google Web History vulnerable to hack

John E. Dunn
13 September, 2011

Two researchers have shown how a modded version of the Firesheep Wi-Fi sniffing tool can be used to access most of a victim’s Google Web History, a record of everything an individual has searched for.

The core weakness discovered by the proof-of-concept attack devised by Vincent Toubiana and Vincent Verdot lies with what is called a Session ID (SID) cookie, used to identify a user to each service they access while logged in to one of Google’s services.

Every time the user accesses an application, the same SID cookie is sent in the clear, and Firesheep captures it from the data sent to and from a PC connected to a non-encrypted public Wi-Fi hotspot.

Because many of Google’s services use HTTPS (Gmail for instance), the attacker has to find a way to get the user to resend this SID. The most direct method is to set up a rogue access point and then use an iFrame to direct the user to a Google service (such as Alerts) that doesn’t use an encrypted channel.
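The exposure described above can be checked from the defender's side. The following is an added example, not part of the original article or the researchers' work: it takes a set of `Set-Cookie` headers and a list of service URLs and reports which cookies a browser would attach to plaintext HTTP requests. The `example.test` hosts, the cookie values and the `SID_S` and `PREF` names are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie value into the fields that decide exposure."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for p in rest:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {
        "name": first.split("=", 1)[0],
        "domain": domain or origin_host.lower(),
        "host_only": not domain,  # no Domain attribute: sent to the setting host only
        "secure": "secure" in attrs,
    }

def is_sent(cookie, url):
    """True if a browser would attach the cookie to a request for url (Path ignored)."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie["host_only"]:
        match = host == cookie["domain"]
    else:
        match = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    return match and (u.scheme == "https" or not cookie["secure"])

def cleartext_exposures(set_cookie_headers, origin_host, service_urls):
    """List (cookie name, url) pairs where the cookie crosses the network unencrypted."""
    found = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header, origin_host)
        for url in service_urls:
            if urlsplit(url).scheme == "http" and is_sent(c, url):
                found.append((c["name"], url))
    return found

# Constructed sample data: example.test stands in for a multi-service site.
HEADERS = [
    "SID=constructed-value; Domain=.example.test; Path=/",
    "SID_S=constructed-value; Domain=.example.test; Path=/; Secure; HttpOnly",
    "PREF=constructed-value; Path=/",
]
SERVICES = [
    "https://mail.example.test/inbox",
    "http://alerts.example.test/manage",
    "http://accounts.example.test/",
]

if __name__ == "__main__":
    for name, url in cleartext_exposures(HEADERS, "accounts.example.test", SERVICES):
        print(f"{name} sent in the clear to {url}")
```

The domain-wide cookie without `Secure` is reported for every HTTP service even though the mail service is HTTPS-only, while the `Secure` variant is never reported.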

The attack also requires that the user has Google Web History tracking turned on. This is the system that keeps tabs on a user’s search history, and many people are not even aware it exists because it is turned on during Google’s account setup procedure.

Testing the technique against 10 volunteers, the researchers were able to retrieve up to 82 percent of the links visited by them during the test period.

The only current defence against this attack is for users to remain signed out of Google while using a Wi-Fi hotspot or to set up a personal VPN. Users could also disable Google Web History or purge its contents.

However, Toubiana and Verdot also note that “some issues cannot be addressed by users and require a modification of Google’s cookie policy.” The major worry remains the expansion of Google’s tracking to other types of data in its Google+ service. “As Google is taking steps to include social indicators in result personalisation, user’s social network could soon be exposed.”

Firesheep is a browser-based plug-in published a year ago by security developer Eric Butler to highlight security vulnerabilities in the way cookies for sites such as Facebook and Twitter were being exchanged across open Wi-Fi links without HTTPS turned on. Although not a new issue, Firesheep showed how easy it was to turn the flaw into a simple tool that could be used by any attacker.

One Comment


  1. Shellie says:

    I work at a counseling center for at-risk abuse survivors who use donated iPads to journal their interactions and experiences with their partners. Many of these partners continue to be a current source of abusive behaviors. These women face a very real danger should their partner see what has been typed into the search box. The frightening reality is that the iPad’s Google app retains all that has ever been typed into that box, and regurgitates it as part of its alphabetical instant search feature within the first one to two letters typed into its search box thereafter! I was hoping that the glaring privacy issue of the iPad’s inability and the Google app’s unwillingness to permanently clear past search history from its instant search results would be addressed. Despite utilizing “clear history” when results drop down in the menu, and despite clearing cookies and cache, etc., from Google and Safari in the iPad settings icon, plus despite clearing bookmarks in the Safari app, finally despite meticulously following the instructions from the iPad help, this serious security breach remains. In fact, iPad help instructs to use the settings touch button (the sprocket icon located on a pull down screen located above the search box) to open the Google app menu. Within it is supposedly a button saying “save recent searches”. When clicked it supposedly offers a yes and no choice. If no is chosen, then supposedly all searches are cleared and all future searches not saved. Disturbingly, this button is absent from the menu! It does not exist. Which presupposes that when iPad help was developed, it was assumed that such a button would be included in the menu feature when, it turns out, it was not.
