Slashdot Mirror


Mining Browsing History With Google Cookie Data

mikejuk writes "Recent research reveals details on how Google's SID cookie can be used to discover what websites a user has visited. In principle, the cookie is a low security risk because it doesn't allow access to any data without authentication — thus it is sometimes transmitted in the clear and easy to intercept. With a little help from Google Search History and the 'Visited Pages' filter, researchers were able to list up to 80% of the pages visited by volunteer victims. Throw into the mix the 'social' filter and you can discover a lot more."

40 comments

  1. Google by ge7 · · Score: 2

    It's good people are finally starting to see how abusive Google's practices are. Both intentional and unintentional, like this one. This should show that Google shouldn't even try to do datamining like this as it can be used maliciously. Either by a rogue Google employee or other people.

    1. Re:Google by jazman_777 · · Score: 2

      Google's slogan "Don't Be Evil" isn't the same as "Don't Do Evil".

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    2. Re:Google by MichaelKristopeit355 · · Score: 3, Insightful

      Google shouldn't even try to do datamining...

      i'm sure the web will just index itself.

    3. Re:Google by Anonymous Coward · · Score: 1

      BS. TFA assumes that HTTPS isn't enforced on *.google.com. So they do a MITM attack by masquerading as Google.com. Consider yourself lucky if the worst that happens is history retrieval. !news

    4. Re:Google by LordLimecat · · Score: 2

      Wait, so if a potential vulnerability in Google's cookie means they're abusive, does that mean that the attacks on AES256 (due to design flaws) mean the NIST is abusive and doesn't care about your privacy?

      Or is it possible that calling google evil and malicious in this instance is incorrect and irrelevant to the real issues (such as what are the implications, how can we protect ourselves, and whether Google needs to take measures to better protect the cookies)?

    5. Re:Google by RoLi · · Score: 2

      Compared to Facebook, that's pretty harmless.

      The "Like" button reveals to facebook every website you visit:
      http://in-other-news.com/2011/What_Facebooks_Like_buttons_reveal

      And facebook even tries to ban workarounds that prevent their buttons from sending data without being clicked:
      http://www.heise.de/newsticker/meldung/Facebook-beschwert-sich-ueber-datenschutzfreundlichen-2-Klick-Button-2-Update-1335658.html

    6. Re:Google by Anonymous Coward · · Score: 0

      It's abusive because Google is putting users at risk by storing that data.

      Browsing history storage and behavioral metrics are inherently abusive except where subject to opt-in with truly informed consent.

    7. Re:Google by Lunaritian · · Score: 1

      I wanted to use Facebook without Facebook knowing what other sites I visit, and the solution is quite simple. I use Chromium for Facebook only, and for other surfing I use Firefox with NoScript which I've set to block anything Facebook-related.

  2. Interesting by Mensa+Babe · · Score: 2

    While leaking browsing history is nothing new in principle, this time it is the service whom you trust with your history that is actively broadcasting your browsing habits in the form of a cookie. It should be at least marked as Secure and used only in encrypted connections. I wonder why Google is using an HTTP cookie to store information that could be stored in many ways that seem much better suited for that - from the database backend to HTML5 web storage. Does anyone know why Google used an HTTP cookie for that? Is it more reliable or more efficient than the web storage or a database?

    --
    Karma: Positive (probably because of superiour intellect)
    1. Re:Interesting by vux984 · · Score: 2

      from the database backend

      Because the http cookie is completely trivial to set up and completely free too, whereas the database backend would need well.. a database back end. Which is neither trivial nor free, even for google.

      to HTML5 web storage

      How many people are still not using HTML5 browsers?

    2. Re:Interesting by Dahamma · · Score: 3, Insightful

      The SID is just Google's "session ID", it doesn't contain browsing data itself. They were just hijacking the session id and using it in Google searches, then looking at the results to try to determine a user's search history based on what Google sent back.

      Stealing someone's session cookie and then using it to get information about the victim? This is *definitely* nothing new, and I'm sure there are tons of other sites vulnerable to the same attack...

    3. Re:Interesting by AmiMoJo · · Score: 2

      Another reason why HTTPS should always be enabled. Pity that seems to have been missed in TFA.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Interesting by jc42 · · Score: 2

      How many people are still not using HTML5 browsers?

      Or, for that matter, how many people even have a browser that doesn't understand HTML5?

      A few months ago, while testing some HTML5 stuff (canvases, etc.), I got curious about how many browsers I could find that did/didn't handle it. I have an even dozen browsers on my Macbook, half a dozen on my two linux boxes (and wonder where I can find more), several on a FreeBSD box that I have an account on, two on my G1 phone (the builtin Browser and Opera Mini), plus the browser on my wife's iPhone. I tested my HTML5 against all of them, and they all handled it without problems.

      So I don't have any non-HTML5 browsers in this collection. I didn't consciously choose to do this. So I wonder how many non-HTML5 browsers are actually available.

      Actually, my wife has an iMac with a Windows (NT) VM installed, and it has IE6. I should try it; I'm guessing that it doesn't handle HTML5. But I could be wrong again; it might understand HTML5 but intentionally render parts of it incorrectly.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  3. WTF I don't even by Anonymous Coward · · Score: 0

    So is there any easy way to delete Google's SID cookie every couple seconds or so?

    1. Re:WTF I don't even by Anonymous Coward · · Score: 1

      You can set *.google.com to always use SSL using noscript. https-anywhere/everywhere/whatever they call it probably won't redirect literally everything, since some google services will break if forced to use SSL (no iGoogle). I actually use privoxy with a rule like this:

      { +redirect{s@http://@https://@i} }
      .google.com

      Then for services that break, I allow http, but without cookies:

      { -redirect +crunch-all-cookies }
      cache.pack.google.com/edgedl/chrome
      www.google.com/chrome

      It takes some work, and doesn't work perfectly, but I'm pretty sure I haven't sent a cookie to google in the clear in at least a year.

      With privoxy and iptables transparently injecting all network requests into it, you can even force everybody on your network to be fed http 302 redirects to the https version locally. Of course if these redirects happen on insecure wifi, it won't prevent this attack on that level, but would for a snooping ISP. Nothing is perfect, and I run privoxy on my local machine anyway. Just throwing things out there, and hoping someone might subscribe to my newsletter.
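
Added example, not part of the original comment or of any project's code: a small Python check of what this setup and the Secure-flag suggestion earlier in the thread are both after, namely which cookies a browser would attach to a plain-HTTP request. The example.test host, the AUTH and PREF cookie names and all values are constructed, and path matching is simplified to a prefix test.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie headers for a fictional site; SID mirrors the cookie
# name discussed in the thread, the other names and all values are made up.
SAMPLE_SET_COOKIE = [
    "SID=constructed-session-id; Domain=.example.test; Path=/",
    "AUTH=constructed-auth-token; Domain=.example.test; Path=/; Secure; HttpOnly",
    "PREF=constructed-prefs; Path=/settings",
]


def parse_set_cookie(header, origin_host):
    """Parse one Set-Cookie value into the fields that decide when it is sent."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return {
        "name": name,
        # No Domain attribute means a host-only cookie bound to the origin.
        "domain": domain or origin_host.lower(),
        "host_only": not domain,
        "path": attrs.get("path") or "/",
        "secure": "secure" in attrs,
    }


def sent_with(cookie, url):
    """True if a browser would attach this cookie to a request for url."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    suffix_ok = not cookie["host_only"] and host.endswith("." + cookie["domain"])
    domain_ok = host == cookie["domain"] or suffix_ok
    # Simplified path match (prefix only); the Secure flag gates the scheme.
    path_ok = (target.path or "/").startswith(cookie["path"])
    scheme_ok = target.scheme == "https" or not cookie["secure"]
    return domain_ok and path_ok and scheme_ok


def cleartext_exposed(headers, origin_host, url):
    """Names of cookies that would cross the network unencrypted for url."""
    if urlsplit(url).scheme != "http":
        return []
    cookies = [parse_set_cookie(h, origin_host) for h in headers]
    return [c["name"] for c in cookies if sent_with(c, url)]
```

Only the cookie carrying the Secure attribute stays off the wire for http:// URLs; a domain-wide cookie without it is exposed on every subdomain.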

  4. A bit misleading... by Anonymous Coward · · Score: 0

    According to TFA, this only shows sites that were clicked through in search results. While obviously it's still not an optimal experience, it's much better than leaking information on, say, any site you've visited that uses Analytics.

  5. Firefox will dispose of all cookies on close by sl4shd0rk · · Score: 1

    Under privacy settings
        Keep Until: I close Firefox

    Or does this not get rid of the google cookie?

    --
    Join the Slashcott! Feb 10 thru Feb 17!
    1. Re:Firefox will dispose of all cookies on close by Frosty+Piss · · Score: 1

      Keep Until: I close Firefox

      Sorry, it's way too much to ask people to take even the smallest responsibility for their own privacy.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Firefox will dispose of all cookies on close by Anonymous Coward · · Score: 0

      What if I log into Google, do a search, and then click on one of the results, which happens to be on a data-miner's page? You know, because I *want* the color-coding for my history.

    3. Re:Firefox will dispose of all cookies on close by Anonymous Coward · · Score: 0

      You mean I get to log in again and again and again and again...

    4. Re:Firefox will dispose of all cookies on close by edxwelch · · Score: 1

      Have you specifically enabled google history? If not then there is nothing to leak.

    5. Re:Firefox will dispose of all cookies on close by Anonymous Coward · · Score: 0

      If you check "remember passwords", logging in again is a 2 second activity.

    6. Re:Firefox will dispose of all cookies on close by jenningsthecat · · Score: 1

      Have you specifically enabled google history? If not then there is nothing to leak.

      People like you who have Google accounts tend to forget about those of us who choose NOT to have anything to do with Google beyond using their search engine. Because I don't subscribe to Gmail or any other Google services, I have to turn search history off regularly - I still haven't figured out when and how Google decides to silently 'opt me back in' to this odious 'feature', and there's no indication that it's turned on, so if I forget to check, then my history is being logged and my search results are geographically skewed. And don't forget that even if you have a Google account, failing to log into it means that web history is automatically enabled by default and must be turned off manually if you don't want it.

      Google is like Bell - I hate it, but there's not much choice but to either use it or choose some equally evil alternative.

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  6. Really? by Kamiza+Ikioi · · Score: 2

    Cookies are now abusive? Google has been leading the way in terms of always on HTTPS, a browser that includes an easy to use incognito mode ahead of other major browsers, and clear and easy ways to view your history (which is default off, iirc), clear it, retrieve all your Google saved data such as pics, etc.

    Their really intrusive services, like Latitude are completely optional and even when turned on are always defaulted to safe settings. Even their picture search is default to avoid pornography for worried parents.

    Compare this to just about any other leading tech company like Facebook or Microsoft. And statements like "Google shouldn't even try to do datamining like this as it can be used maliciously" shows a lack of understanding about what Google's business is, and tech in general.

    Everything we use can be theoretically used maliciously, such as BitTorrent (pirating), Instant Messaging/Chat (pedophiles), Social Networking (rioting), etc.

    --
    I8-D
    1. Re:Really? by jc42 · · Score: 2

      Everything we use can be theoretically used maliciously, such as BitTorrent (pirating), Instant Messaging/Chat (pedophiles), Social Networking (rioting), etc.

      This isn't just theoretical. Not long ago, I was among a crowd of probably several hundred people who got Facebook and Twitter messages alerting us to a gathering at a local square that's a transport and commercial hub (Davis Square in Somerville, Massachusetts). At least several dozen of us grabbed our tools and descended on the square at the appointed time, and organized an unscheduled contra dance out in the open. I took along my accordion, if you can imagine! The "cell" member that sent me the message showed up with her fiddle. Another fellow even brought a string bass. Some passers-by gave us strange, puzzled, or disapproving looks. Others joined in.

      This is the sort of thing that our citizenry can be enticed into by this newfangled Social Networking and Instant Messaging stuff. I can easily believe all the other sorts of social things that it's leading to.

      So I'd say that it's good that we're warning readers about the consequences of such communication technologies. And participants should be aware that the central message passing sites on the Internet almost certainly have a record of events such as this one, though they may not (yet) know exactly which of the message recipients actually participated. But the fact that we're on the organizers lists tells organizations like Facebook and Twitter that we're associated with such activities.

      I do wonder whether they know I have an accordion (and I know how to use it). I should probably assume that they do know this.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  7. Compare what? by Anonymous Coward · · Score: 1

    Compare this to just about any other leading tech company like Facebook or Microsoft.

    I often do, which is why I continue to try to talk sense into deranged dorks who insist Google can do no wrong.

    They're doing the same things that all the 'evil' companies out there do, you nerds.

    1. Re:Compare what? by LordLimecat · · Score: 3, Interesting

      Yes, they totally crack down on opensource and lead the way with EEE....

      Except for when they're hosting FOSS projects on google code.

      And contributing massive amounts to them (HTML5 standards, WebM, Chromium, Android, Wave {which was a completely open protocol}).

      And donating massive amounts of money to Mozilla foundation.

      But other than that, yea, linux geeks unite against the monster that is Google.

    2. Re:Compare what? by ge7 · · Score: 2

      And donating massive amounts of money to Mozilla foundation.

      Wait, what? They aren't donating anything. They're paying Mozilla to include Google as the default search in Firefox and paying commissions on ad clicks made from said search box. Donations.. sheesh Google really has made nerds completely blind to truth.

    3. Re:Compare what? by CharlyFoxtrot · · Score: 2

      And contributing massive amounts to them (HTML5 standards, WebM, Chromium, Android, Wave {which was a completely open protocol}).

      HTML5: created by the WHATWG. "WHATWG was founded by individuals from Apple, the Mozilla Foundation and Opera Software in 2004"

      Chromium: built on Webkit, created by Apple from the original khtml base.

      --
      If all else fails, immortality can always be assured by spectacular error.
    4. Re:Compare what? by LordLimecat · · Score: 1

      Webkit-- built on a compiled language built by someone else entirely.

      What is your point?

    5. Re:Compare what? by Anonymous Coward · · Score: 0

      Did you actually read the rest of that paragraph in the HTML5 wikipedia article?

  8. Visual DNA by mikael · · Score: 1

    Has anyone heard of Visual DNA?

    I was visiting a website, clicked on a sub-link and the browser timed out. Instead I got a Java-Script link to a Visual-DNA script. Looked at the website, and it looked like one of those freaky advertising agencies that tracks everything:

    Visual DNA

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  9. BEvil Cookies? by BoRegardless · · Score: 1

    Comes to mind.

  10. Does google know it's *You* ? by Anonymous Coward · · Score: 1

    Or does google just know that somebody left x website and went to y website?

    To me, there is very big difference.

  11. Comparing Google to Microsoft by walterbyrd · · Score: 2

    Is like comparing a jay-walker to a serial killer.

    MS is every bit as bad, if not worse, than google when it comes to privacy issues. But what about massive patent trolling? I don't see google doing that. What about outright lying to the US DoJ in video taped testimony? What about the letters from dead people campaign? What about financing the scox-scam? What about bribing officials, not to mention many other irregularities, in the OOXML ISO scandal? What about faking the results of supposedly independent product comparisons? What about owning "think tanks" that create favorable reports about your company's point of view?

  12. Re:Paranoia sometimes pays by Anonymous Coward · · Score: 0

    One of the first "features" that I disabled from my Google account was Web-Search History.

    I've never been more satisfied with that decision than I am now.

    One of the first "features" that I disabled from my Google account was logging into it in the first place. Works like a charm.