Slashdot Mirror


Mining Browsing History With Google Cookie Data

mikejuk writes "Recent research reveals details on how Google's SID cookie can be used to discover what websites a user has visited. In principle, the cookie is a low security risk because it doesn't allow access to any data without authentication — thus it is sometimes transmitted in the clear and easy to intercept. With a little help from Google Search History and the 'Visited Pages' filter, researchers were able to list up to 80% of the pages visited by volunteer victims. Throw into the mix the 'social' filter and you can discover a lot more."


  1. Google by ge7 · · Score: 2

    It's good people are finally starting to see how abusive Google's practices are. Both intentional and unintentional, like this one. This should show that Google shouldn't even try to do datamining like this as it can be used maliciously. Either by a rogue Google employee or other people.

    1. Re:Google by jazman_777 · · Score: 2

      Google's slogan "Don't Be Evil" isn't the same as "Don't Do Evil".

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    2. Re:Google by MichaelKristopeit355 · · Score: 3, Insightful

      Google shouldn't even try to do datamining...

      i'm sure the web will just index itself.

    3. Re:Google by LordLimecat · · Score: 2

      Wait, so if a potential vulnerability in Google's cookie means they're abusive, does that mean that the attacks on AES256 (due to design flaws) mean the NIST is abusive and doesn't care about your privacy?

      Or is it possible that calling Google evil and malicious in this instance is incorrect and irrelevant to the real issues (such as what are the implications, how can we protect ourselves, and whether Google needs to take measures to better protect the cookies)?

    4. Re:Google by RoLi · · Score: 2

      Compared to Facebook, that's pretty harmless.

      The "Like" button reveals to facebook every website you visit:
      http://in-other-news.com/2011/What_Facebooks_Like_buttons_reveal

      And facebook even tries to ban workarounds that prevent their buttons from sending data without being clicked:
      http://www.heise.de/newsticker/meldung/Facebook-beschwert-sich-ueber-datenschutzfreundlichen-2-Klick-Button-2-Update-1335658.html

  2. Interesting by Mensa+Babe · · Score: 2

    While leaking browsing history is nothing new in principle, this time it is the service that you trust with your history that is actively broadcasting your browsing habits in the form of a cookie. It should be at least marked as Secure and used only in encrypted connections. I wonder why Google is using an HTTP cookie to store information that could be stored in many ways that seem much better suited for that - from the database backend to HTML5 web storage. Does anyone know why Google used an HTTP cookie for that? Is it more reliable or more efficient than the web storage or a database?

    --
    Karma: Positive (probably because of superiour intellect)
    1. Re:Interesting by vux984 · · Score: 2

      from the database backend

      Because the HTTP cookie is completely trivial to set up and completely free too, whereas the database backend would need, well... a database back end. Which is neither trivial nor free, even for Google.

      to HTML5 web storage

      How many people are still not using HTML5 browsers?

    2. Re:Interesting by Dahamma · · Score: 3, Insightful

      The SID is just Google's "session ID", it doesn't contain browsing data itself. They were just hijacking the session id and using it in Google searches, then looking at the results to try to determine a user's search history based on what Google sent back.

      Stealing someone's session cookie and then using it to get information about the victim? This is *definitely* nothing new, and I'm sure there are tons of other sites vulnerable to the same attack...

    3. Re:Interesting by AmiMoJo · · Score: 2

      Another reason why HTTPS should always be enabled. Pity that seems to have been missed in TFA.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Interesting by jc42 · · Score: 2

      How many people are still not using HTML5 browsers?

      Or, for that matter, how many people even have a browser that doesn't understand HTML5?

      A few months ago, while testing some HTML5 stuff (canvases, etc.), I got curious about how many browsers I could find that did/didn't handle it. I have an even dozen browsers on my Macbook, half a dozen on my two linux boxes (and wonder where I can find more), several on a FreeBSD box that I have an account on, two on my G1 phone (the builtin Browser and Opera Mini), plus the browser on my wife's iPhone. I tested my HTML5 against all of them, and they all handled it without problems.

      So I don't have any non-HTML5 browsers in this collection. I didn't consciously choose to do this. So I wonder how many non-HTML5 browsers are actually available.

      Actually, my wife has an iMac with a Windows (NT) VM installed, and it has IE6. I should try it; I'm guessing that it doesn't handle HTML5. But I could be wrong again; it might understand HTML5 but intentionally render parts of it incorrectly.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
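
The point raised in the thread above, that a session cookie such as SID should carry the Secure attribute so it never travels over plain HTTP, can be checked from the defender's side. The following is an added example, not part of any poster's comment or of Google's code; the header values, the `example.com` domain and the `SESSION_NAMES` set are constructed assumptions.

```python
# Added example: audit Set-Cookie headers for session cookies that a browser
# would also send over plain HTTP. Header values below are constructed samples.

SESSION_NAMES = {"SID"}  # assumption: cookie names treated as session identifiers


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit(headers, session_names=SESSION_NAMES):
    """Return (cookie_name, problem) pairs for session cookies lacking protection."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue  # preference cookies etc. are out of scope here
        if "secure" not in attrs:
            findings.append((name, "no Secure attribute: sent over plain HTTP"))
        if "httponly" not in attrs:
            findings.append((name, "no HttpOnly attribute: readable by page scripts"))
    return findings


# Constructed sample responses, not captured traffic.
WEAK = ["SID=constructed-session-id; Domain=.example.com; Path=/",
        "PREF=lang=en; Domain=.example.com; Path=/"]
HARDENED = ["SID=constructed-session-id; Domain=.example.com; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sample) or "ok")
```
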
  3. Really? by Kamiza+Ikioi · · Score: 2

    Cookies are now abusive? Google has been leading the way in terms of always on HTTPS, a browser that includes an easy to use incognito mode ahead of other major browsers, and clear and easy ways to view your history (which is default off, IIRC), clear it, retrieve all your Google saved data such as pics, etc.

    Their really intrusive services, like Latitude, are completely optional and even when turned on are always defaulted to safe settings. Even their picture search is default to avoid pornography for worried parents.

    Compare this to just about any other leading tech company like Facebook or Microsoft. And statements like "Google shouldn't even try to do datamining like this as it can be used maliciously" shows a lack of understanding about what Google's business is, and tech in general.

    Everything we use can be theoretically used maliciously, such as BitTorrent (pirating), Instant Messaging/Chat (pedophiles), Social Networking (rioting), etc.

    --
    I8-D
    1. Re:Really? by jc42 · · Score: 2

      Everything we use can be theoretically used maliciously, such as BitTorrent (pirating), Instant Messaging/Chat (pedophiles), Social Networking (rioting), etc.

      This isn't just theoretical. Not long ago, I was among a crowd of probably several hundred people who got Facebook and Twitter messages alerting us to a gathering at a local square that's a transport and commercial hub (Davis Square in Somerville, Massachusetts). At least several dozen of us grabbed our tools and descended on the square at the appointed time, and organized an unscheduled contra dance out in the open. I took along my accordion, if you can imagine! The "cell" member that sent me the message showed up with her fiddle. Another fellow even brought a string bass. Some passers-by gave us strange, puzzled, or disapproving looks. Others joined in.

      This is the sort of thing that our citizenry can be enticed into by this newfangled Social Networking and Instant Messaging stuff. I can easily believe all the other sorts of social things that it's leading to.

      So I'd say that it's good that we're warning readers about the consequences of such communication technologies. And participants should be aware that the central message passing sites on the Internet almost certainly have a record of events such as this one, though they may not (yet) know exactly which of the message recipients actually participated. But the fact that we're on the organizers' lists tells organizations like Facebook and Twitter that we're associated with such activities.

      I do wonder whether they know I have an accordion (and I know how to use it). I should probably assume that they do know this.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  4. Re:Compare what? by LordLimecat · · Score: 3, Interesting

    Yes, they totally crack down on open source and lead the way with EEE....

    Except for when they're hosting FOSS projects on Google Code.

    And contributing massive amounts to them (HTML5 standards, WebM, Chromium, Android, Wave {which was a completely open protocol}).

    And donating massive amounts of money to Mozilla foundation.

    But other than that, yea, linux geeks unite against the monster that is Google.

  5. Re:Compare what? by ge7 · · Score: 2

    And donating massive amounts of money to Mozilla foundation.

    Wait, what? They aren't donating anything. They're paying Mozilla to include Google as the default search in Firefox and paying commissions on ad clicks made from said search box. Donations.. sheesh Google really has made nerds completely blind to truth.

  6. Comparing Google to Microsoft by walterbyrd · · Score: 2

    Is like comparing a jay-walker to a serial killer.

    MS is every bit as bad, if not worse, than Google when it comes to privacy issues. But what about massive patent trolling? I don't see Google doing that. What about outright lying to the US DoJ in videotaped testimony? What about the letters from dead people campaign? What about financing the scox-scam? What about bribing officials, not to mention many other irregularities, in the OOXML ISO scandal? What about faking the results of supposedly independent product comparisons? What about owning "think tanks" that create favorable reports about your company's point of view?

  7. Re:Compare what? by CharlyFoxtrot · · Score: 2

    And contributing massive amounts to them (HTML5 standards, WebM, Chromium, Android, Wave {which was a completely open protocol}).

    HTML5: created by the WHATWG. "WHATWG was founded by individuals from Apple, the Mozilla Foundation and Opera Software in 2004"

    Chromium: built on Webkit, created by Apple from the original khtml base.

    --
    If all else fails, immortality can always be assured by spectacular error.