Searching session cookies and click-streams

In our paper on Google’s session cookie information leakage, Vincent Verdot and I described how to captures SID cookies on a shared network and run the attack with Firesheep (see the previous post).

Nevertheless, there are other ways to capture such cookies. For instance one could use malware to capture search traffic, but the simplest solution remains to search SID cookies.

Redirecting traffic

Using a malware to redirect the traffic of infected computers through a proxy controlled by the attack would allow to capture session cookies. Such infection has recently been detected by Google which displayed a banner on its search page [1]. In that particular case, Google traffic redirection was merely a side effect which triggered the malware detection.

According to Google, a couple of millions of computers [1] were infected by this malware. Attackers could have captured a significant number of session cookies and run attacks described in our paper.

Googling for cookies

The simpler solution to find SID cookies is to search them. Typing the right query in Google provides a list of pages where people published captured HTTP traffic, including SID cookies (also works with Yahoo!).

If you replace your SID cookie by one of the cookies listed in these pages, you will receive the same personalized results than its owner. From these results you can quickly extract a list of visited results, Gmail contacts and Google+ acquaintances.

Not all these results contain full SID cookies and some of the listed SID cookies may have already expired, but this simple search should already provide many valid cookies to test the flaw. I’ve written a Chrome extension to simply replace the SID cookie for the “google.com” domain and quickly test different accounts. Once installed, click on the red button in the upper right corner, past the cookie value and click save.
On Firefox you could use the Web Developer extension to edit cookies (it does not seem to work on Firefox 5.0).

Linking data and PI

By publishing their (apparently innocuous) cookies users indirectly published part of their click-stream and associated it to their email address. Thus they established a public record of having visited these URLs [2], and this record is now linked to their name. From there, their full anonymized click-stream — not reduced to visited search results — could be de-anonymized by a tracking ad-network.

References

[1] Damian Menscher, “Using data to protect people from malware”, http://googleonlinesecurity.blogspot.com/2011/07/using-data-to-protect-people-from.html
[2] Arvind Narayanan, “There is no such thing as anonymous online tracking”, http://cyberlaw.stanford.edu/node/6701


Introducing Unsearch

Unsearch Capture Screen

My first post introduces ‘Unsearch’, the extension that gave its name to this blog. Unsearch is an extension for the Google Chrome browser that allows to search on Google without leaving traces on Google Search logs or on Google Web Search History. Normally, your searches on Google are recorded and logged with your IP address and cookies. While one can manage his web search history through this interface, it is not possible to manage Google search logs.

Motivations

Analyzing Google Log retention policies we found out that, even after anonymization, some pieces of information in Google search logs might lead to user identification ( for further information, see our paper). When you use Unsearch all pieces of information are deleted from Google servers within 15 days.

Also, one may not want to have all his searches recorded in his web search history. While it is possible to log out or to delete entries from Google Web Search History, I prefer to have the possibility to do ‘off the record’ searches directly on the search page. Especially now that the ‘Log-out’ button is one additional click away and that we have only three seconds before the search is recorded.

Paradoxically, with the new navigation bar, I find it more difficult to notice when I’m not logged into my account. Putting the risk of pseudonym usurpation aside, the account information is – in my opinion – less visible. That’s problematic because I can not remove searches that I did from someone else account.

How it works

When you type keywords in Google Search bar, you get Google Instant results but your query won’t be logged unless you click on the page or remain inactive for three seconds (moredetails).

When you click on Unsearch, it removes the keywords you typed in the search box (so they will not be recorded), but before that, it copies the Google Instant result and pasts it in another tab where your interactions are not monitored: you can browse the results without Google noticing (redirects are removed).

Because you never clicked on ‘Search’, Google won’t log your query and it won’t appear in your web search history either. And since you’re logged into your Google account, you’ll still get personalized search results. This approach is somehow complementary to TrackMeNot which lets user shape their search profile without issuing queries.

Shortcomings

Because Unsearch is based on Google Instant, this feature must be turned on for Unsearch to work. Furthermore, you have to click on Unsearch within three seconds or Google will log the query as a normal search. I tried to find a fix (like adding and removing space in the search bar) but I’m looking for a good solution.

In fact, the main drawback is that Unsearch takes advantage of Google Instant log retention policy. Should this policy change, Unsearch would no longer prevent Google from logging searches. Such change is very unlikely as Google never extended its log retention period or made its ‘anonymizing’ process less effective.

Furthermore, even if this policy is changed, countermeasures exist to prevent Google from logging most of the queries in their entirety (see some possible solution in Unsearch Presentation (.ppt) ).