Show me your Cookie and I’ll tell you what you visited

Web Search History Information Leakage

Back in February, I re-discovered a small flaw in Google Search: result personalization leaks the list of results you clicked on. This leak was already known and mentioned in a paper by Castelluccia et al., but several features added by Google made it critical.

  • First there is the possibility (for web search history users) to only view result that have already been visited (visit http://www.google.com/webhp?tbs=whv:1).
  • Second,  with Google Instant it is possible to view visited links quickly without living a trace in the victim Web Search history (the attack is not-destructive).
  • Third, when Google display previously visited search results, it used to provide the query that led to the results searching when he clicked on the result, thus the attacker knew which keywords the victim was usually searching for and could have enter these keywords in a search box to get new results which will suggest new keywords to type and so forth and so on…

The third point has been addressed by Google very recently, when they introduced the new interface with the black top bar.
Vincent Verdot and I wrote a paper about this flaw. In order to conduct an experiment, we’ve been working on a proof of concept and an evaluation tool that we used to gather results.

Proof of concept based on Firesheep

This proof of concept is based on Firesheep (I just added a module and modify the attack launched when a SID cookie was captured). Firesheep is only working with the latest version of Firefox 3.6, do not expect to run it on Firefox 5.
With our version of Firesheep, when a Google SID cookie is captured, the account name appears in the Firesheep sidebar. Double clicking on it starts the attack; double clicking again displays the retrieved list of visited links.

The Evaluation tool

We also designed a Firefox extension which downloads your web search history on your computer, issue a couple of search queries (mostly searching for extensions like: « .com, .fr, .us, .html, www, … ») and see how many clicked links can be retrieved.
We’ve run this experiment with a dozen of account and sent the result to Google. We’ll soon publish the paper as a technical report.

How to protect your Click History

We’ve been in contact with Google Security Team who is working on a fix that should soon be deployed. In the meantime, make sure you’re not logged in your Google account when you’re connected on an unsecured network.
If you do not use Web Search History you may also purge it and disable the feature (visit https://www.google.com/history).
Also, TrackMeNot and Unsearch will reduce the exposition of your click history.

 

Running the Test

If you want to run the test 5 minutes:

  • A Google Account with Web Search History enabled. To check that you activated it, visit https://www.google.com/history; if it asks you to turn on the feature, then you cannot help here. Thanks anyway for trying.
  • Install this Firefox extension (https://unsearcher.org/Test%20Flaw/ad@monitor.xpi), download it and then drag it and drop it in Firefox. Once the extension has been installed, you should restart Firefox.
  • Modify your Google Search preferences (http://www.google.com/preferences?hl=en) to disable “Google Instant” and set the number of returned result to 100 (instead of 10).
  • Sign out and Sign in again on Google.com.
  • In Firefox, click on “Tools-> ADMONITOR-> History”. A first message should appear to inform you that the extension is about to extract your search History. Click on OK and do not close the Firefox window.
  • After five minutes, another message will be prompted to inform you that the test is finished. It’ll tell you where you can find the generated file. A Firefox window should have open (not necessarily taking the focus). You can send me the content of this window via e-mail and we’ll integrate it in our experiment results.
  • You can remove the generated files and uninstall the sid@testextension.

Thanks for helping us.

A follow up on Google Policies

Last year, I started to analyze Google Search and Google Suggest logs retention policies for the NYU Privacy Research Group meetings. To complete this analysis, I’m trying to review policies of other Google services.

‘Personal Information’ vs ‘Information we collect’

While I just started this review, I noticed that Google seems to change the name of the section describing the recorded information. This section is either called:

  • “Personal Information” for +1, Blogger, Buzz, Notebook, Groups, Knol, Moderator, Music, Orkut, Picasa, Power Meter, SafeBrowsing , Sites, Voice, Web History and YouTube
  • “Information we collect” for Advisor, Checkout, Desktop, Gears, TV, Location, Mobile, Toolbar, Trader, Web Accelerator.

My first understanding was that for services that require a Google Account to be used, Google uses the terms “Personal information” otherwise it uses “Information we collect”. But there are several exceptions. For instance, SafeBrowsing does not require an account to be used but Google TV does.

In addition, explicit references to server logs are made in these Personal Information sections while Google does not consider server logs as Personal Information (see their FAQ).

The Knol bridge

A loophole in Knol Privacy Policy allows Google to link your IP address and cookies to your user account. Knol (for Knowledge) is Google’s alternative to wikipedia. You need to have a Google account to contribute to Knol and — like most for Privacy Policy of Google services — Google mentions that it :

‘records information [your] account activity (e.g., storage usage, number of log-ins, actions taken), data displayed or clicked in the Knol interface […] and other log information (e.g., browser type, IP address, date and time of access, cookie ID, referrer URL). If you are logged in we may associate that information with your account.
[emphasis is mine]

This last sentence is unusual and suggest that if you ever logged in and visited Knol, Google can associate your IP address and Cookie IDs to your Goolge Account — and all the personal information attached to it. From that, Google can directly de-anonymized the searches you did when you were not logged in.

A policy template

This loophole is certainly not intentional; this exact sentence appears in many privacy policies . As a matter of fact, this sentence also appears in YouTube and Blogger policies. Therefore we can assume that a same template has been used for services hosting user generated content.

However there are two big differences between Knol and Youtube or Blogger:

  • There is no explicit mention of the server logs in these policies. For these services, Google only mention that their ‘servers automatically record information about your use of the service’.
  • Both Blogger and YouTube have their own domain names, meaning that cookies you send to YoutTube are different from the cookies you send when you’re visiting a Google website. Unlike these services, Knol uses Google domain name. Therefore, you send to Knol cookies that you also send to Google when you are doing a search.

While not dramatic considering Knol relative lack of success, this mistake could have been more critical in the privacy policy of a more popular service.

Introducing Unsearch

Unsearch Capture Screen

My first post introduces ‘Unsearch’, the extension that gave its name to this blog. Unsearch is an extension for the Google Chrome browser that allows to search on Google without leaving traces on Google Search logs or on Google Web Search History. Normally, your searches on Google are recorded and logged with your IP address and cookies. While one can manage his web search history through this interface, it is not possible to manage Google search logs.

Motivations

Analyzing Google Log retention policies we found out that, even after anonymization, some pieces of information in Google search logs might lead to user identification ( for further information, see our paper). When you use Unsearch all pieces of information are deleted from Google servers within 15 days.

Also, one may not want to have all his searches recorded in his web search history. While it is possible to log out or to delete entries from Google Web Search History, I prefer to have the possibility to do ‘off the record’ searches directly on the search page. Especially now that the ‘Log-out’ button is one additional click away and that we have only three seconds before the search is recorded.

Paradoxically, with the new navigation bar, I find it more difficult to notice when I’m not logged into my account. Putting the risk of pseudonym usurpation aside, the account information is – in my opinion – less visible. That’s problematic because I can not remove searches that I did from someone else account.

How it works

When you type keywords in Google Search bar, you get Google Instant results but your query won’t be logged unless you click on the page or remain inactive for three seconds (moredetails).

When you click on Unsearch, it removes the keywords you typed in the search box (so they will not be recorded), but before that, it copies the Google Instant result and pasts it in another tab where your interactions are not monitored: you can browse the results without Google noticing (redirects are removed).

Because you never clicked on ‘Search’, Google won’t log your query and it won’t appear in your web search history either. And since you’re logged into your Google account, you’ll still get personalized search results. This approach is somehow complementary to TrackMeNot which lets user shape their search profile without issuing queries.

Shortcomings

Because Unsearch is based on Google Instant, this feature must be turned on for Unsearch to work. Furthermore, you have to click on Unsearch within three seconds or Google will log the query as a normal search. I tried to find a fix (like adding and removing space in the search bar) but I’m looking for a good solution.

In fact, the main drawback is that Unsearch takes advantage of Google Instant log retention policy. Should this policy change, Unsearch would no longer prevent Google from logging searches. Such change is very unlikely as Google never extended its log retention period or made its ‘anonymizing’ process less effective.

Furthermore, even if this policy is changed, countermeasures exist to prevent Google from logging most of the queries in their entirety (see some possible solution in Unsearch Presentation (.ppt) ).