Snooping on Your Online Searches. SAN DIEGO -- America Online took a lot of heat recently for disclosing what hundreds of thousands of AOL users had searched for online, but the truth is that stealing search results from any Internet user is well within the reach of all Web site owners, according to research published this week.
Atlanta-based security vendor SPI Dynamics released a white paper showing just how easy it is for a Web site owner to mine the recent search queries of anyone visiting the site just by using fairly simple Javascript code.
Javascript is a very powerful cross-platform programming language deployed on millions of Web sites, but it can also be an incredibly invasive tool in the hands of bad guys, as research presented at this year's Black Hat hacker conference made painfully clear.
Basing much of its research on that Black Hat talk, SPI Dynamics found that it is fairly easy for a Web site to use Javascript to check whether a visitor recently searched for a pre-defined list of phrases and/or words. To see this concept in action, navigate to Google.com and then run a search for a word or phrase. Then visit SPI Dynamics' proof-of-concept page, and type in the exact same word or phrase you entered at Google. The SPI page should return the same result you searched for in Google.
This exploit is somewhat limited, in that it requires the snooping Web site to establish a Web page with Javascript code that is already set up to mine a pre-defined set of search terms. But consider how powerful such a tool could be in the hands of a major online retailer, which might want to serve you ads for certain types of products based on the products you've been searching for online. More insidiously, consider a government Web site that queries whether you've searched for certain terms that might make you a target for further investigation, such as "porn," "bomb making," or certain types of illicit drugs.
There are plenty of permutations and different scary scenarios for this type of attack. And this exploit is not limited to Google, as a review of the source page for SPI's exploit shows. In theory, a Web site could use Javascript to query all kinds of information the user enters into a text form field or search engine.
In my experience, turning Javascript off in Internet Explorer tends to lead to kludgy results when browsing many sites, but I've come to love the "noscript" browser plugin or extension for Firefox, which blocks all Javascript by default and lets you decide which sites you trust to allow Javascript code. Obviously, that extension is not a foolproof approach, as even a site that you've marked safe for Javascript in Firefox could turn around and later use the code to probe your search results (or worse), but it's better than nothing. [Security Fix]
12:37:17 AM  PermaLink /
|
