The inference problem: a survey
ACM SIGKDD Explorations Newsletter
NSPW '06 Proceedings of the 2006 workshop on New security paradigms
An honest man has nothing to fear: user perceptions on web-based information disclosure
Proceedings of the 3rd symposium on Usable privacy and security
Googling Security: How Much Does Google Know About You?
Googling Security: How Much Does Google Know About You?
Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
On the effectiveness of anonymizing networks for web search privacy
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Cookie-based privacy issues on google services
Proceedings of the second ACM conference on Data and Application Security and Privacy
Enforced community standards for research on users of the tor anonymity network
FC'11 Proceedings of the 2011 international conference on Financial Cryptography and Data Security
Betrayed by your ads!: reconstructing user profiles from targeted ads
PETS'12 Proceedings of the 12th international conference on Privacy Enhancing Technologies
k-indistinguishable traffic padding in web applications
PETS'12 Proceedings of the 12th international conference on Privacy Enhancing Technologies
Appinspect: large-scale evaluation of social networking apps
Proceedings of the first ACM conference on Online social networks
Web search query privacy: Evaluating query obfuscation and anonymizing networks
Journal of Computer Security
Hi-index | 0.00 |
As the amount of personal information stored at remote service providers increases, so does the danger of data theft. When connections to remote services are made in the clear and authenticated sessions are kept using HTTP cookies, intercepting private traffic becomes easy to achieve. In this paper, we focus on the world largest service provider - Google. First, with the exception of a few services only accessible over HTTPS (e.g., Gmail), we find that many Google services are vulnerable to simple session hijacking attacks. Next, we present the Historiographer, a novel attack that reconstructs the web search history of Google users - Google's Web History - even though this service is supposedly protected from session hijacking by a stricter access control policy. The Historiographer uses a reconstruction technique inferring search history from the personalized suggestions fed by the Google search engine. We validate our technique through experiments conducted over real network traffic and discuss possible countermeasures. Our attacks are general and not only specific to Google, and highlight privacy concerns of mixed architectures mixing secure and insecure connections.