Proceedings of the 2007 ACM workshop on Privacy in electronic society
Private information disclosure from web searches
PETS'10 Proceedings of the 10th international conference on Privacy enhancing technologies
Proceedings of the 14th annual ACM SIGITE conference on Information technology education
A Virtual Environment for Teaching Technical Aspects of Privacy
Proceedings of the 2013 on InfoSecCD '13: Information Security Curriculum Development Conference
| Hi-index | 0.00 |
With the success of Web applications, most of our data is now stored on various third-party servers where they are processed to deliver personalized services. Naturally, we must be authenticated to access this personal information, but the use of personalized services only restricted by identification could indirectly and silently leak sensitive data. We analyzed Google Web Search access mechanisms and found that the current policy applied to session cookies could be used to retrieve users' personal data. We describe two attack schemes based on the Google's "SID cookie". First, we show that it permits a session fixation attack in which the victim's searches are recorded in the attacker's Google Web Search History. The second attack leverages the search personalization (based on the same SID cookie) to retrieve a part of the victim's click history and even some of her contacts. We implemented a proof of concept of the latter attack on the Firefox Web browser and conducted an experiment with ten volunteers. Thanks to this prototype we were able to recover up to 80% of the user's search click history.