Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Mining Browsing History With Google Cookie Data

Soulskill posted about 3 years ago | from the is-it-the-90s-again dept.

Google 40

mikejuk writes "Recent research reveals details on how Google's SID cookie can be used to discover what websites a user has visited. In principle, the cookie is a low security risk because it doesn't allow acess to any data without authentication — thus it is sometimes transmitted in the clear and easy to intercept. With a little help from Google Search History and the 'Visited Pages' filter, researchers were able to list up to 80% of the pages visited by volunteer victims. Throw into the mix the 'social' filter and you can discover a lot more."

cancel ×

40 comments

Sorry! There are no comments related to the filter you selected.

Paranoia sometimes pays (-1)

Anonymous Coward | about 3 years ago | (#37290506)

One of the first "features" that I disabled from my Google account was Web-Search History.

I've never been more satisfied with that decision than I am now.

Re:Paranoia sometimes pays (0)

Anonymous Coward | about 3 years ago | (#37301646)

One of the first "features" that I disabled from my Google account was Web-Search History.

I've never been more satisfied with that decision than I am now.

One of the first "features" that I disabled from my Google account was logging into it in the first place. Works like a charm.

Google (2)

ge7 (2194648) | about 3 years ago | (#37290508)

It's good people are finally starting to see how abusive Google's practices are. Both intentional and unintentional, like this one. This should show that Google shouldn't even try to do datamining like this as it can be used maliciously. Either by a rogue Google employee or other people.

Re:Google (2)

jazman_777 (44742) | about 3 years ago | (#37290600)

Google's slogan "Don't Be Evil" isn't the same as "Don't Do Evil".

Re:Google (1)

MichaelKristopeit353 (1968162) | about 3 years ago | (#37290724)

your arbitrary phrase "Don't Do Evil" isn't the same as "Don't Pretend Evil Doesn't Exist And Utilizes Inherently Non-Evil Tools To Further Itself"

you're an idiot.

Re:Google (5, Insightful)

MichaelKristopeit355 (1968164) | about 3 years ago | (#37290744)

Google shouldn't even try to do datamining...

i'm sure the web will just index itself.

Really? (2)

Kamiza Ikioi (893310) | about 3 years ago | (#37290790)

Cookies are now abusive? Google has been leading the way in terms of always on HTTPS, a browser that includes an easy to use incognito mode ahead of other major browsers, and clear and easy ways to view your history (which is default off, iiirc), clear it, retrieve all your Google saved data such as pics, etc.

Their really intrusive services, like Latitude are completely optional and even when turned on are always defaulted to safe settings. Even their picture search is default to avoid pornography for worried parents.

Compare this to just about any other leading tech company like Facebook or Microsoft. And statements like "Google shouldn't even try to do datamining like this as it can be used maliciously" shows a lack of understanding about what Google's business is, and tech in general.

Everything we use can be theoretically used maliciously, such as BitTorrent (pirating), Instant Messaging/Chat (pedophiles), Social Networking (rioting), etc.

Compare what? (1)

Anonymous Coward | about 3 years ago | (#37290856)

Compare this to just about any other leading tech company like Facebook or Microsoft.

I often do, which is why I continue to try to talk sense into deranged dorks who insist Google can do no wrong.

They're doing the same things that all the 'evil' companies out there do, you nerds.

Re:Compare what? (3, Interesting)

LordLimecat (1103839) | about 3 years ago | (#37291076)

Yes, they totally crack down on opensource and lead the way with EEE....

Except for when theyre hosting FOSS projects on google code.

And contributing massive amounts to them (HTML5 standards, WebM, Chromium, Android, Wave {which was a completely open protocol}).

And donating massive amounts of money to Mozilla foundation.

But other than that, yea, linux geeks unite against the monster that is Google.

Re:Compare what? (2)

ge7 (2194648) | about 3 years ago | (#37291174)

And donating massive amounts of money to Mozilla foundation.

Wait, what? They aren't donating anything. They're paying Mozilla to include Google as the default search in Firefox and paying commissions on ad clicks made from said search box. Donations.. sheesh Google really has made nerds completely blind to truth.

Re:Compare what? (2)

CharlyFoxtrot (1607527) | about 3 years ago | (#37292890)

And contributing massive amounts to them (HTML5 standards, WebM, Chromium, Android, Wave {which was a completely open protocol}).

HTML5: created by the WHATWG [wikipedia.org] . "WHATWG was founded by individuals from Apple, the Mozilla Foundation and Opera Software in 2004"

Chromium: built on Webkit, created by Apple from the original khtml base.

Re:Compare what? (1)

LordLimecat (1103839) | about 3 years ago | (#37298496)

Webkit-- built on a compiled language built by someone else entirely.

What is your point?

Re:Compare what? (0)

Anonymous Coward | about 3 years ago | (#37300570)

Did you actually read the rest of that paragraph in the HTML5 wikipedia article?

Does google know it's *You* ? (1)

Anonymous Coward | about 3 years ago | (#37292668)

Or does google just know that somebody left left x website and went to y website?

To me, there is very big difference.

Comparing Google to Microsoft (2)

walterbyrd (182728) | about 3 years ago | (#37292758)

Is like comparing a jay-walker to a serial killer.

MS is every bit as bad, if not worse, than google when it comes to privacy issues. But what about massive patent trolling? I don't see google doing that. What about outright lying to the US DoJ in video taped testimony? What about the letters from dead people campaign? What about financing the scox-scam? What about bribing officials, not to mention many other irregularities, in the OOXML ISO scandle? What about faking the results of supposedly independent product comparison's? What about owning "think tanks" that create favorable reports about your company's point of view?

Re:Really? (2)

jc42 (318812) | about 3 years ago | (#37293820)

Everything we use can be theoretically used maliciously, such as BitTorrent (pirating), Instant Messaging/Chat (pedophiles), Social Networking (rioting), etc.

This isn't just theoretical. Not long ago, I was among a crowd of probably several hundred people who got Facebook and Twitter messages alerting us to a gathering at a local square that's a transport and commercial hub (Davis Square in Somerville, Massachusetts). At least several dozen of us grabbed our tools and descended on the square at the appointed time, and organized an unscheduled contra dance out in the open. I took along my accordion, if you can imagine! The "cell" member that sent me the message showed up with her fiddle. Another fellow even brought a string bass. Some passers-by gave us strange, puzzled, or disapproving looks. Others joined in.

This is the sort of thing that our citizenry can be enticed into by this newfangled Social Networking and Instant Messaging stuff. I can easily believe all the other sorts of social things that it's leading to.

So I'd say that it's good that we're warning readers about the consequences of such communication technologies. And participants should be aware that the central message passing sites on the Internet almost certainly have a record of events such as this one, though they may not (yet) know exactly which of the message recipients actually participated. But the fact that we're on the organizers lists tells organizations like Facebook and Twitter that we're associated with such activities.

I do wonder whether they know I have an accordion (and I know how to use it). I should probably assume that they do know this.

Re:Google (1)

Anonymous Coward | about 3 years ago | (#37290922)

BS. TFA assumes that HTTPS isn't enforced on *.google.com. So they do a MITM attack by masquerading as Google.com. Consider yourself lucky if the worst that happens is history retrieval. !news

Re:Google (2)

LordLimecat (1103839) | about 3 years ago | (#37291046)

Wait, so if a potential vulnerability in Google's cookie means theyre abusive, does that mean that the attacks on AES256 (due to design flaws) mean the NIST is abusive and doesnt care about your privacy?

Or is it possible that calling google evil and malicious in this instance is incorrect and irrelevant to the real issues (such as what are the implications, how can we protect ourselves, and whether Google needs to take measures to better protect the cookies)?

Re:Google (0)

Anonymous Coward | about 3 years ago | (#37291458)

It's abusive because Google is putting users at risk by storing that data.

Browsing history storage and behavioral metrics are inherently abusive except where subject to opt-in with truly informed consent.

Re:Google (2)

RoLi (141856) | about 3 years ago | (#37291048)

Compared to Facebook, that's pretty harmless.

The "Like" button reveals to facebook every website you visit:
http://in-other-news.com/2011/What_Facebooks_Like_buttons_reveal [in-other-news.com]

And facebook even tries to ban workarounds that prevent their buttons from sending data without being clicked:
http://www.heise.de/newsticker/meldung/Facebook-beschwert-sich-ueber-datenschutzfreundlichen-2-Klick-Button-2-Update-1335658.html [heise.de]

Re:Google (1)

Lunaritian (2018246) | about 3 years ago | (#37291540)

I wanted to use Facebook without Facebook knowing what other sites I visit, and the solution is quite simple. I use Chromium for Facebook only, and for other surfing I use Firefox with NoScript which I've set to block anything Facebook-related.

Interesting (2)

Mensa Babe (675349) | about 3 years ago | (#37290522)

While leaking browsing history is nothing new [didyouwatchporn.com] in principle, this time it is the service whom you trust with your history that is actively broadcasting your browsing habits in the form of a cookie. It should be at least marked as Secure and used only in encrypted connections. I wonder why Google is using an HTTP cookie to store information that could be stored in many ways that seem much better suited for that - from the database backend to HTML5 web storage. Anyone knows why did Google use an HTTP cookie for that? Is it more reliable or more efficient than the web storage or a database?

Re:Interesting (2)

vux984 (928602) | about 3 years ago | (#37290756)

from the database backend

Because the http cookie completely trivial to set up and completely free too where as the database backend would need well.. a database back end. Which is neither trivial nor free, even for google.

to HTML5 web storage

How many people are still not using HTML5 browsers?

Re:Interesting (2)

jc42 (318812) | about 3 years ago | (#37293920)

How many people are still not using HTML5 browsers?

Or, for that matter, how many people even have a browser that doesn't understand HTML5?

A few months ago, while testing some HTML5 stuff (canvases, etc.), I got curious about how many browsers I could find that did/didn't handle it. I have an even dozen browsers on my Macbook, half a dozen on my two linux boxes (and wonder where I can find more), several on a FreeBSD box that I have an account on, two on my G1 phone (the builtin Browser and Opera Mini), plus the browser on my wife's iPhone. I tested my HTML5 against all of them, and they all handled it without problems.

So I don't have any non-HTML5 browsers in this collection. I didn't consciously choose to do this. So I wonder how many non-HTML5 browsers are actually available.

Actually, my wife has an iMac with a Windows (NT) VM installed, and it has IE6. I should try it; I'm guessing that it doesn't handle HTML5. But I could be wrong again; it might understand HTML5 but intentionally render parts of it incorrectly.

Re:Interesting (3, Insightful)

Dahamma (304068) | about 3 years ago | (#37290876)

The SID is just Google's "session ID", it doesn't contain browsing data itself. They were just hijacking the session id and using it in Google searches, then looking at the results to try to determine a user's search history based on what Google sent back.

Stealing someone's session cookie and then using it to get information about the victim? This is *definitely* nothing new, and I'm sure there are tons of other sites vulnerable to the same attack...

Re:Interesting (2)

AmiMoJo (196126) | about 3 years ago | (#37291854)

Another reason why HTTPS should always be enabled. Potty that seems to have been missed in TFA.

WTF I don't even (0)

Anonymous Coward | about 3 years ago | (#37290530)

So is there any easy way to delete Google's SID cookie every couple seconds or so?

Re:WTF I don't even (1)

Anonymous Coward | about 3 years ago | (#37290780)

You can set *.google com to always use SSL using noscript. https-anywhere/everywhere/whatever they call it probably won't redirect literally everything, since some google services will break if forced to use SSL (no iGoogle). I actually use privoxy with a rule like this:

{ +redirect{s@http://@https://@i} }
.google.com

Then for services that break, I allow http, but without cookies:

{ -redirect +crunch-all-cookies }

cache.pack.google.com/edgedl/chrome

www.google.com/chrome

It takes some work, and doesn't work perfectly, but I'm pretty sure I haven't sent a cookie to google in the clear in at least a year.

With privoxy and iptables transparently injecting all network requests into it, you can even force everybody on your network to be fed http 302 redirects to the https version locally. Of course if these redirects happen on insecure wifi, it won't prevent this attack on that level, but would for a snooping ISP. Nothing is perfect, and I run privoxy on my local machine anyway. Just throwing things out there, and hoping someone might subscribe to my newsletter.

A bit misleading... (0)

Anonymous Coward | about 3 years ago | (#37290552)

According to TFA, this only shows sites that were clicked through in search results. While obviously it's still not an optimal experience, it's much better than leaking information on, say, any site you've visited that uses Analytics.

Firefox will dispose of all cookies on close (1)

sl4shd0rk (755837) | about 3 years ago | (#37290768)

Under privacy settings
    Keep Until: I close Firefox

Or does this not get rid of the google cookie?

Re:Firefox will dispose of all cookies on close (1)

Frosty Piss (770223) | about 3 years ago | (#37290852)

Keep Until: I close Firefox

Sorry, it's way too much to ask people to take even the smallest responsibility for their own privacy.

Re:Firefox will dispose of all cookies on close (-1)

Anonymous Coward | about 3 years ago | (#37291078)

I am dehydrated. Do you mind if I take an extralong piss into your mouth? We can do this in a freezer if you like.

Re:Firefox will dispose of all cookies on close (0)

Anonymous Coward | about 3 years ago | (#37291368)

You mean I get to log in again and again and again and again...

Re:Firefox will dispose of all cookies on close (0)

Anonymous Coward | about 3 years ago | (#37302620)

If you check "remember passwords", logging in again is a 2 second activity.

Re:Firefox will dispose of all cookies on close (0)

Anonymous Coward | about 3 years ago | (#37290896)

What if I log into Google, do a search, and then click on one of the results, which happens to be on a data-miner's page? You know, because I *want* the color-coding for my history.

Re:Firefox will dispose of all cookies on close (-1)

Anonymous Coward | about 3 years ago | (#37291196)

Under privacy settings

    Keep Until: I close Firefox

Or does this not get rid of the google cookie?

No, it doesn't. I don't know what trick they use, but deleting browser cookies and Flash cookies don't get rid of the Google "cookie" in Firefox 3.6 on Ubuntu Linux. Google is still able to recognise you if you use any Google product (even if you logged out from Google, closed all pages in the browser, deleted all cookies, deleted browser and Flash cache, deleted browser history, and restarted your computer. Heck, sometimes Google is even able to recognise you, even if you have switched to a different (newly installed) browser after such a procedure, I've even tried to change my language settings, installed plugins and extesniosn and other settings that could identify who I am, but that didn't help. Their ability to recognise me is eerie and they share that knowledge with lots of websites (even web-pages that obviously belong to criminals who try to scam me know my personal name (yes I click on unknown links, being able to follow links is what the web is about)). Using private mode in Firefox or Chromium don't help either, but logging in to a different account in Ubuntu does.

Re:Firefox will dispose of all cookies on close (1)

edxwelch (600979) | about 3 years ago | (#37291680)

Have you specifically enabled google history? If not then there is nothing to leak.

Re:Firefox will dispose of all cookies on close (1)

jenningsthecat (1525947) | about 3 years ago | (#37334506)

Have you specifically enabled google history? If not then there is nothing to leak.

People like you who have Google accounts tend to forget about those of us who choose NOT to have anything to do with Google beyond using their search engine. Because I don't subscribe to Gmail or any other Google services, I have to turn search history off regularly - I still haven't figured out when and how Google decides to silently 'opt me back in' to this odious 'feature', and there's no indication that it's turned on, so if I forget to check, then my history is being logged and my search results are geographically skewed. And don't forget that even if you have a Google account, failing to log into it means that web history is automatically enabled by default and must be turned off manually if you don't want it.

Google is like Bell - I hate it, but there's not much choice but to either use it or choose some equally evil alternative.

Visual DNA (1)

mikael (484) | about 3 years ago | (#37291128)

Has anyone heard of Visual DNA?

I was visiting a website, clicked on a sub-link and the browser timed out. Instead I got a Java-Script link to a Visual-DNA script. Looked at the website, and it looked like one of those freaky advertising agencies that tracks everything:

Visual DNA [visualdna.com]

BEvil Cookies? (1)

BoRegardless (721219) | about 3 years ago | (#37291290)

Comes to mind.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>