Mining Browsing History With Google Cookie Data

mikejuk writes "Recent research reveals details on how Google's SID cookie can be used to discover what websites a user has visited. In principle, the cookie is a low security risk because it doesn't allow acess to any data without authentication — thus it is sometimes transmitted in the clear and easy to intercept. With a little help from Google Search History and the 'Visited Pages' filter, researchers were able to list up to 80% of the pages visited by volunteer victims. Throw into the mix the 'social' filter and you can discover a lot more."

Google

[ge7]

It's good people are finally starting to see how abusive Google's practices are. Both intentional and unintentional, like this one. This should show that Google shouldn't even try to do datamining like this as it can be used maliciously. Either by a rogue Google employee or other people.

Re:

[jazman_777]

Google's slogan "Don't Be Evil" isn't the same as "Don't Do Evil".

Re:

[MichaelKristopeit355]

Google shouldn't even try to do datamining...

i'm sure the web will just index itself.

Really?

[Kamiza Ikioi]

Cookies are now abusive? Google has been leading the way in terms of always on HTTPS, a browser that includes an easy to use incognito mode ahead of other major browsers, and clear and easy ways to view your history (which is default off, iiirc), clear it, retrieve all your Google saved data such as pics, etc.

Their really intrusive services, like Latitude are completely optional and even when turned on are always defaulted to safe settings. Even their picture search is default to avoid pornography for worr

Compare what?

[Anonymous Coward]

Compare this to just about any other leading tech company like Facebook or Microsoft.

I often do, which is why I continue to try to talk sense into deranged dorks who insist Google can do no wrong.

They're doing the same things that all the 'evil' companies out there do, you nerds.

Re:Compare what?

[LordLimecat]

Yes, they totally crack down on opensource and lead the way with EEE....

Except for when theyre hosting FOSS projects on google code.

And contributing massive amounts to them (HTML5 standards, WebM, Chromium, Android, Wave {which was a completely open protocol}).

And donating massive amounts of money to Mozilla foundation.

But other than that, yea, linux geeks unite against the monster that is Google.

Re:

[ge7]

And donating massive amounts of money to Mozilla foundation.

Wait, what? They aren't donating anything. They're paying Mozilla to include Google as the default search in Firefox and paying commissions on ad clicks made from said search box. Donations.. sheesh Google really has made nerds completely blind to truth.

Re:

[CharlyFoxtrot]

And contributing massive amounts to them (HTML5 standards, WebM, Chromium, Android, Wave {which was a completely open protocol}).

HTML5: created by the WHATWG [wikipedia.org]. "WHATWG was founded by individuals from Apple, the Mozilla Foundation and Opera Software in 2004"

Chromium: built on Webkit, created by Apple from the original khtml base.

Re:

[LordLimecat]

Webkit-- built on a compiled language built by someone else entirely.

What is your point?

Does google know it's *You* ?

[Anonymous Coward]

Or does google just know that somebody left left x website and went to y website?

To me, there is very big difference.

Comparing Google to Microsoft

[walterbyrd]

Is like comparing a jay-walker to a serial killer.

MS is every bit as bad, if not worse, than google when it comes to privacy issues. But what about massive patent trolling? I don't see google doing that. What about outright lying to the US DoJ in video taped testimony? What about the letters from dead people campaign? What about financing the scox-scam? What about bribing officials, not to mention many other irregularities, in the OOXML ISO scandle? What about faking the results of supposedly independent p

Re:

[jc42]

Everything we use can be theoretically used maliciously, such as BitTorrent (pirating), Instant Messaging/Chat (pedophiles), Social Networking (rioting), etc.

This isn't just theoretical. Not long ago, I was among a crowd of probably several hundred people who got Facebook and Twitter messages alerting us to a gathering at a local square that's a transport and commercial hub (Davis Square in Somerville, Massachusetts). At least several dozen of us grabbed our tools and descended on the square at the appointed time, and organized an unscheduled contra dance out in the open. I took along my accordion, if you can imagine! The "cell" member that sent me the mess

Re:

[Anonymous Coward]

BS. TFA assumes that HTTPS isn't enforced on *.google.com. So they do a MITM attack by masquerading as Google.com. Consider yourself lucky if the worst that happens is history retrieval. !news

Re:

[LordLimecat]

Wait, so if a potential vulnerability in Google's cookie means theyre abusive, does that mean that the attacks on AES256 (due to design flaws) mean the NIST is abusive and doesnt care about your privacy?

Or is it possible that calling google evil and malicious in this instance is incorrect and irrelevant to the real issues (such as what are the implications, how can we protect ourselves, and whether Google needs to take measures to better protect the cookies)?

Re:

[RoLi]

Compared to Facebook, that's pretty harmless.

The "Like" button reveals to facebook every website you visit:
http://in-other-news.com/2011/What_Facebooks_Like_buttons_reveal [in-other-news.com]

And facebook even tries to ban workarounds that prevent their buttons from sending data without being clicked:
http://www.heise.de/newsticker/meldung/Facebook-beschwert-sich-ueber-datenschutzfreundlichen-2-Klick-Button-2-Update-1335658.html [heise.de]

Re:

[Lunaritian]

I wanted to use Facebook without Facebook knowing what other sites I visit, and the solution is quite simple. I use Chromium for Facebook only, and for other surfing I use Firefox with NoScript which I've set to block anything Facebook-related.

Interesting

[Mensa Babe]

While leaking browsing history is nothing new [didyouwatchporn.com] in principle, this time it is the service whom you trust with your history that is actively broadcasting your browsing habits in the form of a cookie. It should be at least marked as Secure and used only in encrypted connections. I wonder why Google is using an HTTP cookie to store information that could be stored in many ways that seem much better suited for that - from the database backend to HTML5 web storage. Anyone knows why did Google use an HTTP cookie fo

Re:

[vux984]

from the database backend

Because the http cookie completely trivial to set up and completely free too where as the database backend would need well.. a database back end. Which is neither trivial nor free, even for google.

to HTML5 web storage

How many people are still not using HTML5 browsers?

Re:

[jc42]

How many people are still not using HTML5 browsers?

Or, for that matter, how many people even have a browser that doesn't understand HTML5?

A few months ago, while testing some HTML5 stuff (canvases, etc.), I got curious about how many browsers I could find that did/didn't handle it. I have an even dozen browsers on my Macbook, half a dozen on my two linux boxes (and wonder where I can find more), several on a FreeBSD box that I have an account on, two on my G1 phone (the builtin Browser and Opera Mini), plus the browser on my wife's iPhone. I tested my

Re:Interesting

[Dahamma]

The SID is just Google's "session ID", it doesn't contain browsing data itself. They were just hijacking the session id and using it in Google searches, then looking at the results to try to determine a user's search history based on what Google sent back.

Stealing someone's session cookie and then using it to get information about the victim? This is *definitely* nothing new, and I'm sure there are tons of other sites vulnerable to the same attack...

Re:

[AmiMoJo]

Another reason why HTTPS should always be enabled. Potty that seems to have been missed in TFA.

Re:

[Anonymous Coward]

You can set *.google com to always use SSL using noscript. https-anywhere/everywhere/whatever they call it probably won't redirect literally everything, since some google services will break if forced to use SSL (no iGoogle). I actually use privoxy with a rule like this:

{ +redirect{s@http://@https://@i} }
.google.com

Then for services that break, I allow http, but without cookies:

{ -redirect +crunch-all-cookies }

cache.pack.google.com/edgedl/chrome

www.google.com/chrome

It takes some work, and doesn't work perfectly, but I'm pretty sure I haven't sent a cookie to google in the clear in at least a year.

With privoxy and iptables transparently inj

Firefox will dispose of all cookies on close

[sl4shd0rk]

Under privacy settings
    Keep Until: I close Firefox

Or does this not get rid of the google cookie?

Re:

[Frosty Piss]

Keep Until: I close Firefox

Sorry, it's way too much to ask people to take even the smallest responsibility for their own privacy.

Re:

[edxwelch]

Have you specifically enabled google history? If not then there is nothing to leak.

Re:

[jenningsthecat]

Have you specifically enabled google history? If not then there is nothing to leak.

People like you who have Google accounts tend to forget about those of us who choose NOT to have anything to do with Google beyond using their search engine. Because I don't subscribe to Gmail or any other Google services, I have to turn search history off regularly - I still haven't figured out when and how Google decides to silently 'opt me back in' to this odious 'feature', and there's no indication that it's turned on, so if I forget to check, then my history is being logged and my search results are ge

Visual DNA

[mikael]

Has anyone heard of Visual DNA?

I was visiting a website, clicked on a sub-link and the browser timed out. Instead I got a Java-Script link to a Visual-DNA script. Looked at the website, and it looked like one of those freaky advertising agencies that tracks everything:

Visual DNA [visualdna.com]

BEvil Cookies?

[BoRegardless]

Comes to mind.