Personalization is a key part of Internet search, providing more relevant results and gaining loyal customers in the process. But new research highlights the privacy risks that this kind of personalization can bring. A team of European researchers, working with a researcher from the University of California, Irvine, found that they were able to hijack Google’s personalized search suggestions to reconstruct users’ Web search histories.
Google has plugged most of the holes identified in the research, but the researchers say that other personalized services are likely to have similar vulnerabilities. “The goal of this project was to show that personalized services are very dangerous in terms of privacy because they can leak information,” says Claude Castelluccia, a senior research scientist at the French National Institute for Research in Computer Science and Control, who was involved with the work. The work will be presented this summer at the Privacy Enhancing Technologies Symposium in Berlin, Germany.
The researchers got hold of personal information by taking advantage of the fact that Google uses two different protocols to communicate with its users’ browsers. Google protects sensitive information, such as passwords, by using a protocol called “https” that encrypts the data as it’s communicated. Other times, when dealing with search queries for example, Google uses the ordinary “http” protocol, which sends information back and forth in the clear. The researchers say this mixed design can inadvertently reveal information.
Google offers a variety of Web services, including Gmail, Google Docs, and Google Calendar. A less well-known service is Google Web History, which records searches made by a user while she is signed in to her Google Account. At the time the researchers were investigating it, Web History was also the source of personalized suggestions that Google offered users on its search page.
The researchers were able to get access to users’ Web History by intercepting cookies–files stored on a person’s computer that hold useful bits of information such as authentication credentials or the contents of a shopping cart. For many services, such as Gmail, this information is encrypted before it is sent. At the time, Web History sent its cookies in the clear. By eavesdropping on an unsecured network, such as a public Wi-Fi hotspot, an attacker can intercept Web cookies. The researchers determined that intercepted Web History cookies could provide access to that user’s Web History account.