Peeking Into Users' Web History

Researchers hijack Google's personalized search suggestions to reconstruct users' search histories.

  • Wednesday, April 21, 2010
  • By Erica Naone

Personalization is a key part of Internet search, providing more relevant results and gaining loyal customers in the process. But new research highlights the privacy risks that this kind of personalization can bring. A team of European researchers, working with a researcher from the University of California, Irvine, found that they were able to hijack Google's personalized search suggestions to reconstruct users' Web search histories.

Google has plugged most of the holes identified in the research, but the researchers say that other personalized services are likely to have similar vulnerabilities. "The goal of this project was to show that personalized services are very dangerous in terms of privacy because they can leak information," says Claude Castelluccia, a senior research scientist at the French National Institute for Research in Computer Science and Control, who was involved with the work. The work will be presented this summer at the Privacy Enhancing Technologies Symposium in Berlin, Germany.

The researchers got hold of personal information by taking advantage of the fact that Google uses two different protocols to communicate with its users' browsers. Google protects sensitive information, such as passwords, by using a protocol called "https" that encrypts the data as it's communicated. Other times, when dealing with search queries for example, Google uses the ordinary "http" protocol, which sends information back and forth in the clear. The researchers say this mixed design can inadvertently reveal information.

Google offers a variety of Web services, including Gmail, Google Docs, and Google Calendar. A less well-known service is Google Web History, which records searches made by a user while she is signed in to her Google Account. At the time the researchers were investigating it, Web History was also the source of personalized suggestions that Google offered users on its search page.

The researchers were able to get access to users' Web History by intercepting cookies--files stored on a person's computer that hold useful bits of information such as authentication credentials or the contents of a shopping cart. For many services, such as Gmail, this information is encrypted before it is sent. At the time, Web History sent its cookies in the clear. By eavesdropping on an unsecured network, such as a public Wi-Fi hotspot, an attacker can intercept Web cookies. The researchers determined that intercepted Web History cookies could provide access to that user's Web History account.
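As an added illustration (not part of the original article or the researchers' work), the Python sketch below shows how a defender could audit a captured HTTP response for the condition described above: cookies set without the `Secure` attribute, which a browser will also attach to plain "http" requests. The sample response, the cookie names and the `example.test` domain are constructed for the example.

```python
from typing import NamedTuple

class Cookie(NamedTuple):
    name: str
    secure: bool      # True: browser sends it only over https
    http_only: bool   # True: not readable from page scripts

def parse_set_cookie(value: str) -> Cookie:
    """Parse one Set-Cookie header value into its name and security flags."""
    first, *attrs = value.split(";")
    name = first.partition("=")[0].strip()
    # Attribute names are case-insensitive; some carry a value (Path=/, Expires=...).
    flags = {a.partition("=")[0].strip().lower() for a in attrs}
    return Cookie(name, "secure" in flags, "httponly" in flags)

def cookies_from_response(raw: str) -> list[Cookie]:
    """Collect every Set-Cookie header from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    cookies = []
    for line in head.split("\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(value.strip()))
    return cookies

def sent_in_clear(raw: str) -> list[str]:
    """Names of cookies that would travel unencrypted on an http request."""
    return [c.name for c in cookies_from_response(raw) if not c.secure]

# Constructed sample: one protected login cookie, two cookies lacking Secure.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: AUTH=constructed-token-1; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: HISTORY_SID=constructed-token-2; Path=/history; "
    "Expires=Wed, 21 Apr 2027 10:00:00 GMT\r\n"
    "set-cookie: PREF=lang=en; Domain=.example.test\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for name in sent_in_clear(SAMPLE_RESPONSE):
        print(f"cookie {name!r} lacks Secure: visible to anyone on the same network")
```
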


dtutelman

117 Comments

  • 663 Days Ago
  • 04/21/2010

Double trouble

This is particularly scary in light of the Simson Garfinkel article today (http://www.technologyreview.com/web/25116/?nlid=2916). It suggests Google wants ALL our data on its server farms. Won't THAT be an attractive target to hackers.

As a guy who was in an attempted cloud computing development as early as 1977, I'm in no hurry to turn my computer into a netbook. I want to control my data, not outsource it to the cloud.
