An international research team has demonstrated the possibility of hijacking Google services and reconstructing users’ search histories. Firstly, with the exception of a few services that can only be accessed over HTTPs (e.g. Gmail), researchers found that many Google services are still vulnerable to simple session hijacking.
Next they presented the Historiographer, a novel attack that reconstructs the web search histories of Google users, i.e. Google’s Web History, even though such a service is supposedly protected from session hijacking by a stricter access control policy. The Historiographer implements a reconstruction technique that rebuilds the search history based on inferences received from the personalized suggestions fed to it by the Google search engine. The attack was based on the fact that Google’s users receive personalized suggestions for their search queries based on previously searched keywords. The researchers showed that almost one third of monitored users were signed in to their Google accounts, and of those, half had their Web History enabled, thus leaving themselves vulnerable to this type of attack.
Next they presented the Historiographer, a novel attack that reconstructs the web search histories of Google users, i.e. Google’s Web History, even though such a service is supposedly protected from session hijacking by a stricter access control policy. The Historiographer implements a reconstruction technique that rebuilds the search history based on inferences received from the personalized suggestions fed to it by the Google search engine. The attack was based on the fact that Google’s users receive personalized suggestions for their search queries based on previously searched keywords. The researchers showed that almost one third of monitored users were signed in to their Google accounts, and of those, half had their Web History enabled, thus leaving themselves vulnerable to this type of attack. The attacks demonstrated are general and highlight concerns about the privacy of mixed architectures using both secure and insecure connections. The research data was sent to Google and the company has decided to temporarily suspend search suggestions from Search History in addition to offering Google Web History pages over secure protocol HTTPs only.
Next they presented the Historiographer, a novel attack that reconstructs the web search histories of Google users, i.e. Google’s Web History, even though such a service is supposedly protected from session hijacking by a stricter access control policy. The Historiographer implements a reconstruction technique that rebuilds the search history based on inferences received from the personalized suggestions fed to it by the Google search engine. The attack was based on the fact that Google’s users receive personalized suggestions for their search queries based on previously searched keywords. The researchers showed that almost one third of monitored users were signed in to their Google accounts, and of those, half had their Web History enabled, thus leaving themselves vulnerable to this type of attack.
Next they presented the Historiographer, a novel attack that reconstructs the web search histories of Google users, i.e. Google’s Web History, even though such a service is supposedly protected from session hijacking by a stricter access control policy. The Historiographer implements a reconstruction technique that rebuilds the search history based on inferences received from the personalized suggestions fed to it by the Google search engine. The attack was based on the fact that Google’s users receive personalized suggestions for their search queries based on previously searched keywords. The researchers showed that almost one third of monitored users were signed in to their Google accounts, and of those, half had their Web History enabled, thus leaving themselves vulnerable to this type of attack. The attacks demonstrated are general and highlight concerns about the privacy of mixed architectures using both secure and insecure connections. The research data was sent to Google and the company has decided to temporarily suspend search suggestions from Search History in addition to offering Google Web History pages over secure protocol HTTPs only.