MemeStreams | MemeStreams Discussion

Create an Account

This page contains all of the posts and discussion on MemeStreams referencing the following web page: Stealing Search Engine Queries with JavaScript. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

Stealing Search Engine Queries with JavaScript
by Acidus at 7:28 pm EDT, Sep 29, 2006

Short and sweet: I can find out what you have been searching Google for from JavaScript. I can put this JavaScript on any site either because I own it (How much do you trust memestreamas.net?) or because I have a XSS vuln that lets me inject JavaScript in the site.

Think the AOL leakage... only for everyone on the internet.

Some fun use cases:

-HMO’s website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers.

-Advertising networks could gather information about which topics someone is interested based on their search history and use that to enchance their customer databases.

-Government websites could see if a visitor has been searching for bomb-making instructions.

Whitepaper: http://www.spidynamics.com/assets/documents/JS_SearchQueryTheft.pdf
Proof of concept: http://www.spidynamics.com/spilabs/js-search/index.html

My name is Billy, and I want to destroy the Intarweb with JavaScript.

RE: Stealing Search Engine Queries with JavaScript
by Catonic at 5:45 pm EDT, Oct 4, 2006

Acidus wrote:
My name is Billy, and I want to destroy the Intarweb with JavaScript.

You May Already Be A Terrorist!

Stealing Search Engine Queries with JavaScript
by Rattle at 9:27 am EDT, Oct 1, 2006

SPI Labs has expanded on existing techniques and discovered a practical method of using JavaScript to detect the search queries a user has entered into arbitrary search engines. As seen with the recent leakage of 36 million search queries made by half a million American Online subscribers, there are enormous privacy concerns when a user’s search queries are made public. All the code needed to steal a user’s search queries is written in JavaScript and uses Cascading Style Sheets (CSS). This code could be embedded into any website either by the website owner or by a malicious third party through a Cross-site Scripting (XSS) attack. There it would harvest information about every visitor to that site. For example, an HMO’s website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers. Advertising networks could gather information about which topics someone is interested based on their search history and use that to echance their customer databases. Government websites could see if a visitor has been searching for bomb-making instructions.

Acidus presented another one of his amazing web hacks at ToorCon this weekend. Javascript is loaded with issues... Here is another one.

Good job Billy.. I seriously love watching you hack shit up.

Update: Unlike the situation in my previous post, there is no vendor involved here. This is a good example of sounding the warning horn.

There is a redundant post from skullaria not displayed in this view.