Stealing Search Engine Queries with JavaScript

Topic: Computer Security 9:27 am EDT, Oct  1, 2006

SPI Labs has expanded on existing techniques and discovered a practical method of using JavaScript to detect the search queries a user has entered into arbitrary search engines. As seen with the recent leakage of 36 million search queries made by half a million America Online subscribers, there are enormous privacy concerns when a user’s search queries are made public. All the code needed to steal a user’s search queries is written in JavaScript and uses Cascading Style Sheets (CSS). This code could be embedded into any website either by the website owner or by a malicious third party through a Cross-site Scripting (XSS) attack. There it would harvest information about every visitor to that site. For example, an HMO’s website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers. Advertising networks could gather information about which topics someone is interested in based on their search history and use that to enhance their customer databases. Government websites could see if a visitor has been searching for bomb-making instructions.

Acidus presented another one of his amazing web hacks at ToorCon this weekend. JavaScript is loaded with issues... Here is another one.

Good job, Billy. I seriously love watching you hack shit up.

Update: Unlike the situation in my previous post, there is no vendor involved here. This is a good example of sounding the warning horn.
