New browser history exploit could expose user data
A possible new privacy threat has been discovered in the way that web browsers store their history. Researchers at Spi Dynamics claim to have found a way for a website to use a piece of Javascript code to detect a history of web searches performed on popular search engines including Google, without the user’s knowledge.
The Big Brother implications are numerous. Imagine online retailers looking to see which of their competitors you may have shopped with (or at least searched for), an insurance company looking at what medical terms you’ve looked for, or indeed any phisher or spammer getting a better picture of your lifestyle by what you’ve searched for online.
It’s said to work because search engines have their own set way of forming web queries (look in the address bar when you’ve done a Google search and you’ll see) By default, that gets stored in your browser history just like the pages you visit, until it’s automatically or manually cleared.
Vnunet.com has spoken with a representative at security firm Spi Dynamics, who have created a ‘proof of concept’ site that you can use to check if you might be vulnerable to this exploit.
Though the legal status of this is unclear, it does sound very dodgy. Effectively it’s someone snooping on your browser history.
Billy Hoofman of Spi Dynamics said that if a marketer had got hold of the technique, they would be unlikely to disclose its use. Most users would remain unaware of it, as well, as you’d probably have to search the source code and it could conceivably be masked in some way. Maybe we’ll be able to see if it spreads with Google Code.
As Javascript is (in my opinion) fairly flaky across different browsers, I wasn’t surprised to find that the proof of concept didn’t seem to work on any of my Mac browsers (Safari, Firefox or Opera). Slightly worrying was that on one browser it reported that I’d searched for every term I typed in – false positives. Whose to say that this is reliable enough for accurate snooping? Snooping is bad enough, but error-prone snooping? I don’t think so.
It’ll be interesting to see if anything comes of this. For the moment, if you’ve searched for anything sensitive, clear out your browser history. Might be a pain if you like to see what you’ve visited recently, but could maintain some of your privacy.
(Via VNUNet.com)
For the in-depth report, read this excellent PDF
