Snoop Onto Them As They Snoop Onto Us

Sat, 21 Jul 2007 08:47:37 GMT

This is not exactly news, since the service has been available since January this year, but I cannot see many people discussing it. Anyway, Google allows consumption of SearchHistory profiles as simple RSS/ATOM feeds. IMHO, this will impact the security and privacy of the users (us) quite significantly. Let's see how. But first, for those who don't know what the search history is, here is a short excerpt from the service homepage:

VIEW AND MANAGE YOUR WEB ACTIVITY - You know that great web site you saw online and now can't find? From now on, you can. With Web History, you can view and search across the full text of the pages you've visited, including Google searches, web pages, images, videos and news stories. You can also manage your web activity and remove items from your web history at any time.

GET THE SEARCH RESULTS MOST RELEVANT TO YOU - Web History helps deliver more personalized search results based on what you've searched for on Google and which sites you've visited. You might not notice a big impact on your search results early on, but they should steadily improve over time as you use Web History.

FOLLOW INTERESTING TRENDS IN YOUR WEB ACTIVITY - Which sites do you visit frequently? How many searches did you do between 10 a.m. and 2 p.m.? Web History can tell you about these and other interesting trends on your web activity.

SearchHistory Homepage

The search history feed can be accessed from the following URL: http://www.google.com/history/?output=rss. The interesting thing is that if you are not authenticated, the Google service will ask you to do so, but through HTTP Basic Authentication. Now we all know how weak Basic Authentication is. By default, basic auth does not have any account lockout capabilities. Yes, this feature can be introduced, and I haven't really tested it on Google's SearchHistory feed interface yet.

Apart from that, the real danger is that if someone has your account details, they could potentially become your invisible stalker. In the digital age, compromising someone's email just for the sake of it does not make sense. What is more interesting is to learn as much as possible about the victim and use this knowledge for your own benefit. This is what attackers will be after.

Relevant searches, places that you have been, stats, trends, secrets. If you have the Google Toolbar then you are even more screwed, since every step that you make will be recorded. Given the fact that everything is accessed via RSS, this information can be easily analyzed, aggregated and even exported to the Net for everyone to see. As we all know, Basic Auth credentials are part of the URL scheme, and almost every RSS/ATOM aggregator supports them: http://username:password@www.google.com/history/?output=rss. What is even worse is that we can also perform queries on the history like this: https://www.google.com/searchhistory/find?q=[query]&output=rss.
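As an added illustration (not part of the original post), the following Python script shows the defender's side of the URL-embedded credentials problem described above: it scans a list of feed subscription URLs (constructed here, with placeholder credentials) for embedded userinfo, shows the Authorization header a client would derive from them (plain base64, so anything that stores the URL effectively stores the password), and produces a redacted form that is safe for logs and OPML exports.

```python
"""Flag and redact Basic Auth credentials embedded in feed URLs."""
import base64
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample subscription list; the username and password
# are placeholders, not real credentials.
SAMPLE_URLS = [
    "http://alice:s3cret@www.google.com/history/?output=rss",
    "https://www.google.com/searchhistory/find?q=medical&output=rss",
    "http://example.org/feed.xml",
]

def embedded_basic_auth(url):
    """Return (username, password) if the URL carries userinfo, else None."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    return unquote(parts.username), unquote(parts.password or "")

def basic_header_value(username, password):
    """Authorization header a client derives from the URL: base64, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def redact(url):
    """Strip userinfo so the URL can be logged or shared safely."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))

def audit(urls):
    """List (redacted_url, header_value) for every URL that embeds credentials."""
    findings = []
    for url in urls:
        creds = embedded_basic_auth(url)
        if creds:
            findings.append((redact(url), basic_header_value(*creds)))
    return findings

if __name__ == "__main__":
    for redacted, header in audit(SAMPLE_URLS):
        print(f"credentials embedded in {redacted} -> {header}")
```

Run it against an aggregator's exported subscription list or proxy logs to find stored passwords before they end up in a shared file.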

Keep in mind that SearchHistory is recording your moves whether you want it or not. Your actions will be recorded for as long as you perform queries while logged into Google or have the Google Browser Toolbar installed.

David Kierznowski
pp, the top link is broken champ.
ntp
I use http://scroogle.org/scraper.html and I think trackmenot (Firefox extension) has some scroogle integration capabilities (although I don't use that). Stealing search engine queries is nothing particularly new, and I've always enjoyed http://aolstalker.com
pdp
ntp, the Google SearchHistory goes beyond the usual stuff. It records everything. I mean everything. Every query you did and every site that you've accessed from the search result pages. And if you are unlucky enough to have a Google Toolbar, then all your actions will be recorded. :) As I mentioned on FD:
The point that I am trying to make is that the attacker doesn't need to have access to your computer anymore. The data is available online 24/7. It is a lot easier to access a Google feed than some computer behind some obscured and poorly configured NATed network.
Moreover, just to add here, attackers can access several people's profiles easily. And no tracks are left behind.
kuza55
I'm not really convinced of the usefulness of this: it's turned off by default, you can delete the service from here: https://www.google.com/accounts/EditServices, the service is clearly listed in the My Services section of My Account, and once it's deleted no one (other than Google, who obviously keeps the data) can see your previous searches.
pdp
kuza55, for sure you can delete the WebHistory, but check this out: it is enabled by default! How about that? Check this link. Google WebSearch is just one of the many services that offer feed export. Pretty much everything else has that option too and can be accessed through basic auth. I know that this is an obstacle. However, keep in mind that the purpose of this post is not to show how to own people but to elaborate on what can be done after that. I mean, if the attacker has access to your account, they may as well turn the WebHistory ON if it is OFF. All attackers want from you is to get your secrets. Consider it like the situation where you have physical/remote access to a machine and now you want to install a rootkit or keylogger.
Dfcnvt
I just thought of something. You can create a dummy Google account and set Web History turned on. Have yourself physical access to any computer and leave that dummy account logged in behind. You'll have all the history information saved right on that account from whoever else used that computer.
pdp
Dfcnvt, not a bad idea. Now that I think about it, you can use the WebHistory for pretty much everything, like a covert channel for a botnet... evil, I know. I think I might be able to present another presentation at OWASP US this year. The topic will include things like the one you mentioned.
kuza55
pdp: Alright, it might be opt-out on the sign-up page, but it's not enabled for people who already had an account before they added the feature. And it doesn't really seem the kind of feature that people wouldn't opt out of.
pdp
kuza55, please understand that in order for someone to access your WebHistory they need to have your username and password in the first place. This means that they can simply enable the feature if it is disabled. As I mentioned before:
Keep in mind that the purpose of this post is not to show how to own people but to elaborate on what can be done after that. I mean, if the attacker has access to your account, they may as well turn the WebHistory ON if it is OFF. All attackers want from you is to get your secrets. Consider it like the situation where you have physical/remote access to a machine and now you want to install a rootkit or keylogger.
imipak
the real danger is that if someone has your account details, they could potentially become your invisible stalker.
...but if they have your account details, they can log in and read/write your email as well. This seems little different from "root on your system can install software that can monitor all your activities!" - yeah, password auth is crap - we know that...
pdp
imipak, sorry, I cannot get what you are trying to say. Yes, in order to get the WebHistory you have to have the account credentials, and yes, in order to root a system you have to have system access. What's the difference?