Snoop Onto Them As They Snoop Onto Us
This is not exactly news, since the service has been available since January this year, but I haven't seen many people discussing it. Anyway, Google allows consumption of SearchHistory profiles as simple RSS/ATOM feeds. IMHO, this will impact the security and privacy of users (us) quite significantly. Let's see how. But first, for those who don't know what the search history is, here is a short excerpt from the service homepage:
VIEW AND MANAGE YOUR WEB ACTIVITY - You know that great web site you saw online and now can't find? From now on, you can. With Web History, you can view and search across the full text of the pages you've visited, including Google searches, web pages, images, videos and news stories. You can also manage your web activity and remove items from your web history at any time.
GET THE SEARCH RESULTS MOST RELEVANT TO YOU - Web History helps deliver more personalized search results based on what you've searched for on Google and which sites you've visited. You might not notice a big impact on your search results early on, but they should steadily improve over time as you use Web History.
FOLLOW INTERESTING TRENDS IN YOUR WEB ACTIVITY - Which sites do you visit frequently? How many searches did you do between 10 a.m. and 2 p.m.? Web History can tell you about these and other interesting trends on your web activity.
The search history feed can be accessed from the following URL: http://www.google.com/history/?output=rss. The interesting thing is that if you are not authenticated, the Google service will ask you to do so, but through HTTP Basic Authentication. Now we all know how weak Basic Authentication is. By default, basic auth does not have any account lockout capability. Yes, this feature can be added on the server side, but I haven't really tested whether Google's SearchHistory feed interface does so yet.
Apart from that, the real danger is that if someone has your account details, they could potentially become your invisible stalker. In the digital age, compromising someone's email just for the sake of it does not make sense. What is more interesting is to learn as much as possible about the victim and use this knowledge for your own benefit. This is what attackers will be after.
Relevant searches, places you have been, stats, trends, secrets. If you have the Google Toolbar you are even more screwed, since every step you make will be recorded. Given that everything is accessed via RSS, this information can be easily analyzed, aggregated and even exported to the net for everyone to see. As we all know, Basic Auth credentials can be embedded in the URL itself (the userinfo part), and almost every RSS/ATOM aggregator supports them:
http://username:password@www.google.com/history/?output=rss. What is even worse is that we can also perform queries on the history like this: https://www.google.com/searchhistory/find?q=**[query]**&output=rss.
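Because aggregators, proxies and shell histories happily store URLs of the `user:pass@host` form described above, a defender's first check is to find such URLs before they are logged or shared. The following is an added example (not code from the original post): it scans constructed aggregator-config lines for URLs carrying userinfo credentials and returns a redacted copy of each; the config format and `feeds.example.com` host are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Matches anything that looks like an absolute URL inside a line of text.
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://\S+")


def find_userinfo_credentials(url):
    """Return (username, password) embedded in the URL's userinfo part, or None.

    Percent-encoding is undone so that e.g. 'p%40ss' is reported as 'p@ss'.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None
    return (unquote(parts.username), unquote(parts.password or ""))


def redact_userinfo(url, placeholder="REDACTED"):
    """Return the URL with any embedded credentials replaced by a placeholder,
    so it can be logged or shared without leaking the Basic Auth secret."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, f"{placeholder}@{host}",
                       parts.path, parts.query, parts.fragment))


def scan_feed_config(lines):
    """Scan config lines; return (line_number, redacted_url) for every URL
    that carries credentials in its userinfo part."""
    findings = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if find_userinfo_credentials(url) is not None:
                findings.append((n, redact_userinfo(url)))
    return findings


# Constructed sample input (hypothetical aggregator config, not a real file).
SAMPLE_CONFIG = [
    "# feeds subscribed by this aggregator",
    "feed = http://alice:s3cret@feeds.example.com/history/?output=rss",
    "feed = https://feeds.example.com/public.rss",
    "feed = https://bob:p%40ss@feeds.example.com/find?q=test&output=rss",
]

if __name__ == "__main__":
    for line_no, safe_url in scan_feed_config(SAMPLE_CONFIG):
        print(f"line {line_no}: credentials embedded in {safe_url}")
```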
Keep in mind that SearchHistory is recording your moves whether you want it to or not. Your actions will be recorded for as long as you perform queries while logged into Google or have the Google Browser Toolbar installed.
The point that I am trying to make is that the attacker doesn't need access to your computer anymore. The data is available online 24/7. It is a lot easier to access a Google feed than some computer behind some obscure and poorly configured NATed network. Moreover, attackers can access several people's profiles easily, and no tracks are left behind.
It is enabled by default! How about that? Check this link. Google WebSearch is just one of the many services that offer feed export. Pretty much everything else has that option too and can be accessed through basic auth. I know that this is an obstacle. However, keep in mind that the purpose of this post is not to show how to own people but to elaborate on what can be done after that. I mean, if the attacker has access to your account, they may as well turn WebHistory ON if it is OFF. All attackers want from you is your secrets. Consider it like the situation where you have physical/remote access to a machine and now want to install a rootkit or keylogger.
the real danger is that if someone has your account details, they could potentially become your invisible stalker... but if they have your account details, they can log in and read/write your email as well. This seems little different from "root on your system can install software that can monitor all your activities!" - yeah, password auth is crap - we know that...