short-paper

Cookie-based privacy issues on google services

Authors:

Vincent Toubiana,

Vincent Verdot,

Benoit ChristopheAuthors Info & Claims

CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and Privacy

Pages 141 - 148

https://doi.org/10.1145/2133601.2133619

Published: 07 February 2012 Publication History

Get Access

Abstract

With the success of Web applications, most of our data is now stored on various third-party servers where they are processed to deliver personalized services. Naturally, we must be authenticated to access this personal information, but the use of personalized services only restricted by identification could indirectly and silently leak sensitive data. We analyzed Google Web Search access mechanisms and found that the current policy applied to session cookies could be used to retrieve users' personal data. We describe two attack schemes based on the Google's "SID cookie". First, we show that it permits a session fixation attack in which the victim's searches are recorded in the attacker's Google Web Search History. The second attack leverages the search personalization (based on the same SID cookie) to retrieve a part of the victim's click history and even some of her contacts. We implemented a proof of concept of the latter attack on the Firefox Web browser and conducted an experiment with ten volunteers. Thanks to this prototype we were able to recover up to 80% of the user's search click history.

References

[1]

Eric Butler. Firesheep, 2010. http://codebutler.com/firesheep.

Google Scholar

[2]

Claude Castelluccia, Emiliano De Cristofaro, and Daniele Perito. Private information disclosure from web searches. In Proceedings of the 10th international conference on Privacy enhancing technologies, PETS'10, pages 38--55, Berlin, Heidelberg, 2010. Springer-Verlag.

Digital Library

Google Scholar

[3]

Christopher W. Clifton and Mummoorthy Murugesan. Providing privacy through plausibly deniable search. April 2009.

Google Scholar

[4]

Electronic Frontier Foundation. Https everywhere. https://www.eff.org/https-everywhere.

Google Scholar

[5]

Daniel C. Howe and Helen Nissenbaum. Trackmenot: resisting surveillance in web search. In I. Kerr, C. Lucock, V. Steeves (Eds.), Lessons from the Identity Trail: Privacy, Anonymity and Identity in a Networked Society, pages 409--428, Oxford UK, 2009. Oxford University Press.

Google Scholar

[6]

A. Solanas J. Domingo-Ferrer and J. Castelli-Roca. Preserving user's privacy in web search enginesh(k)-private information retrieval from privacy-uncooperative queryable databases. Online Information Review, 3(4), 2009.

Crossref

Google Scholar

[7]

Andrew Swerdlow Jessica Staddon. Public vs. publicized: Content use trends and privacy expectations, 2011.

Google Scholar

[8]

Mitja Kolsek. Session fixation vulnerability in web-based applications, December 2002. http://www.acrossecurity.com/papers/session_fixation.pdf.

Google Scholar

[9]

Thoughtcrime Labs. Google sharing. http://www.googlesharing.net.

Google Scholar

[10]

Felipe Saint-Jean, Aaron Johnson, Dan Boneh, and Joan Feigenbaum. Private web search. In WPES '07: Proceedings of the 2007 ACM workshop on Privacy in electronic society, pages 84--90, New York, NY, USA, 2007. ACM.

Digital Library

Google Scholar

[11]

TMN Team. Unsearch. https://chrome.google.com/webstore/detail/jojanedhfpmmjlkakmkhkgalbaokiphp.

Google Scholar

[12]

Alma Whitten. The freedom to be who you want to be..., February 2011. http://googlepublicpolicy.blogspot.com/2011/02/freedom-to-be-who-you-want-to-be.html.

Google Scholar

Cited By

View all

Govindaraj JVerma RGupta G(2016)Analyzing Mobile Device Ads to Identify UsersAdvances in Digital Forensics XII10.1007/978-3-319-46279-0_6(107-126)Online publication date: 20-Sep-2016
https://doi.org/10.1007/978-3-319-46279-0_6
Jung YStratos KCarloni LGangemi ALeonardi SPanconesi A(2015)LN-AnnoteProceedings of the 24th International Conference on World Wide Web10.1145/2736277.2741633(538-548)Online publication date: 18-May-2015
https://dl.acm.org/doi/10.1145/2736277.2741633
Peltsverger SZheng GWhitman MZafar H(2013)A Virtual Environment for Teaching Technical Aspects of PrivacyProceedings of the 2013 on InfoSecCD '13: Information Security Curriculum Development Conference10.1145/2528908.2528912(49-52)Online publication date: 12-Oct-2013
https://dl.acm.org/doi/10.1145/2528908.2528912
Show More Cited By

Index Terms

Cookie-based privacy issues on google services
1. Security and privacy
  1. Database and storage security
2. Theory of computation
  1. Theory and algorithms for application domains
    1. Database theory
      1. Theory of database privacy and security

Recommendations

On the Privacy Practices of Just Plain Sites
WPES '15: Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society

In addition to visiting popular sites such as Facebook and Google, web users often visit more modest sites, such as those operated by bloggers, or by local organizations such as schools. Such sites, which we call "Just Plain Sites" (JPSs), are likely to ...
Google Search Engine: Seo Tools You Need to Explode Your Website Traffic - Google Seo, Google Ranking
Scriptless attacks: Stealing more pie without touching the sill
Web Application Security Web @ 25

Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the members of security community worldwide. In the same way, a plethora of more or less effective defense techniques have been proposed, ...

Comments

Information & Contributors

Information

Published In

CODASPY '12: Proceedings of the second ACM conference on Data and Application Security and Privacy

February 2012

338 pages

ISBN:9781450310918

DOI:10.1145/2133601

General Chair:
Elisa Bertino
Purdue University, USA
,
Program Chair:
Ravi Sandhu
University of Texas at San Antonio, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 February 2012

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tag

information leakage

Qualifiers

Short-paper

Conference

CODASPY'12

Sponsor:

SIGSAC

CODASPY'12: Second ACM Conference on Data and Application Security and Privacy

February 7 - 9, 2012

Texas, San Antonio, USA

Acceptance Rates

CODASPY '12 Paper Acceptance Rate 21 of 113 submissions, 19%;

Overall Acceptance Rate 149 of 789 submissions, 19%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
626
Total Downloads

Downloads (Last 12 months)26
Downloads (Last 6 weeks)3

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Govindaraj JVerma RGupta G(2016)Analyzing Mobile Device Ads to Identify UsersAdvances in Digital Forensics XII10.1007/978-3-319-46279-0_6(107-126)Online publication date: 20-Sep-2016
https://doi.org/10.1007/978-3-319-46279-0_6
Jung YStratos KCarloni LGangemi ALeonardi SPanconesi A(2015)LN-AnnoteProceedings of the 24th International Conference on World Wide Web10.1145/2736277.2741633(538-548)Online publication date: 18-May-2015
https://dl.acm.org/doi/10.1145/2736277.2741633
Peltsverger SZheng GWhitman MZafar H(2013)A Virtual Environment for Teaching Technical Aspects of PrivacyProceedings of the 2013 on InfoSecCD '13: Information Security Curriculum Development Conference10.1145/2528908.2528912(49-52)Online publication date: 12-Oct-2013
https://dl.acm.org/doi/10.1145/2528908.2528912
Peltsverger SZheng GArmitage WFriedman RBaker K(2013)Hands-on privacy labsProceedings of the 14th annual ACM SIGITE conference on Information technology education10.1145/2512276.2512316(137-138)Online publication date: 2-Oct-2013
https://dl.acm.org/doi/10.1145/2512276.2512316

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

On the Privacy Practices of Just Plain Sites

Google Search Engine: Seo Tools You Need to Explode Your Website Traffic - Google Seo, Google Ranking

Scriptless attacks: Stealing more pie without touching the sill