Proof of concept code demonstrates how to commit search history theft.
Proof of concept code demonstrates how to commit search history theft.
Security researchers with Spi Dynamics have demonstrated a techniques that exposes the past search queries as well as websites that a user visited to online publishers..
Websites could use the technique to check if a user has researched its products through search engines. An insurance provider for instance could deploy the method to verify if an client applying for life insurance has ordered cigarettes online. It could also allow Amazon to check if users have been shopping with competing stores.
"You can basically determine how loyal of a customer I am and offer me a price break," Billy Hoffman, a lead security researcher with Spi Dynamics told vnunet.com.
Hoffman likened the technique to the publication by AOL of 20 million search queries from 650,000 of its users last August. The 439Mb of data was released as part of a research project and AOL was soon forced to delete the information over privacy concerns.
Although the data couldn't directly be linked to individual users, the New York Times was able to trace back one set of search queries to 62-year-old Thelma Arnold from Lilburn, Georgia.
"The release of the AOL data a few months ago showed that you can learn so much about a person from their search engine queries. Imagine that scary lack of privacy, but for everybody on the internet," said Hoffman.
The URL for each online search query is formed in a standard way and discloses the keywords that the user entered. Webbrowsers store these URLs in a history file, which for among things allows the colour for a previously visited link to look different from a fresh one.
Spi Dynamic's technique looks checks a series of predefined URLs against the URLs in a user's search history through a Javascript application that is embedded on a webpage. The code is executed on the user's system without any noticeable performance interruption.
Most browsers are set to save the history for several days. Firefox by default is configured to save the history for 9 days while Internet Explorer holds on the URLs for 20 days.
Hoffman said that he isn't aware of anyone using the technique to track online user behaviour. But he added that if marketers had figured out the technique, they probably wouldn't disclose their use.
The company isn't certain about the legality of the technique. Although it has obvious privacy implications, the technology is no different from ways that websites today check for a system's screen resolution and installed plugins.
A proof of concept application is available on the Spi Dynamics website. The allows users to verify Google, Yahoo and Icerocket searches.