Proof-of-concept code demonstrates search history 'theft'.
Security researchers at Spi Dynamics have demonstrated a technique that exposes the search queries and web pages that a user has visited.
Websites could use the technique to check whether a user has researched its products through search engines.
An insurance provider, for instance, could verify whether a client applying for life insurance has ordered cigarettes online. It could also allow an online retailer to check whether users have been shopping with competing stores.
"You can basically determine how loyal a customer I am and offer me a price break," Billy Hoffman, a lead security researcher with Spi Dynamics, told vnunet.com.
Hoffman likened the technique to the publication by AOL of 20 million search queries from 650,000 of its users last August.
The 439MB of data was released as part of a research project and AOL was soon forced to delete the information following privacy concerns.
Although the data could not directly be linked to individual users, The New York Times was able to trace one set of search queries to 62 year-old Thelma Arnold from Lilburn, Georgia.
"The release of the AOL data a few months ago showed that you can learn so much about a person from their search engine queries. Imagine that scary lack of privacy, but for everybody on the internet," said Hoffman.
The URL for each online search query is formed in a standard way that discloses the keywords that a user has entered.
Web browsers store these URLs in a history file which, for example, allows the colour for a previously visited link to look different from a fresh one.
Spi Dynamic's technique checks a series of predefined URLs against the URLs in a user's search history through a JavaScript application that is embedded on a webpage.
The code is executed on the user's system without any noticeable performance interruption.
Most browsers are set to save the history for several days. Firefox is configured to save the history for nine days, while Internet Explorer holds onto the URLs for 20 days.
Hoffman said that he is not aware of anyone using the technique to track online user behaviour. But he added that if marketers had learnt of the technique, they probably would not disclose their use of it.
The company is not certain about the legality of the technique. Although it has obvious privacy implications, the technology is no different from the ways that websites today check for a system's screen resolution and installed plug-ins.
A proof-of-concept application is available on the Spi Dynamics website which allows users to verify Google, Yahoo and Icerocket searches.