Re: [Full-disclosure] [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface

2007-07-22 Thread pdp (architect)
just to add,

Google WebSearch is just one of the many services that offer feed
export. Pretty much everything else has that option too and can be
accessed through basic auth. I know that this is an obstacle. However,
keep in mind that the purpose of this post is not to show how to own
people but elaborate on what can be done after that. I mean, if the
attacker has access to your account, they may as well turn the
WebHistory ON if it's OFF. All attackers want from you is to get your
secrets. Consider it like the situation where you have a
physical/remote access to a machine and now you want to install a
rootkit or keylogger.

On 7/22/07, Greenarrow 1 [EMAIL PROTECTED] wrote:
> Well, for one, for security purposes why would anyone log into Google for
> search purposes. Second, most people I know who use any type of security
> usually use a proxy if they are doing unknown type searches or surfing the
> web.  This would place a kink in the ease of getting the info you stated in
> your email.
>
> While yes if anyone wanted to get your info that bad it would not matter
> what method one uses but I see the way you show as being the way a common
> Windows home user would seek search data and I sure hope that corporate does
> not go this route.
>
> Regards,
> George
> Greenarrow1
> InNetInvestigations-Forensic
>
>
> - Original Message -
> From: pdp (architect) [EMAIL PROTECTED]
> To: full-disclosure@lists.grok.org.uk; OWASP Leaders
> [EMAIL PROTECTED]; WASC Forum [EMAIL PROTECTED]
> Sent: Saturday, July 21, 2007 2:04 AM
> Subject: [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface
>
>
> > http://www.gnucitizen.org/blog/snoop-onto-them-as-they-snoop-onto-us
> >
> > This is not really news, since the service has been available since
> > January this year; however, I cannot see that many people discussing
> > it. Anyway, Google allows consumption of SearchHistory profiles as
> > simple RSS/ATOM feeds. IMHO, this will impact the security and privacy
> > of the users (us) quite significantly.
> >
> > [...]
> >
> > The search history feed can be accessed from the following URL:
> > http://www.google.com/history/?output=rss. The interesting thing is
> > that if you are not authenticated, the Google service will ask you to
> > do so, but through HTTP Basic Authentication. Now we all know how weak
> > Basic Authentication is. By default, basic auth does not have any
> > account lockout capabilities. Yes, this feature can be introduced, and
> > I haven't really tested it out on Google's SearchHistory feed
> > interface.
> > Apart from that, the real danger is that if someone has your account
> > details, they could potentially become your invisible stalker. Snoop
> > onto Them as they Snoop onto us. In the digital age, compromising
> > someone's email just for the sake of it does not make sense. What is
> > more interesting is to learn as much as possible from the victim and
> > use this knowledge for your own benefit. This is what attackers will
> > be after.
> >
> > Relevant searches, places that you have been, stats, trends, secrets.
> > If you have the Google Toolbar then you are even more screwed, since
> > every step that you make will be recorded. Given the fact that
> > everything is accessed via RSS, this information can be easily analyzed,
> > aggregated and even exported to the NET for everyone to see. As we all
> > know, Basic Auth credentials are part of the URL scheme, and almost every
> > RSS/ATOM aggregator supports them:
> > http://username:[EMAIL PROTECTED]/history/?output=rss. What is
> > even worse is that we can also perform queries on the history like
> > this: https://www.google.com/searchhistory/find?q=[query]&output=rss.
> >
> > Keep in mind that the SearchHistory is recording your moves no matter
> > whether you want it or not. Your actions will be recorded for as long
> > as you perform queries while being logged into Google or you have the
> > Google Browser Toolbar installed.
> >
> > I am not saying that GOOGLE is bad. All I am saying is that someone
> > can use this interface to harm others. It makes the process so much
> > easier.
> >
> > --
> > pdp (architect) | petko d. petkov
> > http://www.gnucitizen.org
> >
> >
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >



-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
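The two mechanics the quoted post relies on, worked through as an added example (this is editor-supplied Python, not code from pdp's post or from GNUCITIZEN): a feed reader splits `user:password@` out of a feed URL and sends it as a Basic `Authorization` header, which is only base64 and therefore fully reversible by anything that sees the URL or the header; and once an aggregator can pull the feed, a few lines of parsing turn it into "most repeated queries" and "which days the victim was active". The feed body below is constructed for the example and is assumed to be plain RSS 2.0 with the query in `<title>`; the page does not show the real feed's schema.

```python
import base64
import re
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape a feed reader would receive. The queries
# and dates are invented for this example; this is not real Google output.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Search History</title>
    <item><title>flights london to sofia</title><pubDate>Sat, 21 Jul 2007 08:02:11 GMT</pubDate></item>
    <item><title>divorce lawyer london</title><pubDate>Sat, 21 Jul 2007 08:05:40 GMT</pubDate></item>
    <item><title>flights london to sofia</title><pubDate>Sat, 21 Jul 2007 09:12:03 GMT</pubDate></item>
    <item><title>hotel sofia city centre</title><pubDate>Sat, 21 Jul 2007 09:13:27 GMT</pubDate></item>
    <item><title>divorce lawyer london</title><pubDate>Sun, 22 Jul 2007 18:45:09 GMT</pubDate></item>
  </channel>
</rss>"""


def basic_auth_from_url(url):
    """Split user:password out of a feed URL the way an aggregator does.

    Returns (clean_url, authorization_header_value). The header value is
    just base64("user:password"): an encoding, not a hash, so every place
    the URL or header lands (aggregator config, proxy or server logs,
    shared OPML exports) holds the password in the clear.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    creds = f"{parts.username}:{parts.password or ''}"
    header = "Basic " + base64.b64encode(creds.encode()).decode()
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, header


def recover_credentials(header):
    """Reverse the header: the reason credentials must never sit in a URL."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(encoded).decode().partition(":")
    return user, password


def parse_history_feed(xml_text):
    """Return a list of (query, pubDate) tuples from an RSS 2.0 body."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        title = item.findtext("title", default="").strip()
        when = item.findtext("pubDate", default="").strip()
        if title:
            entries.append((title, when))
    return entries


def top_queries(entries, n=3):
    """Most repeated queries: a search made twice is the one that matters."""
    return Counter(q for q, _ in entries).most_common(n)


def activity_by_day(entries):
    """Searches per calendar day: the 'when is the victim active' view."""
    days = Counter()
    for _, when in entries:
        m = re.match(r"\w{3}, (\d{2} \w{3} \d{4})", when)
        days[m.group(1) if m else "unknown"] += 1
    return dict(days)


if __name__ == "__main__":
    clean, hdr = basic_auth_from_url("http://alice:s3cret@www.google.com/history/?output=rss")
    print(clean, hdr, recover_credentials(hdr))
    items = parse_history_feed(SAMPLE_FEED)
    print(top_queries(items), activity_by_day(items))
```

Point a real fetch at this only for an account you own; the aggregation functions are the same whether the body came from a file or from the network, which is exactly the point the post makes about RSS making analysis cheap.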


Re: [Full-disclosure] [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface

2007-07-21 Thread Greenarrow 1
Well, for one, for security purposes why would anyone log into Google for 
search purposes. Second, most people I know who use any type of security 
usually use a proxy if they are doing unknown type searches or surfing the 
web.  This would place a kink in the ease of getting the info you stated in 
your email.

While yes if anyone wanted to get your info that bad it would not matter
what method one uses but I see the way you show as being the way a common
Windows home user would seek search data and I sure hope that corporate does
not go this route.

Regards,
George
Greenarrow1
InNetInvestigations-Forensic





Re: [Full-disclosure] [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface

2007-07-21 Thread pdp (architect)
comments inlined

On 7/22/07, Greenarrow 1 [EMAIL PROTECTED] wrote:
> Well, for one, for security purposes why would anyone log into Google for
> search purposes. Second, most people I know who use any type of security

people login to check their email, chat and play with the toys on
their iGoogle. for most of the time, they are logged into Google.

> usually use a proxy if they are doing unknown type searches or surfing the
> web.  This would place a kink in the ease of getting the info you stated in
> your email.


:) keep in mind that most users are not tech/sec savvy


> While yes if anyone wanted to get your info that bad it would not matter
> what method one uses but I see the way you show as being the way a common
> Windows home user would seek search data and I sure hope that corporate does
> not go this route.


the point that I am trying to make is that the attacker doesn't need to
have access to your computer anymore. The data is available online
24/7. It is a lot easier to access a Google feed than some computer
behind some obscured and poorly configured NATed network.


> Regards,
> George
> Greenarrow1
> InNetInvestigations-Forensic


Thanks George,

cheers :)





-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
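The quoted post observes that Basic Auth has no account lockout by default but that one "can be introduced". Here is what such a check looks like on the server side, as an added example written for this page in Python (not Google's code and not from the post): failed Basic Auth attempts are counted per (username, client address) in a sliding window, and that pair is locked for a while once the limit is hit, while a correct password from another address still works. That stops an online brute force of one account without letting a single attacker lock every user out by spraying junk passwords at every name. The user store, limits and addresses are assumptions chosen for the example.

```python
import base64
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures tolerated per (user, client) ...
WINDOW_SECONDS = 300    # ... within this sliding window
LOCK_SECONDS = 900      # how long the pair stays locked after the limit

# Constructed credential store for the example: username -> password.
# Plaintext only so the example is self-contained; a real store keeps
# a salted password hash and compares against that instead.
USERS = {"alice": "correct horse battery staple"}


def basic_header(user, password):
    """Build the header a client sends: base64("user:password")."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class BasicAuthGate:
    """Check an Authorization: Basic header with failure lockout.

    Failures are keyed on (username, client_ip) so an online brute force
    against one account stalls, while users elsewhere are unaffected.
    """

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(deque)  # key -> timestamps of failures
        self.locked_until = {}              # key -> time the lock expires

    @staticmethod
    def _parse(header):
        scheme, _, encoded = (header or "").partition(" ")
        if scheme != "Basic":
            return None, None
        try:
            user, _, pw = base64.b64decode(encoded, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None, None
        return user, pw

    def check(self, header, client_ip):
        """Return 'ok', 'locked' or 'bad'; never says whether the user exists."""
        user, pw = self._parse(header)
        if user is None:
            return "bad"
        key = (user, client_ip)
        now = self.clock()
        if self.locked_until.get(key, 0) > now:
            return "locked"          # locked pairs are refused before any compare
        expected = USERS.get(user, "")
        # Constant-time compare; an unknown user is compared against "" so the
        # code path (and its timing) is the same as for a wrong password.
        good = user in USERS and hmac.compare_digest(pw.encode(), expected.encode())
        if good:
            self.failures.pop(key, None)
            return "ok"
        window = self.failures[key]
        window.append(now)
        while window and window[0] < now - WINDOW_SECONDS:
            window.popleft()         # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCK_SECONDS
            window.clear()
            return "locked"
        return "bad"


if __name__ == "__main__":
    gate = BasicAuthGate()
    for attempt in ["wrong"] * 5 + ["correct horse battery staple"]:
        print(gate.check(basic_header("alice", attempt), "203.0.113.9"))
```

The lock is per client address on purpose: keying on username alone would hand any attacker a denial of service against every user simply by guessing wrong five times per name, which is the usual objection to adding lockout to a public feed endpoint.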
