Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript

[Chris Hofmann <chofmann () mozilla org>]

I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=354861 for 
tracking the investigation in Firefox.

Chris Hofmann

Billy Hoffman wrote:
> SPI Labs has discovered a practical method of using JavaScript to 
> detect the search queries a user has entered into arbitrary search 
> engines. All the code needed to steal a user's search queries is 
> written in JavaScript and uses Cascading Style Sheets (CSS). This code 
> could be embedded into any website either by the website owner or by a 
> malicious third party through a Cross-site Scripting (XSS) attack. 
> There it would harvest information about every visitor to that site.
>
>  
>
> Possible uses:
>
> -HMO's website could check if a visitor has been searching other sites 
> about cancer, cancer treatments, or drug rehab centers.
>
> -Advertising networks could gather information about which topics 
> someone is interested based on their search history and use that to 
> echance their customer databases.
>
> -Government websites could see if a visitor has been searching for 
> bomb-making instructions.
>
>  
>
> SPI has published a whitepaper about this technique and has also 
> release proof  of concept code that will steal search engine queries. 
> Works solid in Firefox, and IE support is a little shaky on multi word 
> queries.
>
>  
>
> Whitepaper: 
> http://www.spidynamics.com/assets/documents/JS_SearchQueryTheft.pdf
>
> Proof of Concept: http://www.spidynamics.com/spilabs/js-search/index.html
>
>  
>
> Have fun,
>
> Billy Hoffman
>
> --
>
> Lead R&D Engineer
>
> SPI Dynamics -- http://www.spidynamics.com <http://www.spidynamics.com/>
>
> Phone: 678-781-4800
>
> Direct: 678-781-4845

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/