Full Disclosure mailing list archives
Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript
From: "Brian Eaton" <eaton.lists () gmail com>
Date: Fri, 29 Sep 2006 15:18:44 -0400
On 9/29/06, Billy Hoffman <Billy.Hoffman () spidynamics com> wrote:
Possible uses: -HMO's website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers. -Advertising networks could gather information about which topics someone is interested based on their search history and use that to echance their customer databases. -Government websites could see if a visitor has been searching for bomb-making instructions.
Correct me if I'm wrong, but it looks like the technique only works if you can guess the entire set of search terms the user entered. For example, let's say I searched for "XSS hack". The technique won't work if the attacking web site checks only for "XSS", or only for "hack". The technique does reveal that I searched for "XSS hack" though. Regards, Brian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Stealing Search Engine Queries with JavaScript Billy Hoffman (Sep 29)
- Re: Stealing Search Engine Queries with JavaScript Dave "No, not that one" Korn (Sep 29)
- Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript Brian Eaton (Sep 29)
- Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript Chris Hofmann (Sep 30)
- Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript Collin Jackson (Sep 30)
- Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript Ian (Sep 30)
- Re: Stealing Search Engine Queries with JavaScript マグロ原子 (Sep 30)