Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Sun, 22 Jul 2007 08:07:32 +0100

just to add,

Google WebSearch is just one of the many services that offer feed
export. Pretty much everything else has that option too and can be
accessed through basic auth. I know that this is an obstacle. However,
keep in mind that the purpose of this post is not to show how to own
people but elaborate on what can be done after that. I mean, if the
attacker has access to your account, they may as well turn the
WebHistory ON if it s OFF. All attackers want from you is to get your
secrets. Consider it like the situation where you have a
physical/remote access to a machine and now you want to install a
rootkit or keylogger.

On 7/22/07, Greenarrow 1 <Greenarrow1 () msn com> wrote:
Well, for one, for security purposes why would anyone log into Google for
search purposes. Second, most people I know who use any type of security
usually use a proxy if they are doing unknown type searches or surfing the
web.  This would place a kink in the ease of getting the info you stated in
your email.

While yes if anyone wanted to get your info that bad it would not matter
what method one uses but I see the way you show as being the way a common
Window home user would seek search data and I sure hope that corporate does
not go this route.


----- Original Message -----
From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
To: <full-disclosure () lists grok org uk>; "OWASP Leaders"
<owasp-leaders () lists owasp org>; "WASC Forum" <websecurity () webappsec org>
Sent: Saturday, July 21, 2007 2:04 AM
Subject: [WEB SECURITY] digital stalking, Google SearchHistory RSS Interface


This is not that of a news since the service is available since
January this year, however I cannot see that many people discussing
it. Anyway, Google allows consummation of SearchHistory profiles as
simple RSS/ATOM feeds. IMHO, this will impact the security and privacy
of the users (us) quite significantly.


The search history feed can be access from the following url:
http://www.google.com/history/?output=rss. The interesting thing is
that if your are not authenticated, the Google service will ask you to
do so but though HTTP Basic Authentication. Now we all know how weak
Basic Authentication is. By default, basic auth does not have any
account lockout capabilities. Yes, this feature can be introduced and
I haven't really tested it out on the Google's SearchHistory feed
Apart from that, the real danger is that if someone has your account
details, they could potentially become your invisible stalker. "Snoop
onto Them as they Snoop onto us". In the digital age, compromising
someones email just for the sake of it does not make sense. What is
more interesting, is to learn as much as possible from the victim and
use this knowledge for your own benefit. This is what attackers will
be after.

Relevant searches, places that you have been, stats, trends, secrets.
If you have the Google Toolbar then you are even more screwed, since
every step that you make will be recorded. Given the fact that
everything is accessed via RSS, this information be easily analyzed,
aggregated and even exported to the NET for everyone to see. As we all
know Basic Auth credentials are part of the URL scheme, almost every
RSS/ATOM aggregator supports them:
http://username:password () www google com/history/?output=rss. What is
even worse is that we can also perform queries on the history like
this: https://www.google.com/searchhistory/find?q=[query]&output=rss.

Keep in mind that the SearchHistory is recording your moves no matter
whether you want it or not. Your actions will be recorded for as long
as you perform queries while being logged into Google or you have the
Google Browser Toolbar installed.

I am not saying that GOOGLE is bad. All I am saying is that someone
can use this interface to harm others. It makes the process so much

pdp (architect) | petko d. petkov

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

pdp (architect) | petko d. petkov

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]