Cookie-based privacy issues on google services

Abstract

With the success of Web applications, most of our data is now stored on various third-party servers where they are processed to deliver personalized services. Naturally, we must be authenticated to access this personal information, but the use of personalized services only restricted by identification could indirectly and silently leak sensitive data. We analyzed Google Web Search access mechanisms and found that the current policy applied to session cookies could be used to retrieve users' personal data. We describe two attack schemes based on the Google's "SID cookie". First, we show that it permits a session fixation attack in which the victim's searches are recorded in the attacker's Google Web Search History. The second attack leverages the search personalization (based on the same SID cookie) to retrieve a part of the victim's click history and even some of her contacts. We implemented a proof of concept of the latter attack on the Firefox Web browser and conducted an experiment with ten volunteers. Thanks to this prototype we were able to recover up to 80% of the user's search click history.