A pair of security researchers have created their own version of the notorious Firesheep plugin to expose a data leak in the world’s favourite search engine.
The proof-of-concept plugin exploits the use of unencrypted cookies by Google’s Web History feature.
Although you need to be logged in to make use of Web History, the feature does not require an encrypted (HTTPS) connection, so the cookie that identifies your logged-in session travels over the network in the clear. That is enough for an attacker to find out what you've been searching for, who your social contacts are and who's in your Gmail address book.
The new variant of Firesheep lets attackers exploit the flaw with almost no effort, provided they are sharing the same WiFi hotspot as you.
For researchers Vincent Toubiana and Vincent Verdot the choice to adapt Firesheep must have been obvious. The original Firesheep was released last October by a security researcher fed up with what he saw as the failure of big websites such as Twitter and Facebook to protect their users. Whilst his efforts weren't greeted with a chorus of approval, they do appear to have had the desired effect.
The good news is that this latest exploit does not allow attackers to take over users’ Google Accounts. However, it does expose private data. In the researchers’ own words:
"while the direct access to users’ data is subject to a strict security policy, using personalized services (which may leak this same personal information) is not"
Anyone thinking that search histories are innocuous need only cast their mind back to 2006.
In a well-intentioned but disastrous move AOL released a sizeable chunk of its users’ search data for research purposes. And what did we learn? That users put all sorts of private information into search engines.
The supposedly anonymised searches included names, addresses and social security numbers, amongst other things. In some cases a user's search history built up into a mosaic-like picture of their life (and in the sinister case of user 17556639, not a flattering one).
As well as introducing their take on Firesheep, Toubiana and Verdot’s recent paper outlines a number of ways to acquire the offending cookies, including just Googling for them.
They estimate that about 50% of Google's users have Web History switched on and that many of them are unaware of it. To make matters worse, the same cookie is sent to more than 20 websites, including web behemoths like Google Search, Google Maps, YouTube and Blogger, so it only takes one plaintext visit to any of them for the cookie to be exposed.
The researchers have already alerted the Google Security Team, who are working on a fix. In the meantime, they recommend making sure you're not logged in to your Google account when you're using an unsecured network.
Although you can protect your searches themselves by using Google's HTTPS search, that is not enough on its own: many of the other pages to which the same cookie is sent don't offer HTTPS as an option, so the cookie still goes out in the clear the moment you visit one of them.
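To make the cookie behaviour behind this concrete, here is an added example that is not code from the article or from Toubiana and Verdot's plugin. It uses Python's standard `http.cookiejar`, which applies the same domain, path and Secure rules a browser does, to show why a cookie scoped to a whole domain and issued without the Secure attribute leaks over plaintext HTTP even when the user only ever searches over HTTPS, and how a Firesheep-style tool lifts it from a captured request and replays it. The cookie name `SESSION`, its value, the `.google.com` scope, the list of URLs, the captured request and the `/history/` path are all constructed for the illustration and are not real Google values; the hardened variant with `Secure; HttpOnly` is the fix the example assumes, which the article itself does not spell out.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed Set-Cookie headers (not real Google values). The first is shaped like
# the weak case described in the article: a session cookie scoped to the whole
# .google.com domain with no Secure attribute. The second is the hardened form.
WEAK_SET_COOKIE = "SESSION=abc123; Domain=.google.com; Path=/"
HARDENED_SET_COOKIE = "SESSION=abc123; Domain=.google.com; Path=/; Secure; HttpOnly"

# Constructed stand-ins for the properties that share the cookie.
SHARED_URLS = [
    "https://www.google.com/search?q=test",  # encrypted search: cookie is protected
    "http://maps.google.com/",               # plaintext page: cookie on the wire
    "http://www.youtube.com/",               # other domain: cookie not sent at all
]


class _HeadersOnlyResponse:
    """Minimal stand-in for an HTTP response; CookieJar only ever calls .info()."""

    def __init__(self, set_cookie_header):
        self._msg = Message()
        self._msg["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._msg


def jar_from_set_cookie(set_cookie_header, issuing_url="https://www.google.com/"):
    """Store the cookie the way a browser would after a login over HTTPS."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(_HeadersOnlyResponse(set_cookie_header),
                        urllib.request.Request(issuing_url))
    return jar


def cookie_header_for(jar, url):
    """Cookie header the browser would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # applies the domain, path and Secure rules
    return req.get_header("Cookie")


def plaintext_exposures(set_cookie_header, urls=SHARED_URLS):
    """URLs at which the cookie would travel over unencrypted HTTP, i.e. where a
    sniffer on the same hotspot could read it."""
    jar = jar_from_set_cookie(set_cookie_header)
    return [u for u in urls if u.startswith("http://") and cookie_header_for(jar, u)]


def harvest_cookie(raw_request):
    """Pull the Cookie header out of a captured plaintext HTTP request, as a
    Firesheep-style sniffer does, and return it as a dict of name -> value."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)
    return {}


def replay_request(host, path, cookies):
    """Build the request an attacker would send with the stolen cookie.
    Returned as bytes and never sent here; the path is an assumed placeholder."""
    cookie = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n".encode()


if __name__ == "__main__":
    print("weak cookie leaks at:", plaintext_exposures(WEAK_SET_COOKIE))
    print("hardened cookie leaks at:", plaintext_exposures(HARDENED_SET_COOKIE))
    # Constructed capture of the victim's plaintext request to Maps.
    captured = ("GET / HTTP/1.1\r\nHost: maps.google.com\r\n"
                "Cookie: SESSION=abc123; PREF=x\r\n\r\n")
    print(replay_request("www.google.com", "/history/", harvest_cookie(captured)).decode())
```

With the weak header, `plaintext_exposures` reports `http://maps.google.com/`: the jar hands the cookie to every host under `.google.com` regardless of scheme, which is the mechanism behind the article's warning that HTTPS search alone does not help. With the Secure attribute set, the jar withholds the cookie from every `http://` request and the list is empty, so there is nothing on the wire for a sniffer to harvest; the remaining step, marking the cookie Secure or serving the affected pages only over HTTPS, is the server-side fix this example assumes.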
If you don't use Web History, or you've never heard of it, you may want to visit your search history page and disable it.
For more information on this research you can download Toubiana and Verdot’s paper “Show Me Your Cookie And I Will Tell You Who You Are” from arxiv.org.
You might also like to watch our video showing you how to counter Firesheep and its friends, even on unencrypted WiFi: