Thread-topic: [WEB SECURITY] Stealing Search Engine Queries with JavaScript
þÔÏ ÔÏÌØËÏ ÌÀÄÉ ÎÅ ÐÒÉÄÕÍÁÀÔ ;-)
> -----Original Message-----
> From: Billy Hoffman [mailto:Billy.Hoffman@xxxxxxxxxxxxxxx]
> Sent: Friday, September 29, 2006 8:45 PM
> To: websecurity@xxxxxxxxxxxxx
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [WEB SECURITY] Stealing Search Engine Queries with JavaScript
>
> SPI Labs has discovered a practical method of using
> JavaScript to detect the search queries a user has entered
> into arbitrary search engines. All the code needed to steal a
> user's search queries is written in JavaScript and uses
> Cascading Style Sheets (CSS). This code could be embedded
> into any website either by the website owner or by a
> malicious third party through a Cross-site Scripting (XSS)
> attack. There it would harvest information about every
> visitor to that site.
>
>
>
> Possible uses:
>
> -HMO's website could check if a visitor has been searching
> other sites about cancer, cancer treatments, or drug rehab centers.
>
> -Advertising networks could gather information about which
> topics someone is interested based on their search history
> and use that to echance their customer databases.
>
> -Government websites could see if a visitor has been
> searching for bomb-making instructions.
>
>
>
> SPI has published a whitepaper about this technique and has
> also release proof of concept code that will steal search
> engine queries. Works solid in Firefox, and IE support is a
> little shaky on multi word queries.
>
>
>
> Whitepaper:
>
>
> Proof of Concept:
>
>
>
>
> Have fun,
>
> Billy Hoffman
>
> --
>
> Lead R&D Engineer
>
> SPI Dynamics -
> <>
>
> Phone: 678-781-4800
>
> Direct: 678-781-4845
>
>
