
googleEvil.txt

Posted Feb 26, 2005
Authored by Cody Hatch

Google appears to be correlating searches on Google's site with Gmail accounts, potentially creating privacy concerns for Gmail users.

tags | advisory
SHA-256 | 4aecf53c7deac8ce922ae2fb3f70cc37ba25f0787c4b5dac13f401164f288252

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Google Search and Gmail Correlation - Full Disclosure

February 23, 2005

I. INTRODUCTION

Google appears to be correlating searches on Google's site with
Gmail accounts, potentially creating privacy concerns for Gmail
users.

II. DESCRIPTION

Perhaps others are aware of this, but it came as a bit of a
surprise to me, since I rarely do packet dumps while performing
Google searches, but it seems that Google is correlating searches
with Gmail accounts - even if the user has logged out of Gmail.

In the course of performing some network and software testing, I
ended up going to Google and performing some basic searches to
ensure my network tweaks were functioning properly. I also happened
to be running some packet captures at the same time. While viewing
the packet captures, I noticed some odd parameters being passed by
my browser to Google - Gmail account information.

I thought I may have still been logged into Gmail, so I logged out
of Gmail and performed the search again, and again my Gmail account
was associated with the search. I then went into Firefox's cookie
configuration and deleted the Gmail cookie, performed the search
again at Google, and now my Gmail information was no longer
associated with the search.

Here are the relevant packet dumps:

<-- Not logged into Gmail and no cookie present on system -->

02/18-10:10:32.469169 192.168.111.8:33252 -> 216.239.63.104:80
TCP TTL:64 TOS:0x0 ID:21327 IpLen:20 DgmLen:603 DF
***AP*** Seq: 0x3B8327E2 Ack: 0x2DE8A304 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3699894 6991645
47 45 54 20 2F 73 65 61 72 63 68 3F 68 6C 3D 65 GET /search?hl=e
6E 26 71 3D 68 69 6A 61 63 6B 2B 74 68 69 73 26 n&q=hijack+this&
62 74 6E 47 3D 47 6F 6F 67 6C 65 2B 53 65 61 72 btnG=Google+Sear
63 68 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 ch HTTP/1.1..Hos
74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F t: www.google.co
6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D m..User-Agent: M
6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B ozilla/5.0 (X11;
20 55 3B 20 4C 69 6E 75 78 20 69 36 38 36 3B 20 U; Linux i686;
65 6E 2D 55 53 3B 20 72 76 3A 31 2E 37 2E 35 29 en-US; rv:1.7.5)
20 47 65 63 6B 6F 2F 32 30 30 34 31 31 30 37 20 Gecko/20041107
46 69 72 65 66 6F 78 2F 31 2E 30 0D 0A 41 63 63 Firefox/1.0..Acc
65 70 74 3A 20 74 65 78 74 2F 78 6D 6C 2C 61 70 ept: text/xml,ap
70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 2C 61 70 plication/xml,ap
70 6C 69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B plication/xhtml+
78 6D 6C 2C 74 65 78 74 2F 68 74 6D 6C 3B 71 3D xml,text/html;q=
30 2E 39 2C 74 65 78 74 2F 70 6C 61 69 6E 3B 71 0.9,text/plain;q
3D 30 2E 38 2C 69 6D 61 67 65 2F 70 6E 67 2C 2A =0.8,image/png,*
2F 2A 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 /*;q=0.5..Accept
2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 -Language: en-us
2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 ,en;q=0.5..Accep
74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 t-Encoding: gzip
2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 74 ,deflate..Accept
2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 -Charset: ISO-88
35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 59-1,utf-8;q=0.7
2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 41 ,*;q=0.7..Keep-A
6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 live: 300..Conne
63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 ction: keep-aliv
65 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 e..Referer: http
3A 2F 2F 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F ://www.google.co
6D 2F 0D 0A 43 6F 6F 6B 69 65 3A 20 50 52 45 46 m/..Cookie: PREF
3D 49 44 3D 37 34 30 39 64 63 64 66 65 36 61 38 =ID=7409dcdfe6a8
38 32 38 62 3A 54 4D 3D 31 31 30 38 37 34 36 36 828b:TM=11087466
31 38 3A 4C 4D 3D 31 31 30 38 37 34 36 36 31 38 18:LM=1108746618
3A 53 3D 71 36 47 4A 41 4D 47 66 50 4A 66 4B 6A :S=q6GJAMGfPJfKj
54 55 50 0D 0A 0D 0A TUP....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+

<-- Not logged into Gmail but Gmail cookie still on my system -->

02/18-10:13:27.109702 192.168.111.8:33262 -> 216.239.63.104:80
TCP TTL:64 TOS:0x0 ID:20271 IpLen:20 DgmLen:838 DF
***AP*** Seq: 0x459C51DB Ack: 0x72CB0C4B Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3874561 6991994
47 45 54 20 2F 73 65 61 72 63 68 3F 68 6C 3D 65 GET /search?hl=e
6E 26 6C 72 3D 26 71 3D 67 6F 6F 67 6C 65 2B 67 n&lr=&q=google+g
6D 61 69 6C 26 62 74 6E 47 3D 53 65 61 72 63 68 mail&btnG=Search
20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A HTTP/1.1..Host:
20 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D www.google.com.
0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A .User-Agent: Moz
69 6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55 illa/5.0 (X11; U
3B 20 4C 69 6E 75 78 20 69 36 38 36 3B 20 65 6E ; Linux i686; en
2D 55 53 3B 20 72 76 3A 31 2E 37 2E 35 29 20 47 -US; rv:1.7.5) G
65 63 6B 6F 2F 32 30 30 34 31 31 30 37 20 46 69 ecko/20041107 Fi
72 65 66 6F 78 2F 31 2E 30 0D 0A 41 63 63 65 70 refox/1.0..Accep
74 3A 20 74 65 78 74 2F 78 6D 6C 2C 61 70 70 6C t: text/xml,appl
69 63 61 74 69 6F 6E 2F 78 6D 6C 2C 61 70 70 6C ication/xml,appl
69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D ication/xhtml+xm
6C 2C 74 65 78 74 2F 68 74 6D 6C 3B 71 3D 30 2E l,text/html;q=0.
39 2C 74 65 78 74 2F 70 6C 61 69 6E 3B 71 3D 30 9,text/plain;q=0
2E 38 2C 69 6D 61 67 65 2F 70 6E 67 2C 2A 2F 2A .8,image/png,*/*
3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D 4C ;q=0.5..Accept-L
61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 2C 65 anguage: en-us,e
6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D n;q=0.5..Accept-
45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 64 Encoding: gzip,d
65 66 6C 61 74 65 0D 0A 41 63 63 65 70 74 2D 43 eflate..Accept-C
68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39 harset: ISO-8859
2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A -1,utf-8;q=0.7,*
3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 41 6C 69 ;q=0.7..Keep-Ali
76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74 ve: 300..Connect
69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D ion: keep-alive.
0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F .Referer: http:/
2F 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F /www.google.com/
73 65 61 72 63 68 3F 68 6C 3D 65 6E 26 71 3D 68 search?hl=en&q=h
69 6A 61 63 6B 2B 74 68 69 73 26 62 74 6E 47 3D ijack+this&btnG=
47 6F 6F 67 6C 65 2B 53 65 61 72 63 68 0D 0A 43 Google+Search..C
6F 6F 6B 69 65 3A 20 50 52 45 46 3D 49 44 3D 37 ookie: PREF=ID=7
34 30 39 64 63 64 66 65 36 61 38 38 32 38 62 3A 409dcdfe6a8828b:
54 4D 3D 31 31 30 38 37 34 36 36 31 38 3A 4C 4D TM=1108746618:LM
3D 31 31 30 38 37 34 36 37 37 32 3A 47 4D 3D 31 =1108746772:GM=1
3A 53 3D 62 30 41 5F 6F 4D 7A 38 38 43 45 4E 61 :S=b0A_oMz88CENa
36 4F 72 3B 20 54 5A 3D 34 32 30 3B 20 47 4D 41 6Or; TZ=420; GMA
49 4C 5F 4C 4F 47 49 4E 3D 31 31 30 38 37 34 36 IL_LOGIN=1108746
37 35 37 33 32 34 2F 31 31 30 38 37 34 36 37 35 757324/110874675
37 33 32 34 2F 31 31 30 38 37 34 36 37 37 36 34 7324/11087467764
30 36 2F 31 31 30 38 37 34 36 37 37 38 30 36 31 06/1108746778061
2F 31 31 30 38 37 34 36 37 37 38 35 35 39 2F 31 /1108746778559/1
31 30 38 37 34 36 37 38 30 31 34 32 2F 31 31 30 108746780142/110
38 37 34 36 37 38 30 34 37 34 2F 66 61 6C 73 65 8746780474/false
2F 66 61 6C 73 65 3B 20 53 3D 67 6D 61 69 6C 3D /false; S=gmail=
32 49 31 55 50 63 47 49 67 33 51 3A 67 6D 70 72 2I1UPcGIg3Q:gmpr
6F 78 79 3D 4B 6D 6F 30 4D 6C 44 37 34 36 51 3B oxy=Kmo0MlD746Q;
20 47 4D 41 49 4C 5F 52 54 54 3D 32 33 38 0D 0A GMAIL_RTT=238..
0D 0A ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+

As you can see, Gmail information is being passed to the Google
server as part of my search request as long as I have a Gmail
cookie on my system. None of the Gmail parameters in the search
request seemed to obviously match with the parameters of the Gmail
cookie, but when the cookie isn't on the system, no Gmail info is
passed to the Google search servers.

III. IMPACT

It seems to me that Google is correlating search terms and
potentially clicked-through links with my Gmail account. When I
signed up for a Gmail account, I understood that Google would crawl
my e-mails - which I was okay with. I was not under the impression
that my searches through Google would be correlated with my Gmail
account, and was surprised to see that logging out of Gmail did not
completely remove any Gmail cookies from my system.

I'm not sure why Google would do such a thing, but when I have my
tinfoil hat on I can come up with some theories, many of which
would masquerade as search "enhancements". I'm curious to know what
the rest of you think.

IV. WORKAROUND

Delete your Gmail cookies immediately following a log out of Gmail
and do not perform Google searches while logged into Gmail.

V. VENDOR RESPONSE

I didn't contact Google because this isn't a bug.

Thanks,
Cody Hatch
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkIdVU8ACgkQKUIrW/hBVexjxACgmr+JORGNw4ECc2sPmrl2+EOlvvEA
nA5r89rPbjrPnuDR4P2Dfa8BCXiz
=ZPQd
-----END PGP SIGNATURE-----
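
Added example (not part of the original advisory): the cookie comparison the advisory makes by eye, done programmatically over hex+ASCII dump rows like the ones above. The sample requests are constructed, with cookie names taken from the captures and placeholder values; all function names are this example's own.

```python
import re
from itertools import islice, takewhile

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def payload_from_dump(dump: str) -> bytes:
    """Rebuild payload bytes from hex+ASCII rows (at most 16 bytes per row)."""
    out = bytearray()
    for row in dump.strip().splitlines():
        # Trust only the leading hex column; the ASCII column is lossy.
        hex_tokens = takewhile(HEX_BYTE.match, islice(row.split(), 16))
        out += bytes(int(tok, 16) for tok in hex_tokens)
    return bytes(out)

def request_cookies(payload: bytes) -> dict:
    """Return {name: value} from the Cookie header of a raw HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            pairs = (p.strip().partition("=") for p in value.split(";"))
            return {k: v for k, _, v in pairs if k}
    return {}

def cookie_diff(before_dump: str, after_dump: str) -> dict:
    """Compare the cookies sent in two dumped requests, by cookie name."""
    a = request_cookies(payload_from_dump(before_dump))
    b = request_cookies(payload_from_dump(after_dump))
    return {"added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys()),
            "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k])}

def _as_dump(payload: bytes) -> str:
    """Render bytes as hex+ASCII rows; used only to build the sample below."""
    rows = []
    for i in range(0, len(payload), 16):
        chunk = payload[i:i + 16]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(" ".join(f"{b:02X}" for b in chunk) + "  " + text)
    return "\n".join(rows)

# Constructed sample: cookie names follow the advisory, values are placeholders.
_HEAD = b"GET /search?hl=en&q=test HTTP/1.1\r\nHost: www.google.com\r\n"
BEFORE = _as_dump(_HEAD + b"Cookie: PREF=ID=constructed:LM=1\r\n\r\n")
AFTER = _as_dump(_HEAD + b"Cookie: PREF=ID=constructed:LM=2:GM=1; TZ=420; "
                 b"GMAIL_LOGIN=0/false; S=gmail=x; GMAIL_RTT=1\r\n\r\n")

if __name__ == "__main__":
    print(cookie_diff(BEFORE, AFTER))
```

Packet header rows (timestamp, TTL, TCP flags) contribute no bytes because they do not start with a two-digit hex token, so a whole capture section can be passed in as is.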



