-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Google Search and Gmail Correlation - Full Disclosure
February 23, 2005

I. INTRODUCTION

Google appears to be correlating searches on Google's site with Gmail accounts, potentially creating privacy concerns for Gmail users.

II. DESCRIPTION

Perhaps others are aware of this, but it came as a bit of a surprise to me, since I rarely do packet dumps while performing Google searches, but it seems that Google is correlating searches with Gmail accounts - even if the user has logged out of Gmail.

In the course of performing some network and software testing, I ended up going to Google and performing some basic searches to ensure my network tweaks were functioning properly. I also happened to be running some packet captures at the same time. While viewing the packet captures, I noticed some odd parameters being passed by my browser to Google - Gmail account information.

I thought I may have still been logged into Gmail, so I logged out of Gmail and performed the search again, and again my Gmail account was associated with the search. I then went into Firefox's cookie configuration and deleted the Gmail cookie, performed the search again at Google, and now my Gmail information was no longer associated with the search.
Here are the relevant packet dumps:

<-- Not logged into Gmail and no cookie present on system -->

02/18-10:10:32.469169 192.168.111.8:33252 -> 216.239.63.104:80
TCP TTL:64 TOS:0x0 ID:21327 IpLen:20 DgmLen:603 DF
***AP*** Seq: 0x3B8327E2 Ack: 0x2DE8A304 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3699894 6991645
47 45 54 20 2F 73 65 61 72 63 68 3F 68 6C 3D 65  GET /search?hl=e
6E 26 71 3D 68 69 6A 61 63 6B 2B 74 68 69 73 26  n&q=hijack+this&
62 74 6E 47 3D 47 6F 6F 67 6C 65 2B 53 65 61 72  btnG=Google+Sear
63 68 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73  ch HTTP/1.1..Hos
74 3A 20 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F  t: www.google.co
6D 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D  m..User-Agent: M
6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B  ozilla/5.0 (X11;
20 55 3B 20 4C 69 6E 75 78 20 69 36 38 36 3B 20   U; Linux i686; 
65 6E 2D 55 53 3B 20 72 76 3A 31 2E 37 2E 35 29  en-US; rv:1.7.5)
20 47 65 63 6B 6F 2F 32 30 30 34 31 31 30 37 20   Gecko/20041107 
46 69 72 65 66 6F 78 2F 31 2E 30 0D 0A 41 63 63  Firefox/1.0..Acc
65 70 74 3A 20 74 65 78 74 2F 78 6D 6C 2C 61 70  ept: text/xml,ap
70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 2C 61 70  plication/xml,ap
70 6C 69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B  plication/xhtml+
78 6D 6C 2C 74 65 78 74 2F 68 74 6D 6C 3B 71 3D  xml,text/html;q=
30 2E 39 2C 74 65 78 74 2F 70 6C 61 69 6E 3B 71  0.9,text/plain;q
3D 30 2E 38 2C 69 6D 61 67 65 2F 70 6E 67 2C 2A  =0.8,image/png,*
2F 2A 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74  /*;q=0.5..Accept
2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73  -Language: en-us
2C 65 6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70  ,en;q=0.5..Accep
74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70  t-Encoding: gzip
2C 64 65 66 6C 61 74 65 0D 0A 41 63 63 65 70 74  ,deflate..Accept
2D 43 68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38  -Charset: ISO-88
35 39 2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37  59-1,utf-8;q=0.7
2C 2A 3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 41  ,*;q=0.7..Keep-A
6C 69 76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65  live: 300..Conne
63 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76  ction: keep-aliv
65 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70  e..Referer: http
3A 2F 2F 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F  ://www.google.co
6D 2F 0D 0A 43 6F 6F 6B 69 65 3A 20 50 52 45 46  m/..Cookie: PREF
3D 49 44 3D 37 34 30 39 64 63 64 66 65 36 61 38  =ID=7409dcdfe6a8
38 32 38 62 3A 54 4D 3D 31 31 30 38 37 34 36 36  828b:TM=11087466
31 38 3A 4C 4D 3D 31 31 30 38 37 34 36 36 31 38  18:LM=1108746618
3A 53 3D 71 36 47 4A 41 4D 47 66 50 4A 66 4B 6A  :S=q6GJAMGfPJfKj
54 55 50 0D 0A 0D 0A                             TUP....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

<-- Not logged into Gmail but Gmail cookie still on my system -->

02/18-10:13:27.109702 192.168.111.8:33262 -> 216.239.63.104:80
TCP TTL:64 TOS:0x0 ID:20271 IpLen:20 DgmLen:838 DF
***AP*** Seq: 0x459C51DB Ack: 0x72CB0C4B Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 3874561 6991994
47 45 54 20 2F 73 65 61 72 63 68 3F 68 6C 3D 65  GET /search?hl=e
6E 26 6C 72 3D 26 71 3D 67 6F 6F 67 6C 65 2B 67  n&lr=&q=google+g
6D 61 69 6C 26 62 74 6E 47 3D 53 65 61 72 63 68  mail&btnG=Search
20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A   HTTP/1.1..Host:
20 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D   www.google.com.
0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A  .User-Agent: Moz
69 6C 6C 61 2F 35 2E 30 20 28 58 31 31 3B 20 55  illa/5.0 (X11; U
3B 20 4C 69 6E 75 78 20 69 36 38 36 3B 20 65 6E  ; Linux i686; en
2D 55 53 3B 20 72 76 3A 31 2E 37 2E 35 29 20 47  -US; rv:1.7.5) G
65 63 6B 6F 2F 32 30 30 34 31 31 30 37 20 46 69  ecko/20041107 Fi
72 65 66 6F 78 2F 31 2E 30 0D 0A 41 63 63 65 70  refox/1.0..Accep
74 3A 20 74 65 78 74 2F 78 6D 6C 2C 61 70 70 6C  t: text/xml,appl
69 63 61 74 69 6F 6E 2F 78 6D 6C 2C 61 70 70 6C  ication/xml,appl
69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D  ication/xhtml+xm
6C 2C 74 65 78 74 2F 68 74 6D 6C 3B 71 3D 30 2E  l,text/html;q=0.
39 2C 74 65 78 74 2F 70 6C 61 69 6E 3B 71 3D 30  9,text/plain;q=0
2E 38 2C 69 6D 61 67 65 2F 70 6E 67 2C 2A 2F 2A  .8,image/png,*/*
3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D 4C  ;q=0.5..Accept-L
61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 2C 65  anguage: en-us,e
6E 3B 71 3D 30 2E 35 0D 0A 41 63 63 65 70 74 2D  n;q=0.5..Accept-
45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 64  Encoding: gzip,d
65 66 6C 61 74 65 0D 0A 41 63 63 65 70 74 2D 43  eflate..Accept-C
68 61 72 73 65 74 3A 20 49 53 4F 2D 38 38 35 39  harset: ISO-8859
2D 31 2C 75 74 66 2D 38 3B 71 3D 30 2E 37 2C 2A  -1,utf-8;q=0.7,*
3B 71 3D 30 2E 37 0D 0A 4B 65 65 70 2D 41 6C 69  ;q=0.7..Keep-Ali
76 65 3A 20 33 30 30 0D 0A 43 6F 6E 6E 65 63 74  ve: 300..Connect
69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 0D  ion: keep-alive.
0A 52 65 66 65 72 65 72 3A 20 68 74 74 70 3A 2F  .Referer: http:/
2F 77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 2F  /www.google.com/
73 65 61 72 63 68 3F 68 6C 3D 65 6E 26 71 3D 68  search?hl=en&q=h
69 6A 61 63 6B 2B 74 68 69 73 26 62 74 6E 47 3D  ijack+this&btnG=
47 6F 6F 67 6C 65 2B 53 65 61 72 63 68 0D 0A 43  Google+Search..C
6F 6F 6B 69 65 3A 20 50 52 45 46 3D 49 44 3D 37  ookie: PREF=ID=7
34 30 39 64 63 64 66 65 36 61 38 38 32 38 62 3A  409dcdfe6a8828b:
54 4D 3D 31 31 30 38 37 34 36 36 31 38 3A 4C 4D  TM=1108746618:LM
3D 31 31 30 38 37 34 36 37 37 32 3A 47 4D 3D 31  =1108746772:GM=1
3A 53 3D 62 30 41 5F 6F 4D 7A 38 38 43 45 4E 61  :S=b0A_oMz88CENa
36 4F 72 3B 20 54 5A 3D 34 32 30 3B 20 47 4D 41  6Or; TZ=420; GMA
49 4C 5F 4C 4F 47 49 4E 3D 31 31 30 38 37 34 36  IL_LOGIN=1108746
37 35 37 33 32 34 2F 31 31 30 38 37 34 36 37 35  757324/110874675
37 33 32 34 2F 31 31 30 38 37 34 36 37 37 36 34  7324/11087467764
30 36 2F 31 31 30 38 37 34 36 37 37 38 30 36 31  06/1108746778061
2F 31 31 30 38 37 34 36 37 37 38 35 35 39 2F 31  /1108746778559/1
31 30 38 37 34 36 37 38 30 31 34 32 2F 31 31 30  108746780142/110
38 37 34 36 37 38 30 34 37 34 2F 66 61 6C 73 65  8746780474/false
2F 66 61 6C 73 65 3B 20 53 3D 67 6D 61 69 6C 3D  /false; S=gmail=
32 49 31 55 50 63 47 49 67 33 51 3A 67 6D 70 72  2I1UPcGIg3Q:gmpr
6F 78 79 3D 4B 6D 6F 30 4D 6C 44 37 34 36 51 3B  oxy=Kmo0MlD746Q;
20 47 4D 41 49 4C 5F 52 54 54 3D 32 33 38 0D 0A   GMAIL_RTT=238..
0D 0A                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

As you can see, Gmail information is being passed to the Google server as part of my search request as long as I have a Gmail cookie on my system. None of the Gmail parameters in the search request seemed to obviously match with the parameters of the Gmail cookie, but when the cookie isn't on the system, no Gmail info is passed to the Google search servers.

III. IMPACT

It seems to me that Google is correlating search terms and potentially clicked-through links with my Gmail account. When I signed up for a Gmail account, I understood that Google would crawl my e-mails - which I was okay with. I was not under the impression that my searches through Google would be correlated with my Gmail account, and was surprised to see that logging out of Gmail did not completely remove any Gmail cookies from my system.

I'm not sure why Google would do such a thing, but when I have my tinfoil hat on I can come up with some theories, many of which would masquerade as search "enhancements". I'm curious to know what the rest of you think.

IV. WORKAROUND

Delete your Gmail cookies immediately following a log out of Gmail and do not perform Google searches while logged into Gmail.

V. VENDOR RESPONSE

I didn't contact Google because this isn't a bug.

Thanks,
Cody Hatch

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkIdVU8ACgkQKUIrW/hBVexjxACgmr+JORGNw4ECc2sPmrl2+EOlvvEA
nA5r89rPbjrPnuDR4P2Dfa8BCXiz
=ZPQd
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
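
The comparison the post makes by eye, as an added example that is not part of the original message: rebuild each HTTP request from a hex+ASCII dump of the kind shown above and report which cookies were added or changed between two captures. The two short captures are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample captures (not the post's) in the same 16-bytes-per-row layout.
HEAD = """\
47 45 54 20 2F 73 65 61 72 63 68 3F 71 3D 78 20  GET /search?q=x
48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74 3A 20  HTTP/1.1..Host:
77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D 0D 0A  www.google.com..
43 6F 6F 6B 69 65 3A 20 50 52 45 46 3D 49 44 3D  Cookie: PREF=ID=
"""
NO_GMAIL_COOKIE = HEAD + "31 0D 0A 0D 0A" + " " * 35 + "1....\n"
GMAIL_COOKIE_LEFT = HEAD + (
    "31 3B 20 47 4D 41 49 4C 5F 52 54 54 3D 32 33 38  1; GMAIL_RTT=238\n"
    "0D 0A 0D 0A" + " " * 38 + "....\n")

# Assumption: uppercase hex pairs, short rows space-padded before the ASCII column.
HEX_ROW = re.compile(r"(?:[0-9A-F]{2}(?: |$)){1,16}")

def dump_to_bytes(dump):
    """Rebuild the payload from the hex column; other lines are skipped."""
    payload = bytearray()
    for line in dump.splitlines():
        match = HEX_ROW.match(line.strip())
        if match:
            payload += bytes.fromhex(match.group(0))
    return bytes(payload)

def request_cookies(payload):
    """Return (Host header, {cookie name: value}) for one HTTP/1.x request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for pair in headers.get("cookie", "").split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name] = value
    return headers.get("host", ""), cookies

def cookie_delta(before_dump, after_dump):
    """Cookies added or changed between two captured requests."""
    _, before = request_cookies(dump_to_bytes(before_dump))
    _, after = request_cookies(dump_to_bytes(after_dump))
    return {k: v for k, v in after.items() if before.get(k) != v}

if __name__ == "__main__":
    print(cookie_delta(NO_GMAIL_COOKIE, GMAIL_COOKIE_LEFT))
```

Capture header lines (timestamps, TCP flags, separators) do not match the row pattern and are ignored, so a saved dump can be passed in unedited.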