| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <242a0a8f0609291218v7e533207m955c9dc9f8454c8d@mail.gmail.com> Date: Fri, 29 Sep 2006 15:18:44 -0400 From: "Brian Eaton" <eaton.lists@...il.com> Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org Subject: Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript On 9/29/06, Billy Hoffman <Billy.Hoffman@...dynamics.com> wrote: > Possible uses: > > -HMO's website could check if a visitor has been searching other sites about > cancer, cancer treatments, or drug rehab centers. > > -Advertising networks could gather information about which topics someone is > interested based on their search history and use that to echance their > customer databases. > > -Government websites could see if a visitor has been searching for > bomb-making instructions. Correct me if I'm wrong, but it looks like the technique only works if you can guess the entire set of search terms the user entered. For example, let's say I searched for "XSS hack". The technique won't work if the attacking web site checks only for "XSS", or only for "hack". The technique does reveal that I searched for "XSS hack" though. Regards, Brian _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists