lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <451D64B9.5070306@mozilla.org>
Date: Fri, 29 Sep 2006 11:23:53 -0700
From: Chris Hofmann <chofmann@...illa.org>
To: Billy Hoffman <Billy.Hoffman@...dynamics.com>
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: Re: [WEB SECURITY] Stealing Search Engine Queries
	with JavaScript


I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=354861 for 
tracking the investigation in Firefox.

Chris Hofmann

Billy Hoffman wrote:
> SPI Labs has discovered a practical method of using JavaScript to 
> detect the search queries a user has entered into arbitrary search 
> engines. All the code needed to steal a user's search queries is 
> written in JavaScript and uses Cascading Style Sheets (CSS). This code 
> could be embedded into any website either by the website owner or by a 
> malicious third party through a Cross-site Scripting (XSS) attack. 
> There it would harvest information about every visitor to that site.
>
>  
>
> Possible uses:
>
> -HMO's website could check if a visitor has been searching other sites 
> about cancer, cancer treatments, or drug rehab centers.
>
> -Advertising networks could gather information about which topics 
> someone is interested based on their search history and use that to 
> echance their customer databases.
>
> -Government websites could see if a visitor has been searching for 
> bomb-making instructions.
>
>  
>
> SPI has published a whitepaper about this technique and has also 
> release proof  of concept code that will steal search engine queries. 
> Works solid in Firefox, and IE support is a little shaky on multi word 
> queries.
>
>  
>
> Whitepaper: 
> http://www.spidynamics.com/assets/documents/JS_SearchQueryTheft.pdf
>
> Proof of Concept: http://www.spidynamics.com/spilabs/js-search/index.html
>
>  
>
> Have fun,
>
> Billy Hoffman
>
> --
>
> Lead R&D Engineer
>
> SPI Dynamics -- http://www.spidynamics.com <http://www.spidynamics.com/>
>
> Phone: 678-781-4800
>
> Direct: 678-781-4845
>


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ