ClearSky Cyberdefense Forum

New Research :
With the success of Web applications, most of our data is
now stored on various third-party servers where they are pro-
cessed to deliver personalized services. Naturally we must
be authenticated to access this personal information, but
the use of personalized services only restricted by identi-
cation could indirectly and silently leak sensitive data. We analyzed Google Web Search access mechanisms and found that the current policy applied to session cookies could be used to retrieve users' personal data. We describe an at-
tack scheme leveraging the search personalization (based on
the same sid cookie) to retrieve a part of the victim's click
history and even some of her contacts. We implemented a
proof of concept of this attack on Firefox and Chrome Web
browsers and conducted an experiment with ten volunteers.
Thanks to this prototype we were able to recover up to 80%
of the user's search click history.
http://arxiv.org/PS_cache/arxiv/pdf/1108/1108.5864v1.pdf

This entry was posted on Sunday, September 11th, 2011 at 2:58 pm and is filed under חדשות. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.