Stealing Search Engine Queries with JavaScript

RESOLVED DUPLICATE of bug 147777

Status

()

Core
General
RESOLVED DUPLICATE of bug 147777
12 years ago
8 years ago

People

(Reporter: chris hofmann, Unassigned)

Tracking

Trunk
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

12 years ago
reported at the above URL.  opening this bug to continue the investigation
(Reporter)

Comment 1

12 years ago
PoC appears to be limited to visiting the search term stealing site in the same window where a previous google search page was loaded and used for a search.  

Searches from other browser windows, other tabs, or the chrome don't appear to be tracable from the stealing site.  Anyone else able to confirm this?
This looks to me like a variation of bug 147777... Not a JS Engine issue, anyways.
Assignee: general → nobody
Component: JavaScript Engine → General
QA Contact: general → general

*** This bug has been marked as a duplicate of 147777 ***
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
What the script here is doing is just constructing what it thinks the query string would be for a given search site and a given query to see if it is visited.
(In reply to comment #1)
> Searches from other browser windows, other tabs, or the chrome don't appear to
> be tracable from the stealing site.  

But if we fixed our History implementation, they might be.

As for chrome searches, it could be that they just don't check for the correct URL form. In fact, looking at their source code, they only check for a few very limited variations of each search URL. The POC doesn't work for me, for example, because they only check for:

http://www.google.com/search?hl=en&q=[REPLACE] http://www.google.com/search?hl=en&q=[REPLACE]&btnG=Google+Search     http://www.google.com/search?hl=en&lr=&q=[REPLACE]&btnG=Search  http://www.google.com/search?hl=en&lr=&safe=off&q=[REPLACE]&btnG=Search

but my URLs come out as:
http://www.google.co.uk/search?hl=en&q=[REPLACE]&btnG=Google+Search&meta=
so there are two differences - the .co.uk and the &meta=.

That's not to try and minimise the impact; just an observation.

Search engines and other generators of search URLs could fix this with an &nonce=4f3c or equivalent on the URLs. 

Gerv
You need to log in before you can comment on or make changes to this bug.