Show Me Your Cookie And I Will Tell You Who You Are

TL;DR

This paper reveals that session cookies in web search services can be exploited to extract sensitive user data, such as click history and contacts, through a novel attack demonstrated on popular browsers.

Contribution

It uncovers a privacy vulnerability in web search personalization mechanisms and demonstrates an attack exploiting session cookies to retrieve personal user information.

Findings

Up to 80% of search click history can be recovered.

The attack works on Firefox and Chrome browsers.

Personal data can be indirectly leaked through session cookie analysis.

Abstract

With the success of Web applications, most of our data is now stored on various third-party servers where they are processed to deliver personalized services. Naturally we must be authenticated to access this personal information, but the use of personalized services only restricted by identification could indirectly and silently leak sensitive data. We analyzed Google Web Search access mechanisms and found that the current policy applied to session cookies could be used to retrieve users' personal data. We describe an attack scheme leveraging the search personalization (based on the same SID cookie) to retrieve a part of the victim's click history and even some of her contacts. We implemented a proof of concept of this attack on Firefox and Chrome Web browsers and conducted an experiment with ten volunteers. Thanks to this prototype we were able to recover up to 80% of the user's search click history.