Web Security : Stealing Search Engine Queries with JavaScript
Posted by Max on 2006/9/30 17:40:31 (963 reads)

SPI Labs has discovered a practical method of using JavaScript to detect the search queries a user has entered into arbitrary search engines. All the code needed to steal a user's search queries is written in JavaScript and uses Cascading Style Sheets (CSS). This code could be embedded into any website either by the website owner or by a malicious third party through a Cross-site Scripting (XSS) attack. There it would harvest information about every visitor to that site.

Possible uses:

- An HMO's website could check if a visitor has been searching other sites about cancer, cancer treatments, or drug rehab centers.

- Advertising networks could gather information about which topics someone is interested in, based on their search history, and use that to enhance their customer databases.

- Government websites could see if a visitor has been searching for bomb-making instructions.

SPI has published a whitepaper about this technique and has also released proof-of-concept code that will steal search engine queries. It works solidly in Firefox; IE support is a little shaky on multi-word queries.

Whitepaper: http://www.spidynamics.com/assets/documents/JS_SearchQueryTheft.pdf

Proof of Concept: http://www.spidynamics.com/spilabs/js-search/index.html



