Upload File

poster - emiliano de cristofaro

1
Private Information Disclosure from Web Searches Claude Castelluccia 1 , Emiliano De Cristofaro 2 , Daniele Perito 1 1 INRIA Rhone Alpes, Montbonnot, France 2 University of California - Irvine http://planete.inrialpes.fr/projects/private-information-disclosure-from-web-searches The Session Hijack Attack 1 Listen passively on a unencrypted channel (e.g., wi-fi hotspot). 2 Capture an HTTP Authentication Cookie. 3 Replay captured cookie to impersonate a user. Session Hijacking is very well-known and can be prevented by transmitting authentication cookies only over HTTPS. Google Authentication All Google services are accessible with a single set of credentials. Authentication to all services is done on the Accounts page (on HTTPS). Services considered “sensitive” (e.g., Gmail) are then served on HTTPS. All other services (including Google Search) are then served on HTTP. Hint: A service using HTTP cookie-based authentication is sensible to Session Hijacking. Session Hijacking on Google We monitored the INRIA network for 2-weeks, and explored the percentage of successfully hijacked accounts for the following Google services: Type of information leaked Corresponding service Accessible Accounts Blogs followed on Reader Reader 15% Address book Contacts 87% Maps search history Maps 79% Default address on Maps Maps 5% Financial portfolio Portfolio 1% First/Last name Maps profile 75% Bookmarks Bookmarks 27% Google Web History Available at www.google.com/history. It is an opt-out service that stores all Web searches conducted by a signed-in user. Google’s Protection: To prevent session hijacking, signed-in users are asked to re-enter their credentials to access Web History. Figure: An example of a user’s Google Web History. Google Personalized Services Personalized Results. Search results are personalized based on user search history. Personalized Suggestions. User receives max 3 as-you-type keyword suggestions based on previously conducted searches. History suggestions Generic suggestions Figure: An example of Google Personalized Suggestions. Hint: Authentication to Google Search is implemented using HTTP cookies. The Historiographer The Historiographer is an inference attack that reconstructs a user’s Web History and circumvents Google’s stricter access control policy. 1 Capture the HTTP authentication cookie used by the victim accessing Google Search. 2 Replay the cookie to conduct searches while impersonating the victim. 3 Exploit the personalized suggestions to discover searches previously conducted by the victim. Suggestions start to be sent already after 2- or 3-letter keystrokes. 4 Reconstruct the victim’s Web History. Access control Authorized access Unauthorized access Sensitive data (History) Non-sensitive data (Suggestions) Infer/reconstruct Figure: The Historiographer inference attack. The attack is much more powerful than monitoring the victim’s network: it potentially retrieves all searches conducted by the victim, even if done from different networks and different computers. Google’s Countermeasures After receiving a preliminary report, Google disabled the personalized sug- gestions for several weeks. Later on, Google started encrypting back-end server requests associated with personalized suggestions. Note, however, that searches conducted from mobile phones are still vulnerable. Additional information and discussion is available on the project page. Tree Algorithm We use a tree-based algorithm to optimally trade-off the attack’s accuracy with the number of requests. We only simulate the keystrokes of the most frequent 2-letter prefixes. Only if 3 suggestions are returned, there may be additional entries in the Web History, thus, we add another letter, as in the example below. co re in ... oc ya de con com ... coe cof 3 results 1 result stop 2 results stop (1) (2) Within a few hundred simulated keystrokes, one can retrieve a conspicuous portion of Web History. Experimental Results We ran the Historiographer on 2-weeks anonymized traffic from INRIA internal network, a TOR exit node, and on 10 volunteers. 1 Number of potential victims. Percentage of users searching on Google while signed-in and with Web History enabled: 45%. 2 Historiographer’s accuracy. Percentage of entries recovered from the Web History (on volunteers): 60% with 400 requests. The Privacy Threats Many Google services are still vulnerable to simple session hijacking. Several studies have showed that user searches are to be considered highly sensitive: the Historiographer may severely endanger user privacy. Data exposed by the Web History may be combined with other publicly available data or location-based services. Personalized Services (personalized searches, but also personalized results) leak private information and must be provided over encrypted channels. Although focused on specific features of Google, we do not aim to attack Google – other search engines, e.g., Bing, also presents similar vulnerabilities. We highlight the general problem of protecting privacy of sensitive data when using mixed architecture with both secure and insecure connections.

Upload: others

Post on 11-Feb-2022

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Poster - Emiliano De Cristofaro

Private Information Disclosure from Web SearchesClaude Castelluccia1, Emiliano De Cristofaro2, Daniele Perito1

1INRIA Rhone Alpes, Montbonnot, France 2University of California - Irvinehttp://planete.inrialpes.fr/projects/private-information-disclosure-from-web-searches

The Session Hijack Attack

1 Listen passively on a unencrypted channel (e.g., wi-fi hotspot).2 Capture an HTTP Authentication Cookie.3 Replay captured cookie to impersonate a user.Session Hijacking is very well-known and can be prevented by transmittingauthentication cookies only over HTTPS.

Google Authentication

• All Google services are accessible with a single set of credentials.• Authentication to all services is done on the Accounts page (on HTTPS).

• Services considered “sensitive” (e.g., Gmail) are then served on HTTPS.• All other services (including Google Search) are then served on HTTP.

Hint: A service using HTTP cookie-based authentication is sensible to SessionHijacking.

Session Hijacking on Google

We monitored the INRIA network for 2-weeks, and explored the percentage ofsuccessfully hijacked accounts for the following Google services:

Type of information leaked Corresponding service Accessible AccountsBlogs followed on Reader Reader 15%

Address book Contacts 87%Maps search history Maps 79%

Default address on Maps Maps 5%Financial portfolio Portfolio 1%First/Last name Maps profile 75%

Bookmarks Bookmarks 27%

Google Web History

• Available at www.google.com/history.• It is an opt-out service that stores all Web searches conducted by asigned-in user.

• Google’s Protection: To prevent session hijacking, signed-in users areasked to re-enter their credentials to access Web History.

Figure: An example of a user’s Google Web History.

Google Personalized Services

• Personalized Results. Search results are personalized based on usersearch history.

• Personalized Suggestions. User receives max 3 as-you-type keywordsuggestions based on previously conducted searches.

Historysuggestions

Genericsuggestions

Figure: An example of Google Personalized Suggestions.

Hint: Authentication to Google Search is implemented using HTTP cookies.

The Historiographer

The Historiographer is an inference attack that reconstructs a user’s WebHistory and circumvents Google’s stricter access control policy.1 Capture the HTTP authentication cookie used by the victim accessingGoogle Search.

2 Replay the cookie to conduct searches while impersonating the victim.3 Exploit the personalized suggestions to discover searches previouslyconducted by the victim.• Suggestions start to be sent already after 2- or 3-letter keystrokes.

4 Reconstruct the victim’s Web History.

Access control

Authorized access Unauthorized access

Sensitive data (History)Non-sensitive data(Suggestions) Infer/reconstruct

Figure: The Historiographer inference attack.

The attack is much more powerful than monitoring the victim’s network: itpotentially retrieves all searches conducted by the victim, even if done fromdifferent networks and different computers.

Google’s Countermeasures

After receiving a preliminary report, Google disabled the personalized sug-gestions for several weeks. Later on, Google started encrypting back-endserver requests associated with personalized suggestions. Note, however,that searches conducted from mobile phones are still vulnerable. Additionalinformation and discussion is available on the project page.

Tree Algorithm

• We use a tree-based algorithm to optimally trade-off the attack’s accuracywith the number of requests.

• We only simulate the keystrokes of the most frequent 2-letter prefixes.• Only if 3 suggestions are returned, there may be additional entries in theWeb History, thus, we add another letter, as in the example below.

co re in ... oc yade

con com ... coe cof

3 results 1 result

stop

2 results

stop

(1)

(2)

Within a few hundred simulated keystrokes, one can retrieve a conspicuousportion of Web History.

Experimental Results

We ran the Historiographer on 2-weeks anonymized traffic from INRIA internalnetwork, a TOR exit node, and on 10 volunteers.1 Number of potential victims. Percentage of users searching on Googlewhile signed-in and with Web History enabled: ∼45%.

2 Historiographer’s accuracy. Percentage of entries recovered from theWeb History (on volunteers): ∼60% with ∼400 requests.

The Privacy Threats

• Many Google services are still vulnerable to simple session hijacking.• Several studies have showed that user searches are to be consideredhighly sensitive: the Historiographer may severely endanger user privacy.

• Data exposed by the Web History may be combined with other publiclyavailable data or location-based services.

• Personalized Services (personalized searches, but also personalizedresults) leak private information and must be provided over encryptedchannels.

Although focused on specific features of Google, we do not aim to attackGoogle – other search engines, e.g., Bing, also presents similar vulnerabilities.We highlight the general problem of protecting privacy of sensitive data whenusing mixed architecture with both secure and insecure connections.

www.google.com/history

Emiliano Gonzalez 84

Sonia Cristofaro (University of Pavia) · Sonia Cristofaro - TypoLing 2016, Porquerolles, 14/9/2016 4 For example, there is a universal whereby, if accusative case marking is used

Unboxing the White-Box - Riscure · 2019. 4. 30. · Unboxing the White-Box Practical attacks against Obfuscated Ciphers Eloi Sanfelix [email protected] Cristofaro Mune [email protected]

Who was Emiliano Zapata?

A Comparative Usability Study of Two-Factor Authentication Emiliano de Cristofaro 1, Honglu Du 2, Julien Freudiger 2, Gregory Norcie 3 UCL 1, PARC 2, Indiana

Privacy in Content Oriented Networking: Threats and countermeasures Abdelberi Chaabane, Emiliano De Cristofaro, Mohamed Ali Kaafar, and Ersin Uzun

Emiliano Duch Workshop

Emiliano Duch

Camino Neocatecumenal - Emiliano Jimenez Hernandez

Emiliano Zapata Elementary Academy - …schoolreports.cps.edu/CIWP_2012/SchoolID609973... · Emiliano Zapata Elementary Academy ... quarterly meetings concerning high school and higher

INSTITUCIÓN EDUCATIVA EMILIANO GARCÍAmaster2000.net/recursos/menu/10/385/mper_arch_1561_planeacion 9... · sombreadas. INSTITUCIÓN EDUCATIVA EMILIANO GARCÍA Girardota –Antioquia

Curriculum Vitae de Emiliano

Web Services Invocation over BluetoothWeb Services Invocation over Bluetooth Auletta Vincenzo, Blundo Carlo, De Cristofaro Emiliano, Raimato Guerriero Dipartimento di Informatica ed

Paying for Likes? Understanding Facebook Like Fraud Using ... · PDF filePaying for Likes? Understanding Facebook Like Fraud Using Honeypots Emiliano De Cristofaro University College

1, Roberta Baronio Emiliano De Cristofaro · 2012-08-23 · children genetic diseases with Mendelian inheritance [1] 8 Imagefrom:&dnares.in& [1] V. McKusick and S. Antonarakis. Mendelian

Emiliano Zapata: Figure, Image, Symbol

Clarisa Valdez...Portfolio. Created for Mad Samurai Productions and Daniel DiMarco 2 Movie Poster Design Art Direction and Design Juggernaut 2017. ... Created for Piano and Emiliano

EMILIANO MAGGI - OPERATIVA ARTE

Emiliano Zapata, biografia para niños

1 Do I Know You? Efficient, Privacy-Preserving Protocols for Finding Common Friends Marcin Nagy, Aalto University (joint work with Emiliano De Cristofaro,

Massimo de Cristofaro Head, New Methods for Training National School of Government

Emiliano CV- updated - JAN-2016

Emiliano Zapata

Alexandros Mittos*, Bradley Malin, and Emiliano De Cristofaro … · 2019-08-02 · one hundred thousand patients, focusing on rare diseases and cancer [Gen17]. The rise of data-driven

Emiliano Moretti - Palermo

Paying for Likes? Understanding Facebook Like Fraud · PDF filePaying for Likes? Understanding Facebook Like Fraud Using Honeypots Emiliano De Cristofaro University Colege London London,

joint work with Nikhil Savale Dan Cristofaro-Gardiner

Cristofaro-Method for Mandolin

Emiliano Presentation JAN -2016

Prof. Emiliano Casalicchio

Emiliano Sampaio Mereneu Project

Emiliano bernasconi career path update

Deaf/Hard of Hearing Special Education Part 1 Kayla Domingues & Veronica Di Cristofaro

Resume- CV- ilustrador/illustrator- Emiliano Villani

Emiliano Zapata Elementary Academy