Risk
1/26/2010
05:49 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Fixes Toolbar Privacy Flaw

Prompted by a report on a privacy problem affecting its browser toolbar add-on, Google has addressed the issue with an update.

In a report published on Tuesday, Harvard assistant professor and security researcher Benjamin Edelman presented findings about a privacy flaw in the Google Toolbar, Web browser add-on software that makes Google Search more easily accessible through Internet Explorer and Firefox.

In order to do things like compute the PageRank of visited Web pages or list Related Web Pages, the Google Toolbar sends the URLs of Web pages that users view to Google's servers. The Google Toolbar does so only after the user allows this data to be sent.

But the Google Toolbar turns out to be less attentive to users who seek to disable page tracking. Though a user may choose to disable the Enhanced Features that prompt Web page tracking, the Google Toolbar does not respond, at least until the user restarts his or her browser.

"I'm reminded of The Eagles' Hotel California," muses Edelman in his report. "'You can check out anytime you like, but you can never leave.'"

Edelman acknowledges in a disclosure statement that he has served as a consultant for Google's competitors and has litigated against the company on behalf of plaintiffs. But such relationships, though invariably mentioned by Google representatives, do not change the validity of his findings.

Indeed, Google has acknowledged that its Toolbar wasn't working as it should have been and has issued fix.

"To be clear, this is only an issue until a user restarts the browser, and it only affects the currently open tabs for a small number of users," said a Google spokesperson in an e-mailed statement. "Specifically it affects those using Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 in Internet Explorer, with enhanced features enabled, who chose to disable Toolbar without uninstalling it. Once the user restarts the browser, the issue is no longer present. A fix that doesn't require a browser restart is now available on www.google.com/toolbar and in an automatic update to Google Toolbar that we are starting tomorrow."

Google has become more attentive to privacy issues in the past two years as critics have increasingly depicted the company's appetite for data as a threat.

While Google's popularity suggests that the majority of users trust the company and aren't all that worried about potential privacy risks, competitors nonetheless see online privacy as a point of differentiation.

Search engine Ixquick, for example, plans later this week to introduce a way to browse Web sites privately, using a proxy service, to complement its search service that does not track users.

Online application provider and storage service TransMedia recently changed the default search engine in its Glide OS service from Google to Bing as a show of support for Microsoft's data retention period reduction and promised not to use user data for targeted advertising. The company is also looking into a new legal structure for cloud computing that offers users stronger privacy protection.

Whether privacy moves beyond being something that's theoretically desirable but sacrificed for convenience or discounts remains to be seen. Past efforts to sell privacy as a consumer service failed because the market wasn't there. Moreover, the ongoing success of services like Facebook suggests that sharing trumps privacy.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.