Risk
1/26/2010
05:49 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Fixes Toolbar Privacy Flaw

Prompted by a report on a privacy problem affecting its browser toolbar add-on, Google has addressed the issue with an update.

In a report published on Tuesday, Harvard assistant professor and security researcher Benjamin Edelman presented findings about a privacy flaw in the Google Toolbar, Web browser add-on software that makes Google Search more easily accessible through Internet Explorer and Firefox.

In order to do things like compute the PageRank of visited Web pages or list Related Web Pages, the Google Toolbar sends the URLs of Web pages that users view to Google's servers. The Google Toolbar does so only after the user allows this data to be sent.

But the Google Toolbar turns out to be less attentive to users who seek to disable page tracking. Though a user may choose to disable the Enhanced Features that prompt Web page tracking, the Google Toolbar does not respond, at least until the user restarts his or her browser.

"I'm reminded of The Eagles' Hotel California," muses Edelman in his report. "'You can check out anytime you like, but you can never leave.'"

Edelman acknowledges in a disclosure statement that he has served as a consultant for Google's competitors and has litigated against the company on behalf of plaintiffs. But such relationships, though invariably mentioned by Google representatives, do not change the validity of his findings.

Indeed, Google has acknowledged that its Toolbar wasn't working as it should have been and has issued fix.

"To be clear, this is only an issue until a user restarts the browser, and it only affects the currently open tabs for a small number of users," said a Google spokesperson in an e-mailed statement. "Specifically it affects those using Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 in Internet Explorer, with enhanced features enabled, who chose to disable Toolbar without uninstalling it. Once the user restarts the browser, the issue is no longer present. A fix that doesn't require a browser restart is now available on www.google.com/toolbar and in an automatic update to Google Toolbar that we are starting tomorrow."

Google has become more attentive to privacy issues in the past two years as critics have increasingly depicted the company's appetite for data as a threat.

While Google's popularity suggests that the majority of users trust the company and aren't all that worried about potential privacy risks, competitors nonetheless see online privacy as a point of differentiation.

Search engine Ixquick, for example, plans later this week to introduce a way to browse Web sites privately, using a proxy service, to complement its search service that does not track users.

Online application provider and storage service TransMedia recently changed the default search engine in its Glide OS service from Google to Bing as a show of support for Microsoft's data retention period reduction and promised not to use user data for targeted advertising. The company is also looking into a new legal structure for cloud computing that offers users stronger privacy protection.

Whether privacy moves beyond being something that's theoretically desirable but sacrificed for convenience or discounts remains to be seen. Past efforts to sell privacy as a consumer service failed because the market wasn't there. Moreover, the ongoing success of services like Facebook suggests that sharing trumps privacy.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0607
Published: 2014-07-24
Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file.

CVE-2014-1419
Published: 2014-07-24
Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.

CVE-2014-2360
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage.

CVE-2014-2361
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode.

CVE-2014-2362
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.