Risk
1/26/2010
05:49 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Fixes Toolbar Privacy Flaw

Prompted by a report on a privacy problem affecting its browser toolbar add-on, Google has addressed the issue with an update.

In a report published on Tuesday, Harvard assistant professor and security researcher Benjamin Edelman presented findings about a privacy flaw in the Google Toolbar, Web browser add-on software that makes Google Search more easily accessible through Internet Explorer and Firefox.

In order to do things like compute the PageRank of visited Web pages or list Related Web Pages, the Google Toolbar sends the URLs of Web pages that users view to Google's servers. The Google Toolbar does so only after the user allows this data to be sent.

But the Google Toolbar turns out to be less attentive to users who seek to disable page tracking. Though a user may choose to disable the Enhanced Features that prompt Web page tracking, the Google Toolbar does not respond, at least until the user restarts his or her browser.

"I'm reminded of The Eagles' Hotel California," muses Edelman in his report. "'You can check out anytime you like, but you can never leave.'"

Edelman acknowledges in a disclosure statement that he has served as a consultant for Google's competitors and has litigated against the company on behalf of plaintiffs. But such relationships, though invariably mentioned by Google representatives, do not change the validity of his findings.

Indeed, Google has acknowledged that its Toolbar wasn't working as it should have been and has issued fix.

"To be clear, this is only an issue until a user restarts the browser, and it only affects the currently open tabs for a small number of users," said a Google spokesperson in an e-mailed statement. "Specifically it affects those using Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 in Internet Explorer, with enhanced features enabled, who chose to disable Toolbar without uninstalling it. Once the user restarts the browser, the issue is no longer present. A fix that doesn't require a browser restart is now available on www.google.com/toolbar and in an automatic update to Google Toolbar that we are starting tomorrow."

Google has become more attentive to privacy issues in the past two years as critics have increasingly depicted the company's appetite for data as a threat.

While Google's popularity suggests that the majority of users trust the company and aren't all that worried about potential privacy risks, competitors nonetheless see online privacy as a point of differentiation.

Search engine Ixquick, for example, plans later this week to introduce a way to browse Web sites privately, using a proxy service, to complement its search service that does not track users.

Online application provider and storage service TransMedia recently changed the default search engine in its Glide OS service from Google to Bing as a show of support for Microsoft's data retention period reduction and promised not to use user data for targeted advertising. The company is also looking into a new legal structure for cloud computing that offers users stronger privacy protection.

Whether privacy moves beyond being something that's theoretically desirable but sacrificed for convenience or discounts remains to be seen. Past efforts to sell privacy as a consumer service failed because the market wasn't there. Moreover, the ongoing success of services like Facebook suggests that sharing trumps privacy.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.