Risk
1/26/2010
05:49 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Google Fixes Toolbar Privacy Flaw

Prompted by a report on a privacy problem affecting its browser toolbar add-on, Google has addressed the issue with an update.

In a report published on Tuesday, Harvard assistant professor and security researcher Benjamin Edelman presented findings about a privacy flaw in the Google Toolbar, Web browser add-on software that makes Google Search more easily accessible through Internet Explorer and Firefox.

In order to do things like compute the PageRank of visited Web pages or list Related Web Pages, the Google Toolbar sends the URLs of Web pages that users view to Google's servers. The Google Toolbar does so only after the user allows this data to be sent.

But the Google Toolbar turns out to be less attentive to users who seek to disable page tracking. Though a user may choose to disable the Enhanced Features that prompt Web page tracking, the Google Toolbar does not respond, at least until the user restarts his or her browser.

"I'm reminded of The Eagles' Hotel California," muses Edelman in his report. "'You can check out anytime you like, but you can never leave.'"

Edelman acknowledges in a disclosure statement that he has served as a consultant for Google's competitors and has litigated against the company on behalf of plaintiffs. But such relationships, though invariably mentioned by Google representatives, do not change the validity of his findings.

Indeed, Google has acknowledged that its Toolbar wasn't working as it should have been and has issued fix.

"To be clear, this is only an issue until a user restarts the browser, and it only affects the currently open tabs for a small number of users," said a Google spokesperson in an e-mailed statement. "Specifically it affects those using Google Toolbar versions 6.3.911.1819 through 6.4.1311.42 in Internet Explorer, with enhanced features enabled, who chose to disable Toolbar without uninstalling it. Once the user restarts the browser, the issue is no longer present. A fix that doesn't require a browser restart is now available on www.google.com/toolbar and in an automatic update to Google Toolbar that we are starting tomorrow."

Google has become more attentive to privacy issues in the past two years as critics have increasingly depicted the company's appetite for data as a threat.

While Google's popularity suggests that the majority of users trust the company and aren't all that worried about potential privacy risks, competitors nonetheless see online privacy as a point of differentiation.

Search engine Ixquick, for example, plans later this week to introduce a way to browse Web sites privately, using a proxy service, to complement its search service that does not track users.

Online application provider and storage service TransMedia recently changed the default search engine in its Glide OS service from Google to Bing as a show of support for Microsoft's data retention period reduction and promised not to use user data for targeted advertising. The company is also looking into a new legal structure for cloud computing that offers users stronger privacy protection.

Whether privacy moves beyond being something that's theoretically desirable but sacrificed for convenience or discounts remains to be seen. Past efforts to sell privacy as a consumer service failed because the market wasn't there. Moreover, the ongoing success of services like Facebook suggests that sharing trumps privacy.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9710
Published: 2015-05-27
The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time windo...

CVE-2014-9715
Published: 2015-05-27
include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that trig...

CVE-2015-2666
Published: 2015-05-27
Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to t...

CVE-2015-2830
Published: 2015-05-27
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrate...

CVE-2015-2922
Published: 2015-05-27
The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.

Dark Reading Radio
Archived Dark Reading Radio
After a serious cybersecurity incident, everyone will be looking to you for answers -- but you’ll never have complete information and you’ll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?