Monday, October 14, 2013

The unfortunate cookies

Cookies sent over plain HTTP to Google websites can reveal information about a user


Disclaimer
The following has been reported to Google and is considered not an issue.

Recently, while visiting Google Scholar, I noticed that in the top right corner my Google username was displayed.

This appeared very strange to me, since I was not accessing this service over HTTPS. I fired up Wireshark and revisited Scholar once again. From the captured traffic it was obvious that my browser was sending a bunch of cookies over plain HTTP. I stored these cookies to a file, imported them into a Firefox private browsing window and visited Google Scholar once again. To my surprise my username was still there. Moreover, I was able to see my citations and my updates just as if I were signed in. By observing the cookies I noticed that most of them were for the domain *.google.gr, so as a next step I visited http://www.google.gr/ig in the same private session: all gadgets that do not require authentication (like weather) were there!

But the surprises continued. I edited the cookies file and replaced the domain *.google.gr with *.youtube.com, loaded the new file in a new Firefox private browsing window and visited http://www.youtube.com. As can be observed from the screenshot, my username, my subscriptions, as well as posts of my friends on Google+, were all there!


It is astonishing how much information about a user can be gained simply by monitoring a mere HTTP session.
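The root cause of what is described above is a session cookie set without the `Secure` attribute: a browser attaches such a cookie to every matching `http://` request, so it travels in the clear. The following is an added example, not code from the original post or from Google, showing how a defender can audit `Set-Cookie` headers for this. The header values, domain (`example.com`) and cookie names are constructed for illustration; the domain and path matching follows RFC 6265.

```python
"""Audit Set-Cookie headers for cookies that a browser would send over plain HTTP.

Added example with constructed sample data; nothing here is captured from a real site.
"""
from urllib.parse import urlparse

# Constructed sample Set-Cookie headers, as a server might emit them (not real values).
SAMPLE_HEADERS = [
    "SID=sid-value-1; Domain=.example.com; Path=/; Expires=Tue, 14 Oct 2014 10:00:00 GMT",
    "HSID=hsid-value-2; Domain=.example.com; Path=/; HttpOnly",
    "SSID=ssid-value-3; Domain=.example.com; Path=/; Secure; HttpOnly",
    "PREF=pref-value-4; Domain=.example.com; Path=/",
    "APISID=api-value-5; Path=/accounts; Secure",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header into name, value and the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": None, "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            # A leading dot is ignored; the cookie then matches the domain and all subdomains.
            cookie["domain"] = val.strip().lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie


def domain_matches(cookie_domain, host):
    """RFC 6265 domain matching: the host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent_to(cookies, url):
    """Return the names of the cookies a browser would attach to a request for `url`."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    is_https = parsed.scheme == "https"
    sent = []
    for c in cookies:
        if c["secure"] and not is_https:
            continue  # Secure cookies are never sent over plain HTTP
        if c["domain"] is None or not domain_matches(c["domain"], host):
            continue
        if not (parsed.path or "/").startswith(c["path"]):
            continue
        sent.append(c["name"])
    return sent


def audit(headers, origin_host):
    """Flag, per cookie, the attributes whose absence exposes it on an http:// request.

    `origin_host` is the host that set the cookies; cookies without a Domain
    attribute are host-only and bound to it.
    """
    cookies = [parse_set_cookie(h) for h in headers]
    for c in cookies:
        if c["domain"] is None:
            c["domain"] = origin_host.lower()
    exposed = set(cookies_sent_to(cookies, "http://" + origin_host + "/"))
    findings = {}
    for c in cookies:
        issues = []
        if c["name"] in exposed:
            issues.append("missing Secure: sent in clear over HTTP")
        if not c["httponly"]:
            issues.append("missing HttpOnly: readable by page scripts")
        findings[c["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_HEADERS, "www.example.com").items():
        print(name, "->", "OK" if not issues else "; ".join(issues))
```

Run against the constructed headers, only `SSID` passes both checks; `SID`, `HSID` and `PREF` are sent to any `http://` host under `example.com`, which is exactly the exposure the post describes. The fix on the server side is to set `Secure` (and `HttpOnly`) on every session cookie and to serve the site only over HTTPS, so there is no plain-HTTP request for the browser to attach them to.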

Edit 1:
Even if the user logs out, the captured cookies continue to reveal the same information.