Monday, October 14, 2013

The unfortunate cookies

Cookies sent over plain HTTP to Google websites can reveal information about a user

The following has been reported to Google and is considered not to be an issue.

Recently, while visiting Google Scholar, I noticed that my Google username was displayed in the top right corner.

This appeared very strange to me, since I was not accessing this service over HTTPS. I fired up Wireshark and visited Google Scholar once again. From the captured traffic it was obvious that my browser was sending a bunch of cookies over plain HTTP. I stored these cookies in a file, imported them into a Firefox private browsing window and visited Google Scholar once again. To my surprise, my username was still there. Moreover, I was able to see my citations and my updates just as if I were signed in. By looking at the cookies I noticed that most of them were set for the domain *, so as a next step I visited  in the same private session: all gadgets that do not require authentication (like weather) were there!

But the surprises continued. I edited the cookies file and replaced the domain * with *, loaded the new file into a new Firefox private browsing window and visited . As can be seen in the screenshot, my username, my subscriptions, as well as posts of my friends on Google+, were all there!

It is astonishing how much information about a user can be gained simply by monitoring a plain HTTP session.
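What makes the replay above possible is the way the cookies are scoped: a cookie without the Secure attribute is sent on every plain HTTP request, and a cookie whose Domain attribute covers a whole parent domain is sent to every host under it. The following audit script is an added example (not part of this post) that parses Set-Cookie headers and reports exactly those two weaknesses; the headers and the host names are constructed for illustration, not captured from Google.

```python
"""Audit Set-Cookie headers for attributes that let a cookie be replayed
over plain HTTP or shared across an entire domain (added example; the
sample headers and hosts below are constructed, not real captures)."""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs).
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header, origin_host):
    """Return the cookie name, its effective domain and a list of issues."""
    name, _value, attrs = parse_set_cookie(header)
    issues = []
    if not attrs.get("secure"):
        issues.append("missing Secure: browser sends it over plain HTTP")
    if not attrs.get("httponly"):
        issues.append("missing HttpOnly: readable by page scripts")
    # A leading dot in Domain is ignored by modern browsers (RFC 6265).
    domain = attrs.get("domain", origin_host).lstrip(".")
    if domain != origin_host:
        issues.append(f"Domain={domain}: shared with every subdomain")
    return {"name": name, "domain": domain, "issues": issues}


# Constructed sample: the kind of session cookies a sign-in host might set.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",
    "HSID=def456; Domain=.example.com; Path=/; HttpOnly",
    "SSID=ghi789; Domain=.example.com; Path=/; Secure; HttpOnly",
]
ORIGIN_HOST = "accounts.example.com"  # assumed host that set the cookies


def audit_all(headers=SAMPLE_HEADERS, origin_host=ORIGIN_HOST):
    return [audit_set_cookie(h, origin_host) for h in headers]


if __name__ == "__main__":
    for finding in audit_all():
        status = "; ".join(finding["issues"]) or "OK"
        print(f"{finding['name']:<5} domain={finding['domain']:<12} {status}")
```

Only the third sample cookie is safe from passive capture on HTTP; a cookie like the first one is exactly what a sniffer sees and what a private browsing window will happily replay.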

Edit 1:
Even if the user logs out, the captured cookies continue to reveal the same information.