Two researchers have shown how a modded version of the Firesheep Wi-Fi sniffing tool can be used to access most of a victim's Google Web History and collect a record of everything an individual has searched for.
The core weakness discovered by the proof-of-concept attack devised by Vincent Toubiana and Vincent Verdot lies with what is called a Session ID (SID) cookie, used to identify a user to each service they access while logged in to one of Google's services.
Every time the user accesses an application, the same SID cookie is sent in the clear, which the Firesheep captures from the data sent to and from a PC connected to a non-encrypted public Wi-Fi hotspot.
Because many of Google's services use HTTPS (Gmail for instance), the attacker has to find a way to get the user to resend this SID. The most direct method is to set up a rogue access point and then use an iFrame to direct the user to a Google service (such as Alerts) that doesn't use an encrypted channel.
The attack also requires that the user has Google Web History tracking turned on. This is the system that keeps tabs of a user's search history and many people are not even aware exists because it is set as during Google's account setup procedure.
Testing the technique against 10 volunteers, the researchers were able to retrieve up to 82% of the links visited by them during the test period.
The only current defence against this attack is for users to remains signed out of Google while using a Wi-Fi hotspot or to set up a personal VPN. Users could also disable Google Web History or purge its contents.
Firesheep is a browser-based plug-in published a year ago by security developer Eric Butler to highlight security vulnerabilities in the way cookies for sites such as Facebook and Twitter were being exchanged across open Wi-Fi links without HTTPS turned on. Although not a new issue, Firesheep showed how easy it was to turn the flaw into a simple tool that could be used by any attacker.