
A Chrome Extension Leaks Your History

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, May 6, 2010.

  1. The Scarlet Pimp

    Invisible Hand Chrome Extension Leaks Your Google History to Online Stores

    Firefox extension Invisible Hand quietly shows web shoppers better prices. The Chrome version, it seems, has some interesting privacy concerns attached to it, which could potentially relay what you've been doing on the web to Amazon and other online merchants.

    Since Chrome (and Internet Explorer) do not "sandbox" background HTTP requests from installed extensions, or separate them from other tabs, the extension's efforts to find deals and discounts will be recorded as separate searches on Amazon and other sites, even though you never actually made those searches yourself.

    This may be fine for some users; in fact, it could be helpful when you're shopping, but not for more privacy conscious users, or those that don't want certain Google searches influencing their "recommended for you" list on Amazon's homepage.

    While searches are leaked to all stores, Amazon is the only site to use them so prominently.

    The solution? There's always incognito mode, with Invisible Hand and similar extensions disabled, although that isn't necessarily practical if you want to protect all your Google searches, since you'd have to have it running pretty much all the time.

    You could also use Firefox instead of Chrome, which, due to HTTP sandboxing, does not have this problem with the Invisible Hand extension.

    There's also a preference within the extension to turn it off for Google searches, which will stop the leak through Google, though searches on other stores such as, say, BestBuy.com will still leak to Amazon.

    Probably your best option is to disable the extension altogether, and re-enable it only when you're in a session dedicated to online shopping, since Chrome extensions are super easy to turn on and off.

    Chrome won't even require a restart if you enable and disable an extension in such a manner.

    Hit the link for more detailed information about the leak and why the behavior isn't likely to change soon.

    http://www.cnet.com/8301-31361_1-20004265-254.html

    http://lifehacker.com/5532639/invis...on-leaks-your-google-history-to-online-stores