Hackers Can Intercept Sensitive Data over Search Engines
Researchers at Indiana University and Microsoft have demonstrated that you can find and intercept a host of sensitive data over popular search engines. The researchers were able to access health records, search queries, family income and numerous other bits of sensitive information.
By analyzing the size and other attributes of the exchanges between a user and the search engine, researchers were able to determine what type of sensitive data was present. Then, using man-in-the-middle attacks, they were able to acquire the information even when it was encrypted using WPA, SSL of Wi-Fi Protected Access.
“Our research shows that surprisingly detailed sensitive user data can be reliably inferred from the web traffic of a number of high-profile, top-of-the-line web applications,” the researchers wrote. “An eavesdropper can infer the medications/surgeries/illnesses of the user, her annual family income and investment choices and money allocations, even though the web traffic is protected by HTTPS. We also show that even in a corporate building that deploys the up-to-date WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit outside the building to glean the query words entered into employees’ laptops, as if they were exposed in plain text in the air.”
In the paper, the researchers argue that any solutions must be application specific.
“Effective and efficient mitigations have to be application-specific: developers will need to identify the vulnerabilities first, and then specify mitigation policies accordingly,” the researchers wrote. “This effort requires analysis of web application semantics, information flow and network traffic patterns.”
The paper can be viewed here
Related posts:
