Re: [Full-Disclosure] Google Search and Gmail Correlation

From: Ádám Szilveszter dr. (adam_at_nhh.hu)
Date: 02/24/05

    To: full-disclosure@lists.netsys.com
    Date: Thu, 24 Feb 2005 13:12:24 +0100
    
    

    Hello Cody,

    I think that what you are observing is this: the cookie you get when
    visiting your gmail account is valid for the whole google.com domain, and
    therefore will be transferred again when you do web searches as well.

    As you write, this is not a bug per se, the cookie mechanism is working as
    expected.

    It is also obvious that such an approach may raise privacy concerns.

    Now, *if* google wanted to mitigate this problem, it would be easy. They
    should migrate the gmail service web frontend to a subdomain (say:
    gmail.google.com) or even a whole new domain (gmail.com exists already but
    www.gmail.com merely redirects) and make the cookie only valid in that
    domain/subdomain.

    The question is, do they want to do this?

    And yes, for now, if you are privacy conscious, delete the cookie before
    doing a Google search (or using any other Google service).

    Regards:

    Szilveszter Adam
    Budapest
    Hungary
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
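
The cookie scoping described in the message, as an added example that is not part of the original post: it applies the RFC 6265 domain-match rule to the hostnames mentioned above and shows which requests carry the cookie. The cookie names and values, and www.google.com as the host that sets the domain-wide cookie, are assumptions.

```javascript
// Added example: RFC 6265 cookie scoping. Cookie names/values are constructed.

// RFC 6265 section 5.1.3: a host matches a cookie domain if they are identical
// or the host ends with "." + domain (so notgoogle.com does not match google.com).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie the way a browser does: with a Domain attribute it becomes a
// domain cookie; without one it is host-only (bound to the exact setting host).
function storeCookie(setByHost, name, value, domainAttr) {
  if (domainAttr === undefined) {
    return { name, value, domain: setByHost.toLowerCase(), hostOnly: true };
  }
  // A server may only set cookies for a domain it belongs to.
  if (!domainMatch(setByHost, domainAttr)) return null;
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  return { name, value, domain, hostOnly: false };
}

// Names of the cookies a browser would attach to a request for requestHost.
function cookiesSentTo(requestHost, jar) {
  const host = requestHost.toLowerCase();
  return jar
    .filter(c => c && (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map(c => c.name);
}

// Case 1: login cookie valid for the whole google.com domain (assumed setter host).
const wideJar = [storeCookie("www.google.com", "ID_WIDE", "constructed", ".google.com")];
// Case 2: the mitigation, a host-only cookie on the hypothetical gmail.google.com.
const scopedJar = [storeCookie("gmail.google.com", "ID_MAIL", "constructed")];
// Case 3: the other option, a separate domain (www.gmail.com).
const separateJar = [storeCookie("www.gmail.com", "ID_MAIL", "constructed")];

for (const [label, jar] of [["wide", wideJar], ["scoped", scopedJar], ["separate", separateJar]]) {
  for (const host of ["www.google.com", "gmail.google.com", "www.gmail.com"]) {
    console.log(`${label.padEnd(8)} -> ${host.padEnd(17)} sends [${cookiesSentTo(host, jar)}]`);
  }
}
```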

