Issue seems to be fixed, only affected Chrome and Firefox

Oct 29, 2015 10:44 GMT

An MIT researcher has uncovered a privacy hole in Google's search engine, one that inadvertently leaks a user's previous search query if he copy-pastes his current search results URL and shares it with someone else.

The researcher who came across this issue is Jeremy Rubin, founder of Tidbit, technical director at the MIT Bitcoin Project, and founder and senior technical advisor for the Digital Currency Initiative @ MIT Media Lab.

Mr. Rubin first noticed something wrong when he received a copy-pasted Google search URL from one of his friends. The URL in question had the following pattern:

https://www.google.com/search?q=first+search&ie=utf-8&oe=utf-8#q=second+search

Apparently, Google was storing the last two search queries in the URL shown in the user's browser: the earlier one in the query string, and the most recent one in the fragment after the # sign.

Only affected Chrome and Firefox users

After a quick investigation, Mr. Rubin was able to determine that this behavior manifested in only a single scenario, and only in the Chrome and Firefox browsers.

If someone used the (browser) search bar to search for "term A" and then typed "term B" inside the normal search field on the Google website, both term A and term B would be stored in the page's URL.

This is not such an out-of-the-ordinary scenario, since many people start searching for a term using the browser search bar and later refine it from the search window. If the two queries differ widely in subject, users who copy-paste and share the URL can leak sensitive information they did not intend to share.
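
The check below is an added example, not code from the original article or from Google. It inspects a copied results URL for the pattern shown above and builds a link that carries only the current query. The function names are hypothetical, and it assumes, from the article's URL pattern, that the fragment holds the search currently on screen.

```javascript
// Added example: inspect a search-results URL before sharing it.
// The "q" parameter and the "#q=" fragment form come from the URL pattern
// quoted in the article; the function names are hypothetical.

function inspectSearchUrl(raw) {
  const url = new URL(raw);
  // Query string: the earlier search, sent to the server.
  const queryTerm = url.searchParams.get("q");
  // Fragment: not sent to the server, but copied along with the URL.
  const fragParams = new URLSearchParams(url.hash.replace(/^#/, ""));
  const fragmentTerm = fragParams.get("q");
  // Two different terms in one URL means the earlier search travels with the link.
  const leaksEarlierQuery =
    queryTerm !== null && fragmentTerm !== null && queryTerm !== fragmentTerm;
  return { queryTerm, fragmentTerm, leaksEarlierQuery };
}

function shareableSearchUrl(raw) {
  const url = new URL(raw);
  const { queryTerm, fragmentTerm } = inspectSearchUrl(raw);
  // Assumption: the fragment is the search on screen; otherwise use the query string.
  const current = fragmentTerm !== null ? fragmentTerm : queryTerm;
  if (current === null) return raw; // not a URL in this pattern; leave untouched
  // Rebuild from origin and path so no other parameter or fragment is carried over.
  const clean = new URL(url.origin + url.pathname);
  clean.searchParams.set("q", current);
  return clean.toString();
}

// Constructed sample input following the article's pattern.
const sample =
  "https://www.google.com/search?q=first+search&ie=utf-8&oe=utf-8#q=second+search";
console.log(inspectSearchUrl(sample));
console.log(shareableSearchUrl(sample));
```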

Google's staff were notified of the problem

Mr. Rubin said that he contacted Google, but the company declined to fix the issue.

Comments on the Medium post where he disclosed this problem showed that the issue also affected Safari browsers.

Later on, users started reporting that the behavior stopped manifesting in Google's search query URLs, which we can confirm as well since we weren't able to reproduce it in our tests.

We've reached out to Mr. Rubin to confirm that this issue is now fixed and to get more details about his dealings with Google's staff.

UPDATE: Mr. Rubin has answered our email with some details he received from Google's staff.

"I emailed with the security contact at Google and they basically said that this is the intended behavior," said Mr. Rubin.

"They suggested the reason for this behavior is to reduce the bandwidth needed to show new results," Mr. Rubin continued. "HTML5 features make this anchor-changing behavior unneeded, but Google has chosen a more platform-independent solution as the most bandwidth sensitive users may not have HTML5."