Caution: Copy-Pasting URLs from Google Search can Leak Previous Searches

Note: This information has been disclosed to Google appropriately, they have chosen to not fix this behavior.

The other day, my friend sent me a link to a page of search results. I clicked the link, and before I arrived at the page she intended I ever so briefly saw another page of search results, for a pretty generic word she didn’t know the definition of and had used a couple sentences ago.

I almost wrote it off, but I realized this wrong.

What was going on here?

I looked at the URL she sent me, and it looked something like this https://www.google.com/search?q=first+search&ie=utf-8&oe=utf-8#q=second+search.

To replicate a creating a URL like this:

1. Go to Chrome or Firefox
2. Search $X from the search bar, then search $Y from the search page.
3. The URL at the top has both searches $X and $Y in the url query string.

It should be obvious why this is a problem. Users who don’t read the entire query string on copy-paste may accidentally send sensitive searches to third parties. And it’s not just hypothetical, my friend did embarrass herself by not knowing the definition of a generic word.

When I explained to my friend how I was able to figure out that she had looked up the word, she sent back to me the following URL: https://www.google.com/search?q=penis+enlarger&oq=penis+&aqs=chrome.0.69i59j69i65j69i57j0l3.998j0j7&sourceid=chrome&es_sm=91&ie=UTF-8#q=hamlet+the+play. You can use your imagination on the kinds of information people might accidentally leak in this manner.

Implications for Phishing:

Such behavior can also be used in a generic phishing attack, as follows:

Dear $W,

I am a researcher in country $X, where google search is not available. I would greatly appreciate if you could send me the results from searching “$Y” on google as well as the URL should I need to reference it later.

Best,

$Z

With some luck, the user will have used an existing search session and by disclosing the URL will disclose some prior searches. Perhaps these searches contain sensitive information.

Who is to blame?

One might say that the user is responsible because they copied their information and they pasted it — surely if they cared they would have made sure their link was correct. However, this behavior does not meet user’s expectations that a URL is “safe to share”, nor does it meet their real-word behavior of blindly copy-pasting URLs, especially for something like search results.

Imagine if you went to the library, checked out a couple books about your embarrassing medical condition, returned them, and then checked out a copy of 1984. You later tell your friend that 1984 was really great and when they go to check it out they also see what you checked out last time you were at the library! Well, it turns out that 48 states have laws to protect the privacy of library records. Google’s automatic inclusion of prior search terms is a similar violation of a user’s privacy expectations, and they should fix it.

In the mean time, please double check your URLs before sending them to someone else, even on pages that don’t seem to be sensitive, and remind your friends and family to do the same.