SANS Digital Forensics and Incident Response Blog

Google Privacy tip of the day

by Jeff Bryner

If I keep writing on Google and forensics, they'll probably re-arrange my searches someday to all return kittenwar. However, just for you I'll sacrifice my sanity to pass on a helpful tidbit about Google Toolbar.

Whether you're looking to determine information about what's in the toolbar, or looking to protect your privacy, you may be interested to know that on startup the toolbar retrieves the favicon.ico file of all sites in your bookmark list.

I don't normally use it, but in deciphering some web traffic I had a hunch to work out, so I tested it against XP and IE. I bookmarked two sites, rebooted and restarted IE with a blank home page. The network traffic on starting IE shows hits to the bookmarked sites just after a hit to Google:

www.google.com/notebook/token?zx=3SZEx
www.google.com/notebook/toolbar/?cmd=list&tok= \
aRBAwIlBy_NYqYTlGJBr6wjUPYs%3A1233632528845&num=12000&zx=LbDcf&min=1233614147935&all=1
whitehouse.gov/favicon.ico
www.whitehouse.gov/favicon.ico
microsoft.com/favicon.ico
www.microsoft.com/favicon.ico

I had bookmarked microsoft.com and whitehouse.gov without the www; the toolbar apparently follows redirects, as does wget:

wget http://microsoft.com/favicon.ico
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.microsoft.com/favicon.ico [following]
HTTP request sent, awaiting response... 200 OK
Length: 3638 (3.6K) [image/x-icon]
Saving to: `favicon.ico'

The traffic won't show in the index.dat file of IE, because IE didn't do it, the user didn't do it. The toolbar did it as a favor to you so when you pull down the bookmark list your icons will be there so you recognize the site.

Now on the surface that may not seem like such a big deal, but it all depends on the sensitivity of what you've got bookmarked. Nuff said?
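Since index.dat will not record these fetches, a network capture or proxy log is where they show up. The sketch below is an added example, not code from the original post: it walks an ordered request list and reports the hosts whose favicon.ico was fetched right after the toolbar's list call. The function names are hypothetical, and the pattern it matches is assumed from the single capture shown above.

```python
from urllib.parse import urlsplit, parse_qs

# Request list from the post's capture, in order (scheme omitted as in the post).
CAPTURE = [
    "www.google.com/notebook/token?zx=3SZEx",
    "www.google.com/notebook/toolbar/?cmd=list&tok="
    "aRBAwIlBy_NYqYTlGJBr6wjUPYs%3A1233632528845&num=12000&zx=LbDcf&min=1233614147935&all=1",
    "whitehouse.gov/favicon.ico",
    "www.whitehouse.gov/favicon.ico",
    "microsoft.com/favicon.ico",
    "www.microsoft.com/favicon.ico",
]

def _split(url):
    # The capture lists URLs without a scheme; add one so urlsplit finds the host.
    return urlsplit(url if "://" in url else "http://" + url)

def is_toolbar_list(url):
    """True for the toolbar's bookmark-list request seen in the capture."""
    u = _split(url)
    return (u.hostname == "www.google.com"
            and u.path.startswith("/notebook/toolbar/")
            and parse_qs(u.query).get("cmd") == ["list"])

def inferred_bookmarks(requests):
    """Hosts whose favicon.ico was fetched right after the toolbar's list call."""
    hosts, armed = [], False
    for url in requests:
        if is_toolbar_list(url):
            armed = True
            continue
        if not armed:
            continue
        u = _split(url)
        if u.path != "/favicon.ico":
            armed = False  # the burst of icon fetches has ended
            continue
        # www.<host> requested right after <host> is the redirect being
        # followed, not a second bookmark.
        if hosts and u.hostname == "www." + hosts[-1]:
            continue
        hosts.append(u.hostname)
    return hosts

if __name__ == "__main__":
    print(inferred_bookmarks(CAPTURE))
```

A favicon request on its own proves little, since browsers fetch icons during normal browsing; it is the burst of them directly after the toolbar request that matches the behavior described here.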

Jeff Bryner, GCFA Gold #137, also holds the CISSP and GCIH certifications, occasionally teaches for SANS and performs forensics, intrusion analysis, and security architecture work on a daily basis. He just re-upped on GCFA and is now cramming procrastinating his studies for GCIH re-cert.