Mulled Chrome API shines light on long-neglected privacy gap: Sites can snoop on your find-in-page searches
2020-05-27 05:04

"In particular, the page can know which section of text was found using find-in-page, fragment navigation, and scroll-to-text navigation," the documentation says, adding that developers could also glean information about what the user navigated to - via scroll-to-text navigation, or typed into a find-in-page search box - based on which section of the page receives an event.

The privacy risk of beforematch is not that of key logging - recording exactly what a web page user typed into a search dialog.

In other words, the privacy problem here - that users don't expect a search on a locally loaded web page to be potentially readable like a search query sent out over the network - goes beyond Chromium's beforematch API. It's present in other APIs.

In an email to The Register, Serge Egelman, director of usable security and privacy at the International Computer Science Institute in Berkeley, California, and CTO of privacy analysis biz AppCensus.io, said he recently came across an ad tech company, AppsFlyer.com, that had implemented its own search box to handle find-in-page searches instead of relying on the built-in browser capability.

In a statement provided after this story was filed, a spokesperson for AppsFlyer said, "We implemented our own search within articles because some of the information needed by our customers cannot be accessed by native search. AppsFlyer does not collect or share search data. The last searches are stored locally in the browser for better user experience."


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/05/27/web_privacy_worries_trust_us/