Xmarks Smart Search invading privacy

March 3, 2010

...and revealing an underlying browser security problem...

At some point in time I installed foxmarks to synchronise my bookmarks between several computers, at home and at work. It did that, did that well, and did nothing more. Some time ago it changed it's name to Xmarks, and all of a sudden new features, like Smarter Search are enabled by default. Smarter Search will highlight the three top sites in your Google results based on how many people have bookmarked them.

To implement this feature, the Xmarks add-on modifies the search results returned by Google before they are being displayed. In fact, Xmark's privacy policy of September 24, 2009 states:

Unless you opt out, we anonymize, aggregate, and analyze the bookmarks of our users in order to provide a range of Search and Discovery services like Smarter Search, Suggested Tags, and Top Sites. [...] If you use an Xmarks Add-on, it will contact our servers periodically or in response to certain actions you take in your browser. [...] To provide the Smarter Search feature, the Add-on transmits the search query you entered and any search results you receive.

So the Xmarks servers get to see all the search queries I submit, and all the search results I receive. They also see whether I go to the next page - and maybe they even register whether I click a particular link in the search results... And all this harvesting of personal information without a warning, and simply relying on me to opt-out. I am not all that happy about Google collecting all this information about me, and now other parties are trying to collect the same database. And in the case of Xmarks, all this data is linked to your personal account. Any anonymisation towards Google, using a proxy for example, is nicely circumvented by Xmarks...

I have now disabled Smarter Search. But would prefer to see such privacy-invasive options to be disabled by default.

But there is a more fundamental problem lurking here.

From a security point of view, add-ons should not be able to interfere with your browsing session. They should not be able to see the http request being posted, or see and modify the page that is returned as a response. Such a feature enables all kinds of browser-in-the-middle (or rather add-on-in-the-middle) attacks. Like an add-on that interferes with your internet banking and modifies account numbers or transaction amounts. Such an add-on operates within the browser, and modifies the data after it leaves the protected SSL/TLS connection. So SSL/TLS is useless in this case.

The security model of browsers should be modified to disallow such add-ons. Or browsers should, at the very least, create a very visible window decoration that makes it absolutely clear that the content being displayed is not the same content that was provided by the host.

In case you spot any errors on this page, please notify me!
Or, leave a comment.
, 2010-03-04 09:33:46

There is a difference between ‘should’ and what would be desirable from a user’s point of view. E.g. Greasemonkey is explicitly strong in modifying what is being displayed vs. what you requested. Same is true for e.g. Adblock.

I agree that the HTTP post should not be interceptable though.