A Punctuation Error May Expose Users’ Search Terms to ISPs Via Chrome And Firefox

Heads up, Chrome and Firefox users! Try not to include any hyphens in your search queries if you don’t want the ISPs to know them. According to a researcher, this punctuation error may expose search terms to the ISPs due to browser bugs.

Punctuation Error Expose Search Terms To ISPs

The researcher Duy Khuong discovered last year that typing hyphens in search queries could breach users’ privacy. Regardless of a deliberate hyphen insertion or a punctuation error, the search terms that a user types would always go the ISP’s when browsing via Google Chrome or Mozilla Firefox.

The problem doesn’t affect regular search terms as most browsers, including Firefox and Chrome, already disallow it. However, if a user types a hyphen between two words, it would then be transmitted to the ISPs’ DNS.

According to the bug report that Khuong reported to Mozilla, this issue persists even if the user has enabled DNS-over-HTTPS.

-An ISP’s server address is set as one of the “Connection-specific DNS suffixes”, when DHCP is used.
-With a DNS suffix is set, Firefox (mis-)interpret the search term (followed by the suffix, “search-term.[suffix]”) as a potentially-valid domain name and therefore sends a DNS query to ask for its IP address.
-The problem is, despite the fact that DoH is enabled by the user, when sending the DNS query, Firefox does not treat the “search-term.[suffix]” in the same way as other domain names and therefore send it in plain text.
-As a consequence, the DNS query is logged and the search-term is recorded and sent to the suffix server (which belongs to ISP), without user’s consent.

The same is also under discussion at Google as it appears from the bug report when the researcher followed up.

Here, another Google developer even highlighted that the problem may be worse for Japanese search queries.

In Japanese, “one word” search text is used more than English language.
Because japanese natual sentence have no spaceing. (Ex. 自然な日本語にはスペースがないからです。)

Any Patches Yet?

Google is currently working on a patch to address this problem for good. Google plans to disable the vulnerable feature by default, and it’ll roll out the changes in “coming weeks”.

While Google has planned to disable the “omnibox’s Intranet Redirect Detector feature”, according to The Daily Swig, the researcher doesn’t support this fix. That’s because reenabling this feature would be a hassle for the enterprises using it. Also, it won’t be a permanent fix.

Hence, the researcher instead argues adding a “slash” as a rule for redirection.

As for Mozilla Firefox, the service states that setting up network.trr.split_horizon_mitigations: false can help prevent the search term leaks. Users can manually adjust this setting from Firefox 82 and onward.

Let us know your thoughts in the comments.

Related posts

Google Cloud To Implement MFA as a Mandatory Feature

Opera Browser Vulnerability Could Allow Exploits Via Browser Extensions

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder