back to article Mulled Chrome API shines light on long-neglected privacy gap: Sites can snoop on your find-in-page searches

A browser feature being developed for the open-source Chromium platform has raised data-leakage privacy concerns – though the Google engineers working on the project contend the potential benefits outweigh the risks. The issue – potential leakage of text entered into the find-in-page search popup invoked by hitting the CTRL-F …

  1. A Non e-mouse Silver badge

    The Register asked AppsFlyer if anyone could explain why the company website implements its own search box instead of using the native [one]

    "We believe our solutuon offers the end user a much richer experience when visiting our site."

    "So we can better stalk you."

    Simples.

    1. ratfox

      The examples I know where the website reimplements the search functionality are when the page content is dynamically loaded. One such "website" is Google Sheets. You don't want the huge spreadsheet to be loaded in the browser, so only the part you see is downloaded. For the search functionality, the tool actually sends the search query to the server, which finds and sends back the relevant part of the page.

      1. Anonymous Coward
        Anonymous Coward

        I'm just a hobbyist now, but that method is WAY too slow for me, does Google Sheets really work like that? I would up using something that basically equated to (link_list = 5 * (height / lines)), which fully loads what is visible, then 2 buffers of results both above and below the visible area. But I have tried it the way you're suggesting (and a few others), but that specific way was always slower on insertion. The way I side stepped long literal CTRL+F style searches was by hashing each line prior on the server so the server could then just spit out linked lists of whatever size. Yeh, the initial CPU usage on the server during document creation is hefty, but if you want snappy results and lower subsequent server CPU loads.... :-/. Again though, I'm just a couch coder, but I really couldn't get that method to work great (at least not on a Raspberry Pi). I understand both ways are similar, but fetching only what is visible and having the server search like that every time?

  2. cantankerous swineherd Silver badge

    good way of looking at password <input>s

    1. A Non e-mouse Silver badge

      I kinda hope that password fields can't be read. Maybe I'm being naive, though...

      1. Jim Mitchell Silver badge

        If you are filling in a password field in a webpage, of a website you don't trust, just what are you doing?

      2. Psmo

        If you're reusing a password with a word that can be returned by a keyword search yes I think you are naïve.

    2. Psmo

      If secrets and/or hidden info are ending up on the client in easily readable format you are a bad developer doing bad things with your bad skills and you should feel bad.

      And maybe have your fingers broken so you type slower and think more.

  3. don't you hate it when you lose your account Silver badge

    Privacy

    Is a dirty word in these modern times :( even worse than asking industry to stop polluting.

    1. HildyJ Silver badge
      WTF?

      Re: Privacy

      Another reason to use a non Chromium browser. I, personally, prefer Firefox with uBlock Origin and a passel of lists.

  4. Pascal Monett Silver badge

    "the potential benefits outweigh the risks"

    The potential benefits for who ?

    Also, is this a pure-Chromium issue, or are other browsers at risk also ?

    In any case, I note that this is, once again, a JavaScript issue. And that means, once again, that NoScript saves the day.

    NoScript : protecting privacy every day, without fail.

    1. Graham Dawson Silver badge

      Re: "the potential benefits outweigh the risks"

      Google docs and sheets override the default search behaviour to implement their own in-app searches.

  5. Twanky
    Flame

    Expectations

    For example, if a portion of a webpage has been collapsed so the text is not visible, a find-in-page request would not work as expected.

    Yes it would - the search wouldn't find the text, exactly as expected because it isn't there.

    Where's the logic in hiding text on a web page and waiting for the user to expand it later - apart from slurping, obvs.

    1. Blazde Silver badge

      Re: Expectations

      Firefox find-in-page finds hidden text. It is a bit useful and sometimes expected, because Google will index pages based on their hidden text and so people come to a page expecting to find something that's not visible. What's less useful is that it's still hidden after FF finds it and some text is hidden without a way to unhide it (eg. text for SEO). The Chrome solution won't address that either.

      "Where's the logic in hiding text on a web page and waiting for the user to expand it later"

      The same logic which gives us books printed on individual pages bound into a handy volume instead of a single 10x10 metre sheet of paper. It makes navigation easier. The alternative is text isn't there until you want it and it's fetched from the server, which makes slurping easy too.

      1. Twanky

        Re: Expectations

        The book analogy doesn't quite work for me. As you point out, a major feature of a book is that it's on convenient sized pages so it can easily be handled and one page leads to the next. The only place I've seen hidden-until-you-reveal-it text in a book is when reading to my grandchildren when they were under five years old. A web page being analogous to a book page perhaps these are aimed at the under-five mentality too?

  6. Wade Burchette Silver badge

    Thanks Reg!

    I just added appsflyer.com to my router's blacklist. I have already banished doubleclick and Microsoft telemetry and some really bad web stalkers.

  7. Psmo

    Finally

    I never understood why this functionnality was not already in place:

    • When you use a site's search box, you are already giving them and their third-party search box the information, and the returned information is theirs anyway
    • Searching across multi-tabbed config pages and menus becomes more logical
    • Allows a logical overlaps of the results between page and global search.
    • Allows optimising of the page layout depending on real user interest without the stalkery techniques used today

    The last two are awkward, but in my view navigating of Zottabytes of potentially useful information can't be done without it.

    Of course, this is Google/ Chrome so they'll be able to drown any potentially useful gains in stalker juice. It might serve as a base for someone else, though.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021