Exclusive: Encryption Mechanism Breach on DuckDuckGo

A three-day hackathon on the subject of anonymity on the web, held at Bar Ilan University, has exposed breaches in the encryption mechanism of the search engine that boasts the slogan “The search engine that doesn’t track you”. The vpnMentor team covered the hackathon exclusively and accompanied the teams from day one up until the astonishing exposure.

This was the first hackathon on the subject of anonymity on the Web in Israel, a country that boasts an advanced cyber industry.

Israel, renowned as the Start-Up Nation, has sprouted numerous cyber firms. For many of them, credit has to be given to the veterans of the Israeli Intelligence Corps, who accumulate a wealth of experience during their military service and bring it to the private sector. During the first hackathon to take place in Israel on the subject, a few dozen people gathered to try to crack sites considered to be secure. The student teams were accompanied by experts from academia and industry, including: Dr Moti Geva, Prof Benny Pinkas, Prof Yehuda Lindell, Dr Tal Steinherz, Inbar Raz, Mr Amit Ashkenazi, Mr Asi Barak, Mr Sudhanshu Chauhan and Mr Kumar Panda.

No one had expected the search engine that boasts of not tracking its users to be revealed as exposed to anybody who checks its outgoing traffic.

Industry and academy mentors assisting students in the hackathon.

The Auto Suggest mechanism of the search engine enables the identification of whatever the user keyed in.

DuckDuckGo Auto Suggest, as recorded today.

The problem facing the winning team was to determine whether information leaks from the encrypted channels of search engines. The team managed to identify searches that had leaked through the Auto Suggest mechanism of the (supposedly) encrypted DuckDuckGo, and also managed to demonstrate it. What is significant is that whoever is listening to the search traffic is able to see what the user is searching for. So, for instance, when I type the letter A, the server of the search engine returns an AutoComplete response suggesting how to complete the word. If I continue and type B, the search engine will suggest words starting with AB. This way, supposedly, it is possible to create a mechanism that understands which words I have started keying in (and seemingly have finished).

Detection of search queries using packet sizes – Video credit: Ohad Cohen
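
The size leak described above can be measured on constructed data. This is an added example, not code from the article, the hackathon team or DuckDuckGo: encryption hides the suggestion bytes but not their count, so the per-keystroke response sizes form a fingerprint, and padding each response up to a fixed bucket (a general mitigation assumed here, not something the article reports) collapses it. The word list, JSON shape, three-keystroke window and 64-byte bucket are all assumptions.

```python
import json
from collections import defaultdict

# Constructed suggestion index; not real DuckDuckGo data.
WORDS = ["abc news", "about", "access", "bank", "bar ilan", "weather", "web"]

def suggest_body(prefix):
    """Plaintext autosuggest response for the characters typed so far."""
    matches = [w for w in WORDS if w.startswith(prefix)]
    return json.dumps({"q": prefix, "s": matches}).encode()

def wire_size(body, bucket=0):
    """Length visible on the wire. Encryption adds a fixed overhead but keeps
    the length; with bucket > 0 the server pads up to a multiple of it."""
    n = len(body)
    if bucket:
        n = -(-n // bucket) * bucket  # round up to the next bucket boundary
    return n

def size_trace(query, keystrokes=3, bucket=0):
    """Response sizes for the first few keystrokes of one query."""
    return tuple(wire_size(suggest_body(query[:i]), bucket)
                 for i in range(1, keystrokes + 1))

def anonymity_sets(queries, bucket=0):
    """Group queries whose size traces are identical to a passive observer."""
    groups = defaultdict(list)
    for q in queries:
        groups[size_trace(q, bucket=bucket)].append(q)
    return dict(groups)

if __name__ == "__main__":
    for bucket in (0, 64):
        sets = anonymity_sets(WORDS, bucket)
        print(f"bucket={bucket}: {len(sets)} distinguishable trace(s)")
        for trace, qs in sets.items():
            print("  ", trace, qs)
```

Padding hides the length of each response but not the number or timing of requests, so a design review should also consider how many keystrokes trigger a request.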

The winning team was a combination of participants from the Hebrew University and Bar Ilan University. It should be noted that the group included 3 females, while females made up only 15% of the participants in the event. Low percentages of females are characteristic of technological subjects, and so we were delighted to see how the female brain contributed here to the variety and to the actual achievement of the winning position.

Update: a few hours after publishing this story, we managed to get an official response from DDG (vpnMentor had already tried contacting DDG for a response last week). See the communication we had with DDG.
