EXCLUSIVE: A weakness in the encryption mechanism of the DuckDuckGo search engine makes it possible to identify users’ queries.
A three-day hackathon on the subject of anonymity on the web at Bar Ilan University has exposed weaknesses in the encryption mechanism of the search engine that markets itself with the slogan “The search engine that doesn’t track you”. The vpnMentor team covered the hackathon exclusively and accompanied the teams from day one up until the astonishing discovery.
The first hackathon on the subject of anonymity on the Web in Israel, a country that boasts an advanced cyber industry.
Israel, renowned as the Start-Up Nation, has sprouted numerous cyber firms. Much of the credit goes to veterans of the Israeli Intelligence Corps, who accumulate during their military service a wealth of experience that they bring to the private sector. During the first hackathon to take place in Israel on the subject, a few dozen people gathered to try to crack sites considered secure. The student teams were accompanied by experts from academia and industry, including: Dr Moti Geva, Prof Benny Pinkas, Prof Yehuda Lindell, Dr Tal Steinherz, Inbar Raz, Mr Amit Ashkenazi, Mr Asi Barak, Mr Sudhanshu Chauhan and Mr Kumar Panda.
No one had expected the search engine that boasts of not tracking its users to turn out to be exposed to anybody who inspects its outgoing traffic.
Industry and academic mentors assisting students at the hackathon.
The Auto Suggest mechanism of the search engine makes it possible to identify whatever the user typed.
DuckDuckGo Auto Suggest, as recorded today.
The problem the winning team set out to solve was to determine whether information leaks from the encrypted channels of search engines. The team managed to identify searches that leaked through the Auto Suggest mechanism of the (supposedly) encrypted DuckDuckGo, and they also managed to demonstrate the leak. What is significant is that whoever is listening to the search traffic is able to see what the user is searching for. So, for instance, when I type the letter A, the search engine’s server returns an AutoComplete response suggesting how to complete the word. If I continue and type B, the search engine will suggest words starting with AB. In this way, presumably, it is possible to build a mechanism that works out which words I have started typing (and seemingly have finished).
Detection of search queries using packet sizes – Video credit: Ohad Cohen
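As an added illustration, not code from the hackathon team or from vpnMentor, the following Python script models the side channel described above with a constructed suggestion table: encryption hides the content of each Auto Suggest response but not its length, so an observer who has measured the response size for every prefix can map sizes back to what was typed, and padding responses to a fixed block size is shown as the mitigation. The JSON format, the prefix table and the TLS_OVERHEAD constant are assumptions, not DuckDuckGo's real values.

```python
import json
from collections import defaultdict

# Constructed autosuggest table (prefix -> suggestions); not real DuckDuckGo data.
SUGGESTIONS = {
    "a":   ["amazon", "apple", "aol mail"],
    "ab":  ["abc news", "about:blank"],
    "abs": ["absolute value", "abstract art", "absinthe"],
    "b":   ["bing", "bbc", "best buy", "bank of america"],
    "ba":  ["bank of america", "barnes and noble"],
}

# Assumed constant per-record overhead (record header, AEAD tag). Its exact
# value is irrelevant: it shifts every size equally and preserves differences.
TLS_OVERHEAD = 21


def response_body(prefix):
    """Serialize suggestions as a JSON array, the way an autosuggest endpoint
    might (assumed format, constructed for this example)."""
    return json.dumps([{"phrase": p} for p in SUGGESTIONS[prefix]]).encode()


def observed_size(prefix, pad_to=None):
    """Size of the encrypted response as seen by a passive observer.
    Encryption hides content but not length, so without padding the
    observable size is plaintext length plus a constant."""
    n = len(response_body(prefix))
    if pad_to:  # mitigation: pad plaintext up to a multiple of pad_to bytes
        n = -(-n // pad_to) * pad_to
    return n + TLS_OVERHEAD


def build_size_table(pad_to=None):
    """Observer's precomputed map: observed size -> prefixes producing it,
    built by requesting the public endpoint once per prefix."""
    table = defaultdict(set)
    for prefix in SUGGESTIONS:
        table[observed_size(prefix, pad_to)].add(prefix)
    return dict(table)


def infer_prefix(size, table):
    """Candidate prefixes for one observed response size (empty if unknown)."""
    return table.get(size, set())


if __name__ == "__main__":
    plain = build_size_table()
    for size, prefixes in sorted(plain.items()):
        print(f"{size:4d} bytes -> {sorted(prefixes)}")  # every size names exactly one prefix
    padded = build_size_table(pad_to=128)
    print("padded:", {s: sorted(p) for s, p in padded.items()})  # one size, all prefixes
```

Without padding each prefix in the table produces a unique size, so a single observed record identifies the typed prefix; with responses padded to 128 bytes all prefixes collapse onto one size and the observer learns nothing from length alone.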
The winning team combined participants from the Hebrew University and from Bar Ilan University. It should be noted that the group included 3 women, compared to only 15% female participants in the event overall. Low percentages of women are characteristic of technological subjects, and so we were delighted to see how women contributed here both to the diversity and to the actual achievement of the winning position.
Update: a few hours after publishing this story, we obtained an official response from DDG (vpnMentor had already tried contacting DDG for a response last week). See the communication we had with DDG.