funsec mailing list archives
Re: Firefox' privacy mode not so private
From: "David Lodge" <dave () cirt net>
Date: Tue, 15 Sep 2009 17:14:16 +0100
On Tue, 15 Sep 2009 00:40:10 +0100, Imri Goldberg <lorgandon () gmail com> wrote:
It seems this was some kind of a 'known secret', but Firefox' privacy mode isn't private. Apparently, websites[1] can use Flash to store 'Local Shared Objects' (LSOs, see http://en.wikipedia.org/wiki/Local_Shared_Object ), which are basically cookies. Firefox' regular capabilities of 'clear all private data' and 'privacy mode', which supposedly don't leave any record of your browsing history, don't erase these files.
It's not really a surprise, and I doubt any browser clears these away as Flash stores them in its area. I've been doing unrelated research on LSOs recently and hacked up a quick and dirty reader for .sol files. I thought I'd see what information they contain. Most are like marketing cookies and just contain a UID number[1], though some may leak information. For example, BBC iPlayer stores the position at which you stop a program in the middle.

For example, I nipped over to iPlayer and started the last episode of Mock the Week, then paused it; the LSO contained:

    [dave@yggdrasil flashsol]$ ./readsol autoResume.sol
    Shared Object name: autoResume
    Version: AMF0
    items: Array: [
        Key 0: Array: [
            Key totalTime: Number: 1800.064000
            Key prevPos: Number: 265.000000
            Key id: String: b00mpq4p
        ]
    ]

Not too exciting, until we look at the id key (items[0][id]) and see that this maps to the URL of the program:

http://www.bbc.co.uk/iplayer/episode/b00mpq6y/Mock_the_Week_Series_7_Episode_10/

Showing that we could use the LSOs to see what programs have been watched through iPlayer.

[1] I think we should set up some sort of cookie/LSO bank: everybody puts on a marketing cookie with the same UID, mess up the marketing figures summat rotten :-)

dave

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Firefox' privacy mode not so private Imri Goldberg (Sep 14)
- Re: Firefox' privacy mode not so private Paul Ferguson (Sep 14)
- Re: Firefox' privacy mode not so private Reed Loden (Sep 14)
- Re: Firefox' privacy mode not so private Valdis . Kletnieks (Sep 15)
- Re: Firefox' privacy mode not so private Toralv_Dirro (Sep 15)
- Re: Firefox' privacy mode not so private Imri Goldberg (Sep 15)
- Re: Firefox' privacy mode not so private Toralv_Dirro (Sep 15)
- Re: Firefox' privacy mode not so private der Mouse (Sep 15)
- Re: Firefox' privacy mode not so private Imri Goldberg (Sep 15)
- Re: Firefox' privacy mode not so private David Lodge (Sep 15)
- Re: Firefox' privacy mode not so private Nick FitzGerald (Sep 15)
- Re: Firefox' privacy mode not so private Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 15)
- Re: Firefox' privacy mode not so private Nick FitzGerald (Sep 15)