Bugtraq mailing list archives
Re: Posible privacy problem in Explorer.
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Fri, 8 Sep 2000 12:56:19 -0700
This indeed seems to be the case. Deleting all cookies, emptying the cache and removing everything from the Temporary Internet Files folder does not make a difference. The web site still displays the saved queries. After some digging around I found where the data is stored (at least in my machine). On my Windows NT 4.0 machine running IE 5 the data is stored under C:\WinNT\Profiles\<user>\UserData\81urcl6v\oQRStore[1].xml It seems some ActiveX control is being use to save XML to the local machine. Not a big problem but certainly a privacy issue. Advertisers would love to use something like this so this since the user is not aware of where the data is stored. -- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum Message-ID: <39B84795.8A32DC4F () redestb es> Date: Fri, 08 Sep 2000 03:57:41 +0200 From: "Guille (Bisho)" <guille () redestb es> Reply-To: bisho () eurielec etsit upm es Organization: Eurielec To: bugtraq <BUGTRAQ () SECURITYFOCUS COM> Subject: Posible privacy problem in Explorer. In the Microsoft website http://search.msn.com.mx the use a method to store the searchs done in his search engine, but without cookies and without login&password. You could deactivate the cookies, delete them, log off your ISP, close the explorer, reboot, and the data will be there again. The link to the script is: <A CLASS='CLSSAVE' HREF="" onClick="StoreResult( 1, 'DE' );return false;" ID='DES1'> The function is inside: <SCRIPT SRC="searchui_IE5.js" LANGUAGE="JScript"> This is an ugly script without newlines. I have procesed ir a bit to make it more readable: $ cat searchui_IE5.js | awk '{ gsub(";", ";\n") } { gsub("}"," }\n") } { gsub("{"," {\n") } { gsub("function","\n\nfunction") } { print $0 }' The results are in: http://www.eurielec.etsit.upm.es/~bisho/searchui_IE5.js.txt It uses the called "User Data Persistence" technology, from Microsoft. Extracted from the microsoft knowledge database: --------------------------------------------- Persistence One big pain in the neck for users on the Web is going to a Web page, modifying it the way they want it, leaving, then returning to the site to find it's not the same: the trees are collapsed, forms filled-out have disappeared, and the page must be reset. Internet Explorer 5.0 takes some of this pain away by providing Web-page persistence via a scripting tag. Internet Explorer 5.0 provides four types of persistence: [...] User Data Persistence: Allows an XML-based storage methodology for saving large amounts of user data. If you have a large amount of data that you want to save from some point in time (for example, all of your favorite sport's teams' scores for the last 10 years), you can use persistence rather than cookies. [...] --------------------------------------------- The problem: Most people deactivate Cookies, or set it in the warn level, but the "User Data Persistence" has not warn level, and is oculted far away of the cookies security options. this could be used to track users without their knowledge, when they espect to be safe without cookies. -- \|||||||/ Guillermo Pérez Pérez < o o > - bisho () onirica com \ L / - bisho () eurielec etsit upm es -oOOo-------oOOo- Onírica: Análisis, diseño e implantación de soluciones informáticas http://www.onirica.com
Current thread:
- Posible privacy problem in Explorer. Guille (Bisho) (Sep 08)
- Re: Posible privacy problem in Explorer. Elias Levy (Sep 08)
- Re: Posible privacy problem in Explorer. Kevin van der Raad (Sep 12)
- <Possible follow-ups>
- Re: Posible privacy problem in Explorer. http-equiv () excite com (Sep 12)
- Re: Posible privacy problem in Explorer. CDE Francis (Sep 12)
- Re: Posible privacy problem in Explorer. Sander Goudswaard (Sep 13)
- Re: Posible privacy problem in Explorer. Elias Levy (Sep 08)