funsec mailing list archives

Re: Firefox' privacy mode not so private

From: "David Lodge" <dave () cirt net>
Date: Tue, 15 Sep 2009 17:14:16 +0100

On Tue, 15 Sep 2009 00:40:10 +0100, Imri Goldberg <lorgandon () gmail com>  
wrote:

It seems this was some kind of a 'known secret', but firefox' privacy  
mode
isn't private. Apparently, websites[1] can use flash to store
'Local-Shared-Objects' (LSOs, see
http://en.wikipedia.org/wiki/Local_Shared_Object ), which are basically
cookies. Firefox' regular capabilities of 'clear all private data' and
'privacy mode', which supposedly don't leave any record of your browsing
history, don't erase these files.


It's not really a surprise, and I doubt any browser clears these away as  
flash stores them in it's area.

I've been unrelated research on LSOs recently and hacked up a quick and  
dirty reader for .sol file. I thought I'd see what information they  
contain. Most are like marketing cookies and just contains a UID  
number[1], though some ones may leak information. For example, BBC iPlayer  
stores the position that you stop a program in in the middle. For example,  
I nipped over to iPlayer and started the last episode of Mock the Week,  
then paused it; the LSO contained:
[dave@yggdrasil flashsol]$ ./readsol autoResume.sol
Shared Object name: autoResume
Version: AMF0
items: Array: [
Key 0: Array: [
Key totalTime: Number: 1800.064000
Key prevPos: Number: 265.000000
Key id: String: b00mpq4p
]
]

Not too exciting, until we look at the id items[0][id] key and see that  
this maps to the URL of the program:
http://www.bbc.co.uk/iplayer/episode/b00mpq6y/Mock_the_Week_Series_7_Episode_10/

Showing that we could use the LSOs to see what programs have been watched  
through iPlayer.

[1] I think we should set up some sort of cookie/LSO bank: everybody puts  
on a marketing cookie with the same UID, mess up the marketing figures  
summat rotten :-)

dave

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Firefox' privacy mode not so private Imri Goldberg (Sep 14)
- Re: Firefox' privacy mode not so private Paul Ferguson (Sep 14)
- Re: Firefox' privacy mode not so private Reed Loden (Sep 14)
  - Re: Firefox' privacy mode not so private Valdis . Kletnieks (Sep 15)
- Re: Firefox' privacy mode not so private Toralv_Dirro (Sep 15)
  - Re: Firefox' privacy mode not so private Imri Goldberg (Sep 15)
    - Re: Firefox' privacy mode not so private Toralv_Dirro (Sep 15)
    - Re: Firefox' privacy mode not so private der Mouse (Sep 15)
- Re: Firefox' privacy mode not so private David Lodge (Sep 15)
  - Re: Firefox' privacy mode not so private Nick FitzGerald (Sep 15)
    - Re: Firefox' privacy mode not so private Rob, grandpa of Ryan, Trevor, Devon & Hannah (Sep 15)