Security: OS records urls of downloads in incognito mode
Reported by
modi.kon...@gmail.com,
Feb 20 2018
|
|||||||
Issue descriptionVULNERABILITY DETAILS Please provide a brief explanation of the security issue. Mac seems to maintain a list of every file downloaded by the user from any application like Chrome, Skype, curl etc. in the sqlite database: ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* What is surprising is, it also maintains the files downloaded / saved in incognito mode. 1. This list is never cleared irrespective of any action taken on Chrome browser like: a. Clean history, b. Clean download list. c. Profile deletion. d. App uninstall. 2. The table consists of few columns, but two in general could be a privacy issue. a. LSQuarantineDataURLString: URL for downloading. b. LSQuarantineOriginURLString : Looks like referrer. Expected behaviour is no activity done is incognito window should be written and persisted to disk. Once it's on disk, it's out of control and will never really go away again. VERSION Chrome Version: Version 64.0.3282.167 (Official Build) (64-bit) Operating System: macOS Sierra : 10.12.6 REPRODUCTION CASE 1. Check for entries in ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* If you prefer terminal: sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'. 2. Now open incognito mode and download a file. 3. Check the table again, the entry exists. 4. Clear download history, restart browser, the entry still exists in the table.
,
Feb 20 2018
I was curious to see what happens with other browsers, so I tested a few: 1. Firefox 59+ does not save the files downloaded in private mode in the database. 2. Safari also does not save the files downloaded in private mode in the database. 3. Tor browser does not save the files downloaded in private mode in the database.
,
Feb 20 2018
On Windows 10 1709, Firefox isn't using the IAttachmentExecute API to write the Zone.Identifier, so it doesn't record the origin URL. Interestingly, however, Edge behavior changes in its InPrivate mode. When a download takes place in regular mode, the HostUrl value is set and leaks the original download URL. When the same download takes place in InPrivate mode, the HostUrl value is omitted from the Zone.Identifier file. It might be interesting to see whether Safari does anything special here like Edge does.
,
Feb 22 2018
+qinmin@ to see what Safari does. I'm tempted to mark as Won'tFix because downloads inherently leave some state behind on disk even in incognito mode, which is expected behavior. elawrence@ what's the security benefit to adding HostUrl? Would there be any downside to omitting it?
,
Feb 22 2018
Really add +qinmin :)
,
Feb 22 2018
RE #4: I assume the idea Microsoft had when writing the HostUrl to the file is that it enables later dynamic checks of the reputation of a site. Consider, e.g. the user downloads an executable from https://newdodgysite.com. Windows SmartScreen doesn't know this is a dodgy site and will allow the user to execute the file immediately. However, the next day, Windows catches up and starts blocking that site as malicious. By recording the HostUrl in the MotW, Windows can apply that later knowledge to a prior download. I allude to this in https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/ (It's probably also useful for threat-intelligence and other purposes.)
,
Mar 1 2018
It sounds like this is working as intended and is probably what we want from a security standpoint (although from privacy I see the downside)? Will wait for qinmin@ to confirm what Safari does.
,
Mar 1 2018
,
Apr 16 2018
,
Apr 20 2018
,
Apr 24 2018
+dtrainor@ From privacy standpoint, this is a leak as there would be a trace of what user has done in incognito after the incognito window is closed. I think as the regular mode is already fully considering security, when user goes to incognito, it can be considered as more leaning towards privacy, and we should respect it if we can, or state it clearly to the user. Is there any plan for it now?
,
Apr 24 2018
Both firefox and safari don't report the URL/referrer in quanrantine db when in private mode, but do report them in normal mode. I think I can fix this by annotating the file with empty URL.
,
Apr 24 2018
or simply skip the file annotation in incognito mode
,
Apr 24 2018
For Windows, it's important to annotate the download with a web-based URL in order to ensure that the platform security features (AV, SmartScreen) recognize that the file is untrusted content from the Internet. If omitting the URL is desireable for Windows, use "about:internet" as the URL. https://cs.chromium.org/chromium/src/components/download/quarantine/quarantine_win.cc?l=231&rcl=fe4e0d4b82813da20a8be333719f22c7c6c1c9ca
,
Apr 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/63034d6e4ccf75bd6cafaf735ded740af6579644 commit 63034d6e4ccf75bd6cafaf735ded740af6579644 Author: Min Qin <qinmin@chromium.org> Date: Wed Apr 25 21:45:01 2018 Use Empty URL for download annotation in Incognito mode Chrome annotates downloads with the source URL to allow platform security features to treat downloads with appropriate suspicion. If the download was conducted in off-the-record mode, we should not annotate the download with the real URL to avoid a privacy leak. On Windows, using an empty URL results in marking the download as originating from "about:internet", a generic Internet-zone URL. BUG= 813764 Change-Id: I1dfe652051d43a0c4f3ee2742882b1affa946c57 Reviewed-on: https://chromium-review.googlesource.com/1026455 Reviewed-by: Ramin Halavati <rhalavati@chromium.org> Reviewed-by: David Trainor <dtrainor@chromium.org> Reviewed-by: Eric Lawrence <elawrence@chromium.org> Commit-Queue: Min Qin <qinmin@chromium.org> Cr-Commit-Position: refs/heads/master@{#553764} [modify] https://crrev.com/63034d6e4ccf75bd6cafaf735ded740af6579644/components/download/internal/common/download_item_impl.cc [modify] https://crrev.com/63034d6e4ccf75bd6cafaf735ded740af6579644/components/download/internal/common/download_item_impl_unittest.cc [modify] https://crrev.com/63034d6e4ccf75bd6cafaf735ded740af6579644/components/download/quarantine/quarantine.h [modify] https://crrev.com/63034d6e4ccf75bd6cafaf735ded740af6579644/components/download/quarantine/quarantine_win.cc
,
Apr 26 2018
|
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by elawrence@chromium.org
, Feb 20 2018Components: UI>Browser>Incognito UI>Browser>Downloads Privacy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam OS-Linux OS-Mac OS-Windows Type-Bug
Status: Untriaged (was: Unconfirmed)
Summary: Security: OS records urls of downloads in incognito mode (was: Security: Leaking urls used for downloads in incognito mode on disk.)