Opened 2 months ago

Last modified 2 months ago

#29887 new defect

Potential user activity data leak

Reported by: pf.team Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-disk-leak
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The user preferences file at ./Browser/TorBrowser/Data/Browser/profile.default/prefs.js contains data that can be used to tie anonymous activity via Tor in a certain time period to a particular user. This information may serve as additional evidence and help repressive regimes to identify activists and whistleblowers.

The most sensitive data is contained in the following parameters:

  • toolkit.startup.last_success - time of last successful browser startup.
  • browser.laterrun.bookkeeping.profileCreationTime - profile creation time, i.e. when this browser was started for the first time.

All other parameters listed below are regularly updated during the browser's run. Given their quantity, they may serve as a pretty reliable indication of when this particular user was online.

  • app.update.lastUpdateTime.addon-background-update-timer
  • app.update.lastUpdateTime.background-update-timer
  • app.update.lastUpdateTime.blocklist-background-update-timer
  • app.update.lastUpdateTime.browser-cleanup-thumbnails
  • app.update.lastUpdateTime.experiments-update-timer
  • app.update.lastUpdateTime.search-engine-update-timer
  • app.update.lastUpdateTime.xpi-signature-verification
  • extensions.blocklist.lastModified
  • extensions.torbutton.lastUpdateCheck
  • idle.lastDailyNotification
  • media.gmp-manager.lastCheck
  • places.database.lastMaintenance
  • storage.vacuum.last.places.sqlite

If there are any other such parameters, they may pose a security risk as well.

As a possible solution, we propose that these parameters should not be updated at all, and the browser should treat every time it is run as the first.

Change History (4)

comment:1 Changed 2 months ago by gk

Keywords: tbb-disk-leak added; prefs.js TorBrowser removed
Priority: High → Medium
Severity: Major → Normal

Yes, but I am not sure whether that's a thing we can properly fix on our end given that the threat model behind this bug is one where the local machine gets/is compromised/inspected by the attacker. I am inclined to just point to Tails for that scenario and close the ticket as WONTFIX.

Last edited 2 months ago by gk

comment:2 Changed 2 months ago by pf.team

This threat model is not that unlikely, especially in countries where Tor is needed the most.
Tails, however, requires more skill to use on one hand, and arouses more suspicion from repressive authorities on the other, more so than just finding Tor Browser installed on the local machine, as TB is much more often used for mundane purposes, such as access to content that is blocked in one's country for political or copyright-related reasons. Tails, however, immediately incriminates the person in question as someone with something to hide, something serious enough to require a whole operating system centered around anonymity. This in turn makes it more probable that the person in question will be, for example, tortured for information on his or her activities, or simply put under closer surveillance.

As a quick fix these parameters may be overwritten by some default values each time the browser exits.

We also found another one of these:

  • browser.laterrun.bookkeeping.sessionCount - counts how many times this browser has been run
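As an added example (not code from the ticket, from pf.team, or from Tor Browser), a small Python audit that parses a prefs.js body for the prefs named in the report and in comment:2, and strips those lines so the browser falls back to its built-in defaults on the next start, which is the "quick fix" sketched above. Matching the whole app.update.lastUpdateTime.* family by prefix, and the sample values, are assumptions of this example.

```python
import re

# Prefs the ticket names as revealing when this profile was used.
ACTIVITY_PREFS = {
    "toolkit.startup.last_success",
    "browser.laterrun.bookkeeping.profileCreationTime",
    "browser.laterrun.bookkeeping.sessionCount",
    "extensions.blocklist.lastModified",
    "extensions.torbutton.lastUpdateCheck",
    "idle.lastDailyNotification",
    "media.gmp-manager.lastCheck",
    "places.database.lastMaintenance",
    "storage.vacuum.last.places.sqlite",
}
# Assumption: every app.update.lastUpdateTime.* timer is treated as activity data.
ACTIVITY_PREFIXES = ("app.update.lastUpdateTime.",)

# One user_pref("name", value); line; the value is kept raw (int, bool or quoted string).
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def is_activity_pref(name):
    return name in ACTIVITY_PREFS or name.startswith(ACTIVITY_PREFIXES)

def find_activity_prefs(text):
    """Audit: {name: raw_value} for every activity-revealing pref in a prefs.js body."""
    found = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and is_activity_pref(m.group(1)):
            found[m.group(1)] = m.group(2)
    return found

def scrub_prefs(text):
    """Drop those lines so the browser uses its defaults on next start.
    Run only after the browser has exited: Firefox rewrites prefs.js at shutdown."""
    kept = []
    for line in text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if not (m and is_activity_pref(m.group(1))):
            kept.append(line)
    return "".join(kept)

# Constructed sample prefs.js fragment; the values are made up, not from a real profile.
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1552000000);
user_pref("browser.laterrun.bookkeeping.profileCreationTime", 1551000000000);
user_pref("browser.laterrun.bookkeeping.sessionCount", 7);
user_pref("browser.startup.homepage", "about:tor");
user_pref("toolkit.startup.last_success", 1552300000);
"""
```

Removing the lines does nothing about the filesystem creation/modification timestamps or the bookmarkbackups folder raised in comment:3, so it narrows the leak rather than closing it.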

comment:3 Changed 2 months ago by cypherpunks

I would argue hiding the browser's last run time wouldn't be very successful, and both the profile creation time and the last run time may be easily gathered from the browser's file/folder creation/modification timestamps.

But at least resetting the value of browser.laterrun.bookkeeping.sessionCount seems to be a good idea.

@pf.team bookmarkbackups folder can contain up to 15 backups from different dates with timestamps that will show exactly when the browser was used. You may consider regularly cleaning that or disabling the bookmark backups altogether.

comment:4 Changed 2 months ago by pf.team

@cypherpunks
Yes, bookmarkbackups would also be one of these things that need cleaning up. Thanks for the info, we haven't gotten around to them yet.

You are technically right about file creation/modification ts'es, however, there is more to consider in this case:

1) File timestamps are circumstantial evidence for something that is itself circumstantial evidence, and gathering it requires slightly higher qualifications from adversaries. After all, file timestamps may change for a whole number of reasons, whereas with prefs.js they have all this data conveniently in one place and labeled.

2) Obviously, there is no such thing as 100% safety, anonymity or security, but at the same time, the adversary is also not some flawless leviathan with 100% clarity and competence. For example, employees of repressive institutions in authoritarian countries often lack both the tech know-how required to conduct a more thorough investigation, and the motivation to do so. Every extra step they have to take increases the probability that they might give up here and look elsewhere.

Last edited 2 months ago by pf.team