Opened 2 months ago

Last modified 7 weeks ago

#29957 needs_information defect

clicking on "click to play" media leaks URLs via NoScript on-disk preferences

Reported by: catalyst
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-disk-leak, tbb-newnym, noscript
Cc: m1
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

A user in #tor reports that clicking on "click to play" media leaks sensitive information by causing NoScript to save the URL to disk. It's not clear whether this is an instance of #29646. It also seems that these URLs persist for search bar completion briefly beyond "New Identity", but not beyond a browser restart.

partial IRC logs below:

29T22:27 <XXXXX> i'd like to report a bug in noscript in tor browser
29T22:28 <XXXXX> when media is "click to play" and i click it, the browser 
                     SAVES IT in HISTORY
29T22:28 <XXXXX> even though it is tor browser, when i start up the browser 
                     days later i find that noscript has saved that site url to 
                     the hard drive... tor browser is not supposed to keep 
                     history
29T22:29 <XXXXX> it was visible in "per-site permissions" in the noscript 
                     settings
29T22:30 <XXXXX> it includes ILLEGAL (lgbt resources) in my country, that i 
                     do not want anyone to see, but it was still being saved by 
                     tor browser
29T22:31 <XXXXX> i did not do anything "unusual" like changing settings or 
                     tweaking. i only had security slider MEDIUM and when click 
                     to play media appeared i clicked it
29T22:32 <XXXXX> i cleared the history and bleachbit wiped the computer but 
                     i'm scared
...
29T22:39 <catalyst> XXXXX: that does sound scary in your situation. and it 
                    does sound like a bug. what OS and Tor Browser version?
29T22:40 <XXXXX> catalyst: windows 7 tor browser 8.0.8
...
29T22:45 <catalyst> XXXXX: thanks. i'm asking around
29T22:46 <XXXXX> ok!
29T22:46 <XXXXX> what do i need to do to erase it? i pressed "reset 
                     settings" in noscript and i think that worked and i ran 
                     bleachbit too
29T22:47 <catalyst> XXXXX: that depends on how thoroughly you need to erase 
                    it, unfortunately
29T22:48 <XXXXX> i dont want family or authorities to see it
...
29T22:48 <XXXXX> ok and doing that with bleachbit "erase free space" helps?
...
29T22:50 <XXXXX> it erases free space because deleting files is recoverable
29T22:51 <catalyst> XXXXX: that sounds like it should help. i'm not 
                    personally familiar with bleachbit so i can't say whether 
                    or not it will be effective in this case
29T22:51 <XXXXX> ok
29T22:52 <catalyst> operating systems like Tails provide additional isolation 
                    (i believe Tails won't ever write to a disk unless you 
                    explicitly ask it to)
29T22:57 <catalyst> XXXXX: may i paste your report into a public bug 
                    report? (redacting your IRC nickname)
29T22:57 <XXXXX> catalyst: yes ok
29T22:57 <catalyst> XXXXX: thanks
29T22:58 <XXXXX> catalyst: when i clicked "reset" on the noscript settings 
                     it broke some things i think the "default settings" are 
                     not the same ones tor uses so resetting to default breaks 
                     some things. a check mark is now checked called "override 
                     tor browser security preset" and even on MEDIUM slider 
                     settings it makes javascript disabled
29T22:58 <XXXXX> so also the reset option breaks things too!
29T23:03 <catalyst> XXXXX: that sounds unfortunate, but not too surprising. 
                    Tor Browser can't always handle unusual user interactions 
                    with the components it depends on. we can only try to fix 
                    stuff like this as we learn about it
29T23:03 <XXXXX> ok
29T23:03 <XXXXX> i'll delete and install the browser again
...
29T23:12 <XXXXX> catalyst: one other scary thing that might be related. 
                     when i visit sites after i press "new identity" that 
                     restarts the browser. when the new browser opens then i 
                     type something into the search bar at the top and 
                     sometimes it suggests the sites i was just viewing BUT for 
                     a split second then they vanish!
29T23:13 <XXXXX> i only noticed it when pressing "new identity" but not if 
                     i close the browser then open it myself instead. but after 
                     the suggested sites vanish they don't appear again and 
                     that is weird
29T23:15 <@arma> XXXXX: i would believe this -- new identity does a pile of 
                 things, and it does them in some order. it should probably 
                 change its order so you don't get confused into thinking it is 
                 done until it really is done.
29T23:15 <catalyst> XXXXX: that does seem scary. the behavior difference 
                    between "new identity" and restarting the browser is 
                    helpful to know, though. i'll add it to the bug report

Change History (5)

comment:1 Changed 8 weeks ago by gk

Keywords: tbb-newnym added; newnym removed
Status: new → needs_information

I tried to reproduce both issues but failed with a clean Tor Browser 8.0.8 on Windows 7. So, I wonder what goes wrong on the user's computer. Maybe some extra tools installed are interfering?

comment:2 in reply to:  1 Changed 7 weeks ago by cypherpunks

Replying to gk:

> I tried to reproduce both issues but failed with a clean Tor Browser 8.0.8 on Windows 7. So, I wonder what goes wrong on the user's computer. Maybe some extra tools installed are interfering?

I just tried this on my own Windows 7 computer with browser 8.0.8 and it *does* persist for me. I went to Wikipedia with the slider set to "Safer" and viewed some videos that were click-to-play. After restarting Tor Browser and checking the NoScript settings "per-site permissions", the whitelisted URLs are being shown like this one:

https://upload.wikimedia.org/wikipedia/commons/transcoded/0/0a/Comparing_CMEs.ogv/Comparing_CMEs.ogv.480p.vp9.webm

I restarted Tor Browser with New Identity, and I closed and re-opened it, and I rebooted my computer, so I can *confirm* that this is an issue!

comment:3 Changed 7 weeks ago by cypherpunks

In the file called storage-sync.sqlite (in profile.default) I have this text copied from Notepad (example and not everything in the .sqlite file, just the relevant part):

["fetch","font","frame","object","other","script","webgl","media"],"temp":false},"https://upload.wikimedia.org/wikipedia/commons/transcoded/0/0a/Comparing_CMEs.ogv/Comparing_CMEs.ogv.480p.vp9.webm":{"capabilities":["fetch","font","frame","object","other","script","webgl","media"],"temp":false}}},"enforced":true,"autoAllowTop":false},"_status":"created"}‚';i
ƒedefault/{73a6fe31-595d-460b-a920-fcc0f8843232}key-sync{"id":"key-sync","key":"sync","data":{"global":false,"xss":true,"cascadeRestrictions":true,"xssScanRequestBody":false,"xssBlockUnscannedPOST":true,"overrideTorBrowserPolicy":false,"clearclick":true,"storage":"sync"},"_status":"created"}

comment:4 Changed 7 weeks ago by cypherpunks

Here is *exactly* what I did to confirm it:

  1. Deleted Tor Browser directory
  2. Installed fresh Tor Browser 8.0.8
  3. Changed security slider to "Safer"
  4. Navigated to https://upload.wikimedia.org/wikipedia/commons/transcoded/2/22/Volcano_Lava_Sample.webm/Volcano_Lava_Sample.webm.360p.vp9.webm
  5. Clicked to play
  6. Looked at NoScript settings page and confirmed it was whitelisted
  7. Restarted browser

Before step 5, I looked at the sqlite in an online sqlite viewer and it said the collection_name was default/{73a6fe31-595d-460b-a920-fcc0f8843232}, the record_id was key-policy, and the record was this:

{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["frame","font"],"temp":false},"sites":{"trusted":[],"untrusted":["http:"],"custom":{}},"enforced":true,"autoAllowTop":false},"_status":"created"}

After step 7 I looked at the same record, and now it was this:

{"id":"key-policy","key":"policy","data":{"DEFAULT":{"capabilities":["fetch","font","frame","object","other","script","webgl"],"temp":false},"TRUSTED":{"capabilities":["fetch","font","frame","media","object","other","script","webgl"],"temp":false},"UNTRUSTED":{"capabilities":["frame","font"],"temp":false},"sites":{"trusted":[],"untrusted":["http:"],"custom":{"https://upload.wikimedia.org/wikipedia/commons/transcoded/2/22/Volcano_Lava_Sample.webm/Volcano_Lava_Sample.webm.360p.vp9.webm":{"capabilities":["fetch","font","frame","object","other","script","webgl","media"],"temp":false}}},"enforced":true,"autoAllowTop":false},"_status":"created"}

That sqlite file is stored on the disk.
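
Added example, not part of the ticket or of NoScript/Tor Browser code: a check that lists the per-site entries a `key-policy` record like the ones above keeps on disk, by comparing it with the fresh-install state shown in the "before" record. The table name `collection_data`, the reading of `"temp": true` as session-only, and the sample URL are assumptions; the column names and collection name are the ones quoted in the comment.

```python
import json
import sqlite3

# Assumption: the table name is not given on the page; the three column names
# are the ones the SQLite viewer reported in comment 4.
TABLE = "collection_data"
# Fresh-install lists as shown in comment 4's "before" record.
BASELINE = {"trusted": set(), "untrusted": {"http:"}}

def persisted_site_entries(conn):
    """Return sorted (list_name, site) pairs that key-policy records keep on disk."""
    found = set()
    query = f"SELECT record FROM {TABLE} WHERE record_id = ?"
    for (raw,) in conn.execute(query, ("key-policy",)):
        sites = json.loads(raw).get("data", {}).get("sites", {})
        for site, perms in sites.get("custom", {}).items():
            # Assumption: "temp": true marks a session-only permission.
            if not perms.get("temp", False):
                found.add(("custom", site))
        for name, defaults in BASELINE.items():
            for site in set(sites.get(name, [])) - defaults:
                found.add((name, site))
    return sorted(found)

def make_profile_db(custom, trusted=()):
    """Constructed in-memory stand-in for storage-sync.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} "
                 "(collection_name TEXT, record_id TEXT, record TEXT)")
    policy = {"id": "key-policy", "key": "policy", "_status": "created",
              "data": {"sites": {"trusted": list(trusted),
                                 "untrusted": ["http:"], "custom": custom},
                       "enforced": True, "autoAllowTop": False}}
    conn.execute(f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
                 ("default/{73a6fe31-595d-460b-a920-fcc0f8843232}",
                  "key-policy", json.dumps(policy)))
    return conn

if __name__ == "__main__":
    # Constructed URL standing in for a clicked "click to play" media file.
    clicked = {"https://media.example/clip.webm":
               {"capabilities": ["media"], "temp": False}}
    print(persisted_site_entries(make_profile_db({})))       # fresh profile
    print(persisted_site_entries(make_profile_db(clicked)))  # after the click
```

To audit a real profile, pass `persisted_site_entries` a connection opened on a copy of `storage-sync.sqlite`; an empty result matches the fresh-install record.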

comment:5 Changed 7 weeks ago by gk

Cc: m1 added
Keywords: noscript added

Okay, thanks for those steps; that helped me a lot. Giorgio: given that this violates assumptions about Private Browsing Mode (PBM) usage (no information about web browsing should be leaked to disk in that mode, let alone possibly problematic URLs), is there a way for NoScript to actually adhere to the PBM rules the user/Tor Browser has intentionally enabled? Like saving the exceptions in memory and only there if in PBM? It seems to me there is no reason to save them to disk in that case.
