Opened 4 years ago

Last modified 3 years ago

#8988 new defect

Spotlight and mds may have indexed the Tor Browser Bundle

Reported by: runa
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-disk-leak, needs-triage
Cc: runa
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

A forensic analysis of the Tor Browser Bundle (version 2.3.25-6, 64-bit) on OS X 10.8 showed that Spotlight and mds may have indexed the Tor Browser Bundle.

Spotlight, and the Metadata Server (mds), indexes all items and files on a system and allows the user to perform system-wide searches for all sorts of items: documents, pictures, applications, system preferences, etc.

I have not been able to open the files in /.Spotlight-V100 and /var/db/mds/messages/, but I would say it is likely that Spotlight and mds picked up the Tor Browser Bundle and the attached external drive at some point.

Child Tickets

Change History (4)

comment:1 Changed 4 years ago by runa

While it is possible to completely disable Spotlight and mds, and same with Windows Search, it may not be something we want to recommend to our users. Thoughts?

comment:2 Changed 3 years ago by erinn

  • Keywords needs-triage added

comment:3 Changed 3 years ago by erinn

  • Component changed from Tor bundles/installation to Tor Browser
  • Owner changed from erinn to tbb-team

comment:4 Changed 3 years ago by teor

In order to prevent indexing of the TorBrowser dmg and app, we can add an empty file ".metadata_never_index" to the TorBrowser.app directory, and the root directory of the downloaded dmg file.

See https://apple.stackexchange.com/questions/87090/how-to-add-folder-to-spotlight-do-not-index

However, Spotlight will also index other items, including but not limited to:

  • External Drives
  • Downloaded Disk Image Files (we may be able to append ".noindex" to the ".dmg" file extension to fix this, but this could cause file type recognition issues)

Can someone in the TBB team change the scripts to create the relevant ".metadata_never_index" files to the root of the disk image and TorBrowser.app directories?

Alternatives

For completeness, and/or cleanup of previous traces.

Exclusion Paths

Spotlight has exclusion paths that can be set to prevent indexing of and delete indexes on certain folders. Unfortunately, we'd then have to worry about the exclusion path itself giving away Tor Browser.

  # Apparently, this doesn't change the UI in System Preferences
  # It may also not work at all
  sudo defaults write /.Spotlight-V100/Store-V1/Exclusions Exclusions -array-add <path>

Deactivate Indexing

A trace prevention approach is to turn indexing off before installing TBB, and turn it back on afterwards.

  sudo mdutil -i off /
  sudo mdutil -i off -a
  # Download, Use, and Remove Tor Browser
  sudo mdutil -i on /
  sudo mdutil -i on -a

Reindex File Types After Removal

Or, a more surgical trace removal approach is to re-index all files of the relevant types after using Tor Browser:

  # Use and Remove Tor Browser
  # Get the list of installed mdimport plugins
  sudo mdimport -L
  # Re-index at least these plugins
  sudo mdimport -r /System/Library/Spotlight/Application.mdimporter
  # If Tor Browser came on a disk image or archive file
  sudo mdimport -r /System/Library/Spotlight/Archives.mdimporter
  # If Tor Browser was downloaded in another browser
  sudo mdimport -r /System/Library/Spotlight/Bookmarks.mdimporter
  # If images within TorBrowser's "opaque" app directory have been indexed
  sudo mdimport -r /System/Library/Spotlight/Image.mdimporter

Delete Indexes After Removal

A more extreme, but also more secure trace removal approach is to erase the Spotlight indexes on the relevant volume(s) (or, alternately, all volumes) after removing Tor Browser. The indexes will then be rebuilt.

  # Use and Remove Tor Browser
  sudo mdutil -E /
  sudo mdutil -E -a
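The marker-file approach from comment:4 (an empty ".metadata_never_index" in the dmg root and in the TorBrowser.app directory), as an added example that is not the ticket's or Tor Browser's own build code. It assumes the caller passes the mounted disk-image root and the .app bundle directory; the paths in the trailing comment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ticket or Tor Browser's build scripts.
# Creates the Spotlight "never index" marker in each given directory and
# provides a check that every directory actually carries it.

MARKER=".metadata_never_index"

# mark_never_index DIR...: create the empty marker file in each directory
# if it is not already there. Returns 1 if any argument is not a directory,
# so a build script can fail instead of silently shipping an unmarked bundle.
mark_never_index() {
    status=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "mark_never_index: not a directory: $dir" >&2
            status=1
            continue
        fi
        # Only the file's presence matters to Spotlight; keep it empty.
        [ -e "$dir/$MARKER" ] || touch "$dir/$MARKER"
    done
    return $status
}

# check_never_index DIR...: succeed only if every directory has the marker
# as a regular file (useful as a post-build or post-install verification).
check_never_index() {
    for dir in "$@"; do
        [ -f "$dir/$MARKER" ] || return 1
    done
    return 0
}

# Example usage on constructed paths (not a real install):
# mark_never_index /Volumes/TorBrowser /Volumes/TorBrowser/TorBrowser.app \
#   && check_never_index /Volumes/TorBrowser /Volumes/TorBrowser/TorBrowser.app
```

The marker only stops future indexing of those directories; traces already written to the Spotlight store still need one of the mdimport/mdutil steps above.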