Opened 5 years ago

Last modified 2 years ago

#9220 reopened defect

Tor Browser accesses LSOs

Reported by: cypherpunks
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-torbutton, tbb-newnym
Cc: retor@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

This may have been an isolated incident, and I have not experienced it since July 3, but Colin C. at Tor help has suggested that I submit a ticket for this security breach.

I have the latest full release Tor Browser Bundle installed for my Mac (2.3.25-10). After 'verifying' on July 3 that Tor was in use via https://check.torproject.org, I linked to the following, which raised alarm bells for me:
http://www.organicconsumers.org/ocaactions.cfm?actionnum=11436

Within Tor, the link opened a page with my e-mail address already in place for an action alert message that I was intending to send (but never did).

My immediate response was to right-click the page and go to View Page info > Security > View Cookies > Remove All Cookies within Tor Browser/Firefox ESR 17.0.7. The problem of the embedded email address persisted on my next attempt to access the link within Tor despite having removed cookies this way and initiating a new identity via Vidalia.

Later the same day, I discovered that LSOs had appeared out of nowhere on my computer sometime relatively recently, indeed just before the Tor use attempt I have described, above. (I check for LSOs daily.) Record of these LSOs was accessible via my Safari browser, showing up as such things as "Apple local storage" and "Local storage on your computer" (as well as a few others, including, I believe, salsalabs.com, which would have been generated within Safari via my linking to http://salsa3.salsalabs.com/dia/track.jsp + identifying code). And it was via my Safari browser that I was able to delete all the LSOs.

After I deleted all the LSOs and repeated the link via Tor (with new identity and after deleting Firefox cookies, of course), the embedded email info was blessedly absent.

My burning question is, why would Tor be accessing LSOs?
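The reporter checks for LSOs by hand through another browser's UI. As an added example (a shell script written for this page, not part of the ticket, Tor Browser or Torbutton), the check below enumerates Flash Local Shared Objects (.sol files) directly on disk and reports which site wrote each one. The default directory is assumed to be Flash Player's standard macOS location, and the "random id, then site" layout under it is an assumption too; pass another directory to override.

```shell
#!/bin/sh
# Added example: list Flash Local Shared Objects (.sol files) under a Flash
# Player storage directory. Default path assumed from Flash Player's usual
# macOS layout; not taken from the ticket.
FLASH_DIR_DEFAULT="$HOME/Library/Preferences/Macromedia/Flash Player/#SharedObjects"

# list_lsos [DIR]: print "<site><TAB><path>" for every .sol file under DIR.
# Assumed layout: DIR/<random id>/<site>/<optional path...>/<name>.sol
list_lsos() {
    dir="${1:-$FLASH_DIR_DEFAULT}"
    [ -d "$dir" ] || return 0          # nothing stored: empty report, success
    find "$dir" -type f -name '*.sol' | while IFS= read -r f; do
        rel="${f#"$dir"/}"             # strip the base directory
        rel="${rel#*/}"                # drop the random id component
        site="${rel%%/*}"              # first remaining component is the site
        printf '%s\t%s\n' "$site" "$f"
    done
}

# count_lsos [DIR]: number of .sol files under DIR (0 when DIR is absent).
count_lsos() {
    list_lsos "$1" | wc -l | tr -d ' '
}

# Usage: source this file, then run `list_lsos` (or `list_lsos /some/dir`)
# to see every persisted object and the site that owns it.
```

Run it before and after a "New Identity" to confirm whether anything outside the browser profile survived; a non-empty report after New Identity is the condition the ticket describes.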

Change History (7)

comment:1 Changed 5 years ago by nickm_mobile

Component: Tor → TorBrowserButton
Owner: set to mikeperry
Status: new → assigned

comment:2 Changed 4 years ago by erinn

Component: TorBrowserButton → Tor Browser
Keywords: tbb-torbutton added

comment:3 Changed 2 years ago by bugzilla

Keywords: tbb-linkability added
Milestone: TorBrowserBundle 2.3.x-stable
Owner: changed from mikeperry to tbb-team
Severity: Normal
Summary: Tor accessing LSOs → Tor Browser accesses LSOs
Version: Tor: 0.2.3.25

comment:4 Changed 2 years ago by bugzilla

Resolution: fixed
Status: assigned → closed

It's an intended behavior of FF. To prevent this TBB uses PBM now.

comment:5 Changed 2 years ago by gk

Resolution: fixed
Status: closed → reopened

I don't think that LSOs are bound to private browsing mode.

comment:6 Changed 2 years ago by gk

Oh, it might even be adhering to it, depending on what is faster, Flash or PBM:

Upon creation, a Flash Player instance initializes to the current browsing mode of the browser. If the browser is in private browsing mode when the Flash Player instance is created, then that particular instance will forever be in private browsing mode. Likewise, if the browser is in normal browsing mode when the Flash Player instance is created, then that particular instance will forever be in normal browsing mode (private browsing is turned off).

https://www.adobe.com/devnet/flashplayer/articles/privacy_mode_fp10_1.html

comment:7 Changed 2 years ago by bugzilla

Keywords: tbb-newnym added; tbb-linkability removed

The ticket is about tbb-newnym according to the description. And it got fixed exactly by what you've written.

Yes, the Adobe paper is quite confusing: either FF creates a new Flash Player instance for PBM or it's an epic fail. But nevertheless, this ticket is about clearing LSOs on New Identity and FF does it.

Last edited 2 years ago by bugzilla