[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #29887 [Applications/Tor Browser]: Potential user activity data leak

To: undisclosed-recipients: ;
Subject: [tor-bugs] #29887 [Applications/Tor Browser]: Potential user activity data leak
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Mon, 25 Mar 2019 08:01:03 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 25 Mar 2019 04:02:03 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#29887: Potential user activity data leak
--------------------------------+------------------------------------------
 Reporter:  pf.team             |          Owner:  tbb-team
     Type:  defect              |         Status:  new
 Priority:  High                |      Component:  Applications/Tor Browser
  Version:                      |       Severity:  Major
 Keywords:  prefs.js            |  Actual Points:
  TorBrowser                    |
Parent ID:                      |         Points:
 Reviewer:                      |        Sponsor:
--------------------------------+------------------------------------------
 The user preferences file at
 ./Browser/TorBrowser/Data/Browser/profile.default/prefs.js contains data
 that can be used to tie anonymous activity via Tor in a certain time
 period to a particular user. This information may serve as additional
 evidence and help repressive regimes to identify activists and
 whistleblowers.

 The most sensitive data is contained in the following parameters:
 * toolkit.startup.last_success - time of last successful browser startup.
 * browser.laterrun.bookkeeping.profileCreationTime - profile creation
 time, i.e. when this browser was started for the first time.

 All other parameters listed below are regularly updated during the
 browser's run. Given their quantity, they may serve as a pretty reliable
 indication of when this particular user was online.

 * app.update.lastUpdateTime.addon-background-update-timer
 * app.update.lastUpdateTime.background-update-timer
 * app.update.lastUpdateTime.blocklist-background-update-timer
 * app.update.lastUpdateTime.browser-cleanup-thumbnails
 * app.update.lastUpdateTime.experiments-update-timer
 * app.update.lastUpdateTime.search-engine-update-timer
 * app.update.lastUpdateTime.xpi-signature-verification
 * extensions.blocklist.lastModified
 * extensions.torbutton.lastUpdateCheck
 * idle.lastDailyNotification
 * media.gmp-manager.lastCheck
 * places.database.lastMaintenance
 * storage.vacuum.last.places.sqlite
 * app.update.lastUpdateTime.xpi-signature-verification

 If there are any other such parameters, they may pose a security risk as
 well.

 As a possible solution, we propose that these parameters should not be
 updated at all, and the browser should treat every time it is run as the
 first.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29887>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #29887 [Applications/Tor Browser]: Potential user activity data leak
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #29887 [Applications/Tor Browser]: Potential user activity data leak
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #29887 [Applications/Tor Browser]: Potential user activity data leak
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #29887 [Applications/Tor Browser]: Potential user activity data leak
  - From: Tor Bug Tracker & Wiki

Prev by Author: Re: [tor-bugs] #29388 [Internal Services/Tor Sysadmin Team]: Find out requirements for running Prometheus
Next by Author: Re: [tor-bugs] #29737 [Core Tor/Tor]: Assign package proposal a number, change its filename, and merge it to torspec
Previous by thread: [tor-bugs] #29886 [Applications/Tor Browser]: NoScript icon is still visible in context menu after the fix for #25658 landed
Next by thread: Re: [tor-bugs] #29887 [Applications/Tor Browser]: Potential user activity data leak
Index(es):
- Author
- Thread