Chromium: Secretly stores referer and url for downloaded files (2017)
source link: https://www.tuicool.com/articles/hit/niMzuij
Debian Bug report logs - #883746
chromium: secretly stores referer and url for downloaded files
Package: chromium; Maintainer for chromium is Debian Chromium Team <[email protected]>; Source for chromium is src:chromium.
Reported by: Adam Borowski <[email protected]>
Date: Thu, 7 Dec 2017 05:45:02 UTC
Severity: important
Found in version chromium-browser/62.0.3202.89-1
Forwarded to http://crbug.com/733943
Report forwarded to [email protected], Debian Chromium Maintainers <[email protected]>: Bug#883746; Package chromium. (Thu, 07 Dec 2017 05:45:04 GMT)
Acknowledgement sent to Adam Borowski <[email protected]>: New Bug report received and forwarded. Copy sent to Debian Chromium Maintainers <[email protected]>. (Thu, 07 Dec 2017 05:45:05 GMT)
Message received at [email protected]:
From: Adam Borowski <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: chromium: secretly stores referer and url for downloaded files
Date: Thu, 07 Dec 2017 06:40:23 +0100
Package: chromium
Version: 62.0.3202.89-1
Severity: important

Hi!

If you download and save a file with Chromium (even in incognito mode), it saves potentially sensitive metadata in a way that's completely unknown to almost all users, even highly technical ones:

user.xdg.referrer.url: https://angband.pl/tmp/
user.xdg.origin.url: https://angband.pl/tmp/20130210_001.jpg

This photo is embarrassing, but not overwhelmingly so. It also, on its own, appears to include no way to tie to me in particular. There's EXIF but, coming from a sane camera, it has no GPS data or whatever. Yet, once the URL is smuggled, the link to me is obvious, and it's easy to distort the image's story into something that could get someone fired or otherwise publicly shamed (based on typical kitten behaviour).

And it can get worse: imagine (werewolf protection) a kiddie porn image, or a secret government file ("Hillary and Donald, sitting in a tree, K.I.S.S.I.N.G.jpg").

In this case, referer is uninteresting, but it can be as bad or worse than the URL itself.

This is a concern when the file is copied to any xattr-preserving media, such as a USB stick or a CIFS mount -- or, if your computer itself is imaged/accessed.

Meow!

-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-rc2-debug-00195-g50510b7395bf (SMP w/5 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages chromium depends on:
ii chromium-common 62.0.3202.89-1
ii libasound2 1.1.3-5
ii libatk1.0-0 2.26.1-1
ii libavcodec57 7:3.4-4
ii libavformat57 7:3.4-4
ii libavutil55 7:3.4-4
ii libc6 2.25-3
ii libcairo2 1.15.8-2
ii libcups2 2.2.6-2
ii libdbus-1-3 1.12.2-1.0nosystemd1
ii libevent-2.1-6 2.1.8-stable-4
ii libexpat1 2.2.3-2
ii libflac8 1.3.2-1
ii libfontconfig1 2.12.6-0.1
ii libfreetype6 2.8.1-0.1
ii libgcc1 1:7.2.0-17
ii libgdk-pixbuf2.0-0 2.36.11-1
ii libglib2.0-0 2.54.2-1
ii libgtk2.0-0 2.24.31-4
ii libharfbuzz0b 1.7.1-1
ii libicu57 57.1-8
ii libjpeg62-turbo 1:1.5.2-2+b1
ii liblcms2-2 2.8-4
ii libminizip1 1.1-8+b1
ii libnspr4 2:4.16-1+b1
ii libnss3 2:3.34-1
ii libopus0 1.2.1-1
ii libpango-1.0-0 1.40.13-2
ii libpangocairo-1.0-0 1.40.13-2
ii libpng16-16 1.6.34-1
ii libpulse0 11.1-3.0nosystemd1
ii libre2-3 20170101+dfsg-1
ii libsnappy1v5 1.1.7-1
ii libstdc++6 7.2.0-17
ii libvpx4 1.6.1-3
ii libwebp6 0.6.0-4
ii libwebpdemux2 0.6.0-4
ii libwebpmux3 0.6.0-4
ii libx11-6 2:1.6.4-3
ii libx11-xcb1 2:1.6.4-3
ii libxcb1 1.12-1
ii libxcomposite1 1:0.4.4-2
ii libxcursor1 1:1.1.14-3
ii libxdamage1 1:1.1.4-3
ii libxext6 2:1.3.3-1+b2
ii libxfixes3 1:5.0.3-1
ii libxi6 2:1.7.9-1
ii libxml2 2.9.4+dfsg1-5.1
ii libxrandr2 2:1.5.1-1
ii libxrender1 1:0.9.10-1
ii libxslt1.1 1.1.29-5
ii libxss1 1:1.2.2-1+b2
ii libxtst6 2:1.2.3-1
ii zlib1g 1:1.2.8.dfsg-5

Versions of packages chromium recommends:
ii fonts-liberation 1:1.07.4-5

Versions of packages chromium suggests:
pn chromium-driver <none>
pn chromium-l10n <none>
pn chromium-shell <none>
pn chromium-widevine <none>

-- no debconf information
Information forwarded to [email protected], Debian Chromium Maintainers <[email protected]>: Bug#883746; Package chromium. (Sat, 09 Dec 2017 02:03:03 GMT)
Acknowledgement sent to Adam Borowski <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <[email protected]>. (Sat, 09 Dec 2017 02:03:04 GMT)
Message received at [email protected]:
From: Adam Borowski <[email protected]>
Subject: chromium on Windows
Date: Sat, 9 Dec 2017 03:00:19 +0100
For comparison, Chromium on Windows doesn't have this privacy hole:

ꜰɪʟᴇ: user.Zone.Identifier: [ZoneTransfer]
ZoneId=3

(I.e., it saves merely whether the file came from this computer, local network, or the Interwebs at large.)

I assume Chromium on Android does, which is a lot worse than regular computers, as phones get seized/imaged/stolen drastically more often.

Meow!
--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.

Set Bug forwarded-to-address to 'http://crbug.com/733943'. Request was from Michael Gilbert <[email protected]> to [email protected]. (Sun, 11 Feb 2018 03:39:02 GMT)
Information forwarded to [email protected], Debian Chromium Team <[email protected]>: Bug#883746; Package chromium. (Mon, 17 Sep 2018 13:51:11 GMT)
Acknowledgement sent to Ken Yap <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Chromium Team <[email protected]>. (Mon, 17 Sep 2018 13:51:11 GMT)
Message received at [email protected]:
From: Ken Yap <[email protected]>
To: "[email protected]" <[email protected]>
Subject: chromium: secretly stores referer and url for downloaded files
Date: Mon, 17 Sep 2018 13:49:23 +0000
This is tangentially related but I found that GNU wget (1.19.5 on my system) also stores this information, and there is no way to turn it off; it's not mentioned in the documentation. I wonder what the FSF's take is on this.
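The two xattr names quoted in the original report (user.xdg.origin.url and user.xdg.referrer.url) are ordinary user-namespace extended attributes, so a defender can audit and strip them with the standard xattr calls. The following script is an added example, not code from the bug report, from Chromium or from wget; it assumes Linux (Python's os.listxattr/os.getxattr/os.removexattr are Linux-only) and a filesystem that accepts user xattrs, and the URLs, the user.comment attribute and the sample file it tags are constructed for the demonstration. It covers both Adam Borowski's report about Chromium and Ken Yap's note about wget, since any tool that writes these two attribute names leaves the same trace; scrub_tree() is the piece you would point at a Downloads directory before copying files to a USB stick or CIFS mount.

```python
"""Find and strip the download-provenance xattrs described in Debian bug #883746.

Added example, not part of the bug report, Chromium or wget. Assumes Linux
and a filesystem with user-namespace xattr support.
"""
import os
import tempfile

# Attribute names quoted in the bug report.
PROVENANCE_XATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def provenance_attrs(names):
    """Return the subset of xattr names that reveal where a file came from."""
    return [n for n in names if n in PROVENANCE_XATTRS]


def inspect(path):
    """Map each provenance xattr on path to its decoded value.

    Returns {} when the file carries none, or when xattrs are unavailable.
    """
    if not hasattr(os, "listxattr"):
        return {}
    try:
        names = os.listxattr(path)
    except OSError:
        return {}
    return {n: os.getxattr(path, n).decode("utf-8", "replace")
            for n in provenance_attrs(names)}


def scrub(path):
    """Remove provenance xattrs from path; every other attribute is left alone.

    Returns the list of attribute names removed (empty if there were none).
    """
    removed = []
    for n in provenance_attrs(os.listxattr(path)):
        os.removexattr(path, n)
        removed.append(n)
    return removed


def scrub_tree(root):
    """Scrub every regular file below root; return {path: names removed}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never follow symlinks out of the tree
            try:
                removed = scrub(path)
            except OSError:
                continue  # unreadable file, or filesystem without xattrs
            if removed:
                report[path] = removed
    return report


def demo():
    """Tag a constructed temp file the way a Chromium download would be tagged,
    then inspect and scrub it.

    Returns (before, removed, after, remaining_attrs), or None when user
    xattrs cannot be set here (non-Linux, or a filesystem without them).
    """
    if not hasattr(os, "setxattr"):
        return None
    fd, path = tempfile.mkstemp(suffix=".jpg")
    try:
        os.write(fd, b"constructed sample download, not a real image\n")
        os.close(fd)
        try:
            # Constructed values; the bug report itself shows angband.pl URLs.
            os.setxattr(path, "user.xdg.origin.url",
                        b"https://example.invalid/tmp/photo.jpg")
            os.setxattr(path, "user.xdg.referrer.url",
                        b"https://example.invalid/tmp/")
            # Hypothetical unrelated attribute that the scrubber must preserve.
            os.setxattr(path, "user.comment", b"keep me")
        except OSError:
            return None
        before = inspect(path)
        removed = scrub(path)
        after = inspect(path)
        remaining = os.listxattr(path)
        return before, sorted(removed), after, remaining
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Running the file prints the attributes found before scrubbing, the names removed, and what is left (only user.comment). Note that scrubbing the local copy does nothing for the original URL already recorded elsewhere (browser history, server logs); the point is only that the file itself no longer carries its origin when it travels.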
Debian bug tracking system administrator <[email protected]>. Last modified: Thu Mar 14 15:53:34 2019; Machine Name: buxtehude.
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.