Debian Bug report logs - #883746
chromium: secretly stores referer and url for downloaded files

version graph

Package: chromium; Maintainer for chromium is Debian Chromium Team <chromium@packages.debian.org>; Source for chromium is src:chromium (PTS, buildd, popcon).

Reported by: Adam Borowski <kilobyte@angband.pl>

Date: Thu, 7 Dec 2017 05:45:02 UTC

Severity: important

Found in version chromium-browser/62.0.3202.89-1

Forwarded to http://crbug.com/733943

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#883746; Package chromium. (Thu, 07 Dec 2017 05:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Adam Borowski <kilobyte@angband.pl>:
New Bug report received and forwarded. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Thu, 07 Dec 2017 05:45:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Adam Borowski <kilobyte@angband.pl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chromium: secretly stores referer and url for downloaded files
Date: Thu, 07 Dec 2017 06:40:23 +0100
Package: chromium
Version: 62.0.3202.89-1
Severity: important

Hi!
If you download and save a file with Chromium (even in incognito mode), it
saves potentially sensitive metadata in a way that's completely unknown to
almost all users, even highly technical ones:

user.xdg.referrer.url: https://angband.pl/tmp/
user.xdg.origin.url: https://angband.pl/tmp/20130210_001.jpg

This photo is embarassing, but not overwhelmingly so.  It also, on its own,
appears to include no way to tie to me in particular.  There's EXIF but,
coming from a sane camera, it has no GPS data or whatever.  Yet, once the
URL is smuggled, the link to me is obvious, and it's easy to distort the
image's story into something that could get someone fired or otherwise
publicly shamed (based on typical kitten behaviour).

And it can get worse: imagine (werewolf protection) a kiddie porn image,
or a secret government file ("Hillary and Donald, sitting in a tree,
K.I.S.S.I.N.G.jpg").

In this case, referer is uninteresting, but it can be as bad or worse than
the URL itself.

This is a concern when the file is copied to any xattr-preserving media,
such as an USB stick or a CIFS mount -- or, if your computer itself is
imaged/accessed.


Meow!
-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-rc2-debug-00195-g50510b7395bf (SMP w/5 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages chromium depends on:
ii  chromium-common      62.0.3202.89-1
ii  libasound2           1.1.3-5
ii  libatk1.0-0          2.26.1-1
ii  libavcodec57         7:3.4-4
ii  libavformat57        7:3.4-4
ii  libavutil55          7:3.4-4
ii  libc6                2.25-3
ii  libcairo2            1.15.8-2
ii  libcups2             2.2.6-2
ii  libdbus-1-3          1.12.2-1.0nosystemd1
ii  libevent-2.1-6       2.1.8-stable-4
ii  libexpat1            2.2.3-2
ii  libflac8             1.3.2-1
ii  libfontconfig1       2.12.6-0.1
ii  libfreetype6         2.8.1-0.1
ii  libgcc1              1:7.2.0-17
ii  libgdk-pixbuf2.0-0   2.36.11-1
ii  libglib2.0-0         2.54.2-1
ii  libgtk2.0-0          2.24.31-4
ii  libharfbuzz0b        1.7.1-1
ii  libicu57             57.1-8
ii  libjpeg62-turbo      1:1.5.2-2+b1
ii  liblcms2-2           2.8-4
ii  libminizip1          1.1-8+b1
ii  libnspr4             2:4.16-1+b1
ii  libnss3              2:3.34-1
ii  libopus0             1.2.1-1
ii  libpango-1.0-0       1.40.13-2
ii  libpangocairo-1.0-0  1.40.13-2
ii  libpng16-16          1.6.34-1
ii  libpulse0            11.1-3.0nosystemd1
ii  libre2-3             20170101+dfsg-1
ii  libsnappy1v5         1.1.7-1
ii  libstdc++6           7.2.0-17
ii  libvpx4              1.6.1-3
ii  libwebp6             0.6.0-4
ii  libwebpdemux2        0.6.0-4
ii  libwebpmux3          0.6.0-4
ii  libx11-6             2:1.6.4-3
ii  libx11-xcb1          2:1.6.4-3
ii  libxcb1              1.12-1
ii  libxcomposite1       1:0.4.4-2
ii  libxcursor1          1:1.1.14-3
ii  libxdamage1          1:1.1.4-3
ii  libxext6             2:1.3.3-1+b2
ii  libxfixes3           1:5.0.3-1
ii  libxi6               2:1.7.9-1
ii  libxml2              2.9.4+dfsg1-5.1
ii  libxrandr2           2:1.5.1-1
ii  libxrender1          1:0.9.10-1
ii  libxslt1.1           1.1.29-5
ii  libxss1              1:1.2.2-1+b2
ii  libxtst6             2:1.2.3-1
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages chromium recommends:
ii  fonts-liberation  1:1.07.4-5

Versions of packages chromium suggests:
pn  chromium-driver    <none>
pn  chromium-l10n      <none>
pn  chromium-shell     <none>
pn  chromium-widevine  <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>:
Bug#883746; Package chromium. (Sat, 09 Dec 2017 02:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Adam Borowski <kilobyte@angband.pl>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>. (Sat, 09 Dec 2017 02:03:04 GMT) (full text, mbox, link).


Message #10 received at 883746@bugs.debian.org (full text, mbox, reply):

From: Adam Borowski <kilobyte@angband.pl>
To: 883746@bugs.debian.org
Subject: chromium on Windows
Date: Sat, 9 Dec 2017 03:00:19 +0100
For comparison, Chromium on Windows doesn't have this privacy hole:

ꜰɪʟᴇ: user.Zone.Identifier: [ZoneTransfer]
ZoneId=3

(Ie, it saves merely whether the file came from this computer, local
network, or the Interwebs at large.)


I assume Chromium on Android does, which is a lot worse than regular
computers, as phones get seized/imaged/stolen drastically more often.


Meow!
-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable And Non-Discriminatory prices.



Set Bug forwarded-to-address to 'http://crbug.com/733943'. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 11 Feb 2018 03:39:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Team <chromium-browser@packages.debian.org>:
Bug#883746; Package chromium. (Mon, 17 Sep 2018 13:51:11 GMT) (full text, mbox, link).


Acknowledgement sent to Ken Yap <kenyap.com.au@hotmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Team <chromium-browser@packages.debian.org>. (Mon, 17 Sep 2018 13:51:11 GMT) (full text, mbox, link).


Message #17 received at 883746@bugs.debian.org (full text, mbox, reply):

From: Ken Yap <kenyap.com.au@hotmail.com>
To: "883746@bugs.debian.org" <883746@bugs.debian.org>
Subject: chromium: secretly stores referer and url for downloaded files
Date: Mon, 17 Sep 2018 13:49:23 +0000
This is tangentially related but I found that GNU wget (1.19.5 on my
system) also stores this information, and there is no way to turn it
off; it's not mentioned in the documentation. I wonder what the FSF's
take is on this.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Team <chromium@packages.debian.org>:
Bug#883746; Package chromium. (Fri, 15 Mar 2019 03:33:02 GMT) (full text, mbox, link).


Acknowledgement sent to Ken Yap <kenyap.com.au@hotmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Team <chromium@packages.debian.org>. (Fri, 15 Mar 2019 03:33:02 GMT) (full text, mbox, link).


Message #22 received at 883746@bugs.debian.org (full text, mbox, reply):

From: Ken Yap <kenyap.com.au@hotmail.com>
To: "883746@bugs.debian.org" <883746@bugs.debian.org>
Subject: Re: chromium: secretly stores referer and url for downloaded files
Date: Fri, 15 Mar 2019 03:30:41 +0000
[Message part 1 (text/plain, inline)]
I've been asked where wget stores the URL. Same place as Chromium, in the extended attributes. Here is my blog entry recounting my small investigation:

https://green-possum-today.blogspot.com/2018/09/chromechromium-is-storing-url-and.html
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Team <chromium@packages.debian.org>:
Bug#883746; Package chromium. (Sun, 17 Mar 2019 16:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Adam Borowski <kilobyte@angband.pl>:
Extra info received and forwarded to list. Copy sent to Debian Chromium Team <chromium@packages.debian.org>. (Sun, 17 Mar 2019 16:42:03 GMT) (full text, mbox, link).


Message #27 received at 883746@bugs.debian.org (full text, mbox, reply):

From: Adam Borowski <kilobyte@angband.pl>
To: Ken Yap <kenyap.com.au@hotmail.com>, 883746@bugs.debian.org
Subject: Re: Bug#883746: chromium: secretly stores referer and url for downloaded files
Date: Sun, 17 Mar 2019 17:38:47 +0100
On Fri, Mar 15, 2019 at 03:30:41AM +0000, Ken Yap wrote:
> I've been asked where wget stores the URL.  Same place as Chromium, in the
> extended attributes.  Here is my blog entry recounting my small
> investigation:
> 
> https://green-possum-today.blogspot.com/2018/09/chromechromium-is-storing-url-and.html

The patch for wget has been written by a Google employee who works on
Chrome.  And, it has just (2018-12-26) been both disabled by default and
neutered wrt what it saves even when manually enabled:

# * Changes in Wget 1.20.1
#
# ** --xattr is no longer default since it introduces privacy issues.
#
# ** --xattr saves the Referer as scheme/host/port, user/pw/path/query/fragment
#    are no longer saved to prevent privacy issues.
#
# ** --xattr saves the Original URL without user/password to prevent
#    privacy issues.

I'd say the same should be done in Debian-shipped Chromium.


Meow!
-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Did ya know that typing "test -j8" instead of "ctest -j8"
⢿⡄⠘⠷⠚⠋⠀ will make your testsuite pass much faster, and fix bugs?
⠈⠳⣄⠀⠀⠀⠀



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Chromium Team <chromium@packages.debian.org>:
Bug#883746; Package chromium. (Mon, 26 Oct 2020 13:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to drsibelj51@gmail.com:
Extra info received and forwarded to list. Copy sent to Debian Chromium Team <chromium@packages.debian.org>. (Mon, 26 Oct 2020 13:21:08 GMT) (full text, mbox, link).


Message #32 received at 883746@bugs.debian.org (full text, mbox, reply):

From: Dr Sibel Jihan Wright <onyiijaja@yahoo.com>
Subject: GOOD DAY
Date: Mon, 26 Oct 2020 13:18:18 +0000 (UTC)



Hi, this is Miss Sibel US Army and Medical practitioner from United States. Please I will need you to contact me through my email for an important discussion. Thanks and remain blessed  



Message sent on to Adam Borowski <kilobyte@angband.pl>:
Bug#883746. (Wed, 03 May 2023 23:21:02 GMT) (full text, mbox, link).


Message #35 received at 883746-submitter@bugs.debian.org (full text, mbox, reply):

From: Andres Salomon <dilinger@queued.net>
To: 883746-submitter@bugs.debian.org
Subject: Re: Bug#883746: chromium: secretly stores referer and url for downloaded files
Date: Wed, 03 May 2023 19:17:50 -0400
On Sun, 17 Mar 2019 17:38:47 +0100 Adam Borowski <kilobyte@angband.pl> 
wrote:
> On Fri, Mar 15, 2019 at 03:30:41AM +0000, Ken Yap wrote:
> > I've been asked where wget stores the URL.  Same place as 
Chromium, in the
> > extended attributes.  Here is my blog entry recounting my small
> > investigation:
> >
> > 
https://green-possum-today.blogspot.com/2018/09/chromechromium-is-storing-url-and.html
>
> The patch for wget has been written by a Google employee who works on
> Chrome.  And, it has just (2018-12-26) been both disabled by default 
and
> neutered wrt what it saves even when manually enabled:
>
> # * Changes in Wget 1.20.1
> #
> # ** --xattr is no longer default since it introduces privacy issues.
> #
> # ** --xattr saves the Referer as scheme/host/port, 
user/pw/path/query/fragment
> #    are no longer saved to prevent privacy issues.
> #
> # ** --xattr saves the Original URL without user/password to prevent
> #    privacy issues.
>
> I'd say the same should be done in Debian-shipped Chromium.
>

Did upstream change this behavior? i'm just looking at this bug now, 
and I'm unable to reproduce it. If I use wget --xattr, I can see it:

dilinger@5410:/tmp$ wget -q --xattr 
https://github.com/ssokolow/rar-test-files/raw/master/build/testfile.rar3.av.rar
dilinger@5410:/tmp$ getfattr -d testfile.rar3.av.rar
# file: testfile.rar3.av.rar
user.xdg.origin.url="https://raw.githubusercontent.com/ssokolow/rar-test-files/master/build/testfile.rar3.av.rar"
user.xdg.referrer.url="https://github.com"


But if I download the same file with chromium (113.0.5672.63-1):

dilinger@5410:/tmp$ rm testfile.rar3.av.rar
dilinger@5410:/tmp$ getfattr -d testfile.rar3.av.rar
dilinger@5410:/tmp$







Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri May 26 10:24:45 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.