Chrome allowing unauthorized local storage

Discussion in 'privacy problems' started by shuverisan, Feb 29, 2012.

Thread Status:
Not open for further replies.
  1. shuverisan
    shuverisan Registered Member

    I wanted to make a new thread for what I already mentioned here
    http://www.wilderssecurity.com/showpost.php?p=2022463&postcount=14

    Chrome, Chromium and Chromium based browsers are allowing cookies to be saved when all local data setting is disabled. I've not found any bug reports or Google support threads talking about this.

    I made a short video clearly showing what I describe.
    http://thesimplecomputer.info/chrome-allowing-all-cookies.html

    Surely this can't be the first time it's been noticed? Does anyone know anything more? Can any Chrome, Chromium, Iron, etc. users add to the list of super special allowed domain cookies?

    So far I've seen:
    Amazon
    Blekko
    Yippy
    Ecosia
    Cluuz
    CNN
    Youtube


    (but on the plus side, Chrome now offers DuckDuckGo as a default search choice on installation)


    Update: 3/2/2012
    According to Mike West, the patched Chrome stable is going through QA checks now so it should be sent out in a browser update at the beginning of next week.

    Update: 3/1/2012
    The patch (code here) is in Chromium build 124404 and later.
    http://commondatastorage.googleapis.com/chromium-browser-continuous/index.html

    Update: 2/29/12
    Got an email from Mike West, they're on it and all should be smoothed out soon. The problem is that Chrome's URLFetcher is ignoring the cookie policy for some search engines and some sites that have internal searching. I have his full explanation on my page (the 2nd link above) and I'll be updating it and this post until the issue is resolved.
    Last edited: Mar 2, 2012
  2. Hungry Man
    Hungry Man Registered Member

    File a bug report/ email Mike West? They'll know more than anyone here will I assume.

    edit: And thanks for the new topic, I doubt I'd have seen that post.
    Last edited: Feb 29, 2012
  3. shuverisan
    shuverisan Registered Member

    No problem, Hungry. This is urgent and I'm still a bit in disbelief that it's a newfound issue.

    I did file a bug report and I emailed Mike West both the below link and one to my vid. He's usually quick with responses.
    http://code.google.com/p/chromium/issues/detail?id=116253

    Let's see where this goes.
  4. vasa1
    vasa1 Registered Member

    I tried www.blekko.com with your instructions and have two cookies. One, searchsessionid expiring Mar 1, 2012 and the other, longsessionid, expiring Feb 26, 2022 !!!

    This is with Chrome 17.0.963.56 on Ubuntu.

    I starred the bug.
    Last edited: Feb 29, 2012
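An added example, not part of the thread: one way to check a cookie store for entries like the two reported above while storage is supposed to be blocked. The in-memory table is a constructed stand-in that keeps only the `host_key`, `name` and `expires_utc` columns of Chrome's cookie database; the `.blekko.com` host key, the `intranet.example` exception and the audit date are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores cookie times as microseconds since 1601-01-01 UTC.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_chrome_time(dt):
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)

def from_chrome_time(us):
    return CHROME_EPOCH + timedelta(microseconds=us)

def host_allowed(host_key, allowed_hosts):
    """True if the cookie's host matches a configured exception or its subdomain."""
    host = host_key.lstrip(".").lower()
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)

def audit(conn, allowed_hosts, now, long_lived_days=365):
    """List cookies that exist although cookie storage is blocked for their host."""
    findings = []
    query = "SELECT host_key, name, expires_utc FROM cookies ORDER BY host_key, name"
    for host_key, name, expires_utc in conn.execute(query):
        if host_allowed(host_key, allowed_hosts):
            continue
        expires = from_chrome_time(expires_utc)
        findings.append({
            "host": host_key,
            "name": name,
            "expires": expires.date().isoformat(),
            "long_lived": expires - now > timedelta(days=long_lived_days),
        })
    return findings

def build_sample_store():
    """Constructed stand-in for a profile's cookie database (three columns only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, expires_utc INTEGER)")
    sample = [
        (".blekko.com", "searchsessionid", datetime(2012, 3, 1, tzinfo=timezone.utc)),
        (".blekko.com", "longsessionid", datetime(2022, 2, 26, tzinfo=timezone.utc)),
        ("intranet.example", "sid", datetime(2012, 3, 15, tzinfo=timezone.utc)),
    ]
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?)",
                     [(h, n, to_chrome_time(e)) for h, n, e in sample])
    return conn

if __name__ == "__main__":
    now = datetime(2012, 2, 29, tzinfo=timezone.utc)
    for f in audit(build_sample_store(), {"intranet.example"}, now):
        print(f)
```

Any row returned while the profile is set to block all local data is a policy violation; the `long_lived` flag separates session-style cookies from ones that persist for years.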
  5. Hungry Man
    Hungry Man Registered Member

    I sent Mike a message with a link to your article when you posted it - I should have said that, lol. He got back to me a while ago.

    Mike West - Thanks. That does indeed look like a bad bug, and I can reproduce it on stable (but not on Canary). Flagging it, looking into it.
  6. m00nbl00d
    m00nbl00d Registered Member

    I accessed Blekko and even allowed JavaScript (just in case), and see no cookies. I'm using Chromium Developer Build 124016 Windows.

    Then again, I've got a freakish Chromium profiling system... :D

    -edit-

    A relative of mine is using Google Chrome (stable channel) and I'll see if it does store cookies.
  7. pandorax
    pandorax Registered Member

    Amazon, CNN and YouTube set cookies on stable 17, Win7 :thumbd:
  8. Hungry Man
    Hungry Man Registered Member

    Patch landed on trunk ~45 minutes ago. It'll be merged back to stable and released with the next update.

    -- Mike West
  9. vasa1
    vasa1 Registered Member

    OP should get some Google currency :D
  10. vasa1
    vasa1 Registered Member

    What about the famous Iron? Did you take a look at that (since no other Iron user has volunteered information)?
  11. Hungry Man
    Hungry Man Registered Member

    It's not like Iron really changes much in the code - I seriously doubt it's fixed there.
  12. shuverisan
    shuverisan Registered Member

    I certainly did. Iron 16.0.950.0 and 17.0.1000.0 in Windows and Linux do the exact same thing. I assume Dragon and others do too since urlfetcher is an inherent part of the source that no one would have reason to remove.

    Never heard of Google currency before. The Federal Reserve Act ends this year so maybe G.dolla$ will replace FR notes! :D
  13. vasa1
    vasa1 Registered Member

    But it would be nice to get an answer from an actual user, don't you think? After all, I don't think they're that reticent otherwise ;)

    Didn't see OP's post but I would still like to hear from others because it really, really, really shatters my belief that Iron protects its users' privacy, especially if they didn't verify that they are actually protecting their users since that's their raison d'etre.

    I think it's this whole rapid release thing that Iron is blindly copying. They owe it to their loyal users to check out the RC more thoroughly.
    Last edited: Feb 29, 2012
  14. Hungry Man
    Hungry Man Registered Member

    Is it really so surprising having seen the multitude of evidence against the browser?
  15. vasa1
    vasa1 Registered Member

  16. vasa1
    vasa1 Registered Member

    Well, at least those claiming to make a better browser than Chrome in terms of PRIVACY should have verified their claims?

    If you don't mind, I'm gonna point a blogger to your post :D
  17. shuverisan
    shuverisan Registered Member

    I was expecting at least a few Iron regular users to chime in but this thread has one of the lowest view counts in the subforum. Maybe I shoulda worded the title with something more exciting.
    I am following their progress. I just tried Chromium build 124280 which (from what I can tell) has the patch, no change yet.
    http://build.chromium.org/p/tryserver.chromium/builders/linux_rel/builds/5184

    I admit, I have a hard time following it all too. They have a lot of acronyms and references for other code chunks I've never seen before. M17 to me is the Omega Nebula so I'm learning as I go. :doubt:
    Not at all! The more the merrier.
  18. Hungry Man
    Hungry Man Registered Member

    EVIL GOOGLE MALICIouSLY prevents privacy evil evil COOKIES BAD

    M17 means milestone 17.
  19. vasa1
    vasa1 Registered Member

    I'm sending you some e-thanks by PM if you don't mind :D
  20. shuverisan
    shuverisan Registered Member

    nice, pm responded :cool:
  21. vasa1
    vasa1 Registered Member

    which means (to me) that they intend to push out an update to the current stable because we're already at ver. 17.
  22. Hungry Man
    Hungry Man Registered Member

    That is indeed what it means.
  23. shuverisan
    shuverisan Registered Member

    Chromium is patched and working fine now.
  24. vasa1
    vasa1 Registered Member

    Good job! So have you figured out what exactly went wrong? ... in simple terms please!
  25. shuverisan
    shuverisan Registered Member

    Basically, when OpenSearch (which can be read about here) descriptions (which looks like this) were downloaded by the browser for sites with embedded search features, the browser profile's cookie rules weren't followed.

    I didn't know Amazon basically created OpenSearch. I thought that was a Google effort.
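An added example, not part of the thread and not Chromium code: sites advertise an OpenSearch description with a `<link rel="search" type="application/opensearchdescription+xml">` element, and that link is what leads the browser to download the description. The sketch below lists those description URLs for a page and keeps the ones whose responses must not be allowed to set cookies under a block-all policy; the sample HTML, the host names and the exception list are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

OSD_TYPE = "application/opensearchdescription+xml"

class SearchLinkFinder(HTMLParser):
    """Collects the OpenSearch description URLs a page advertises."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rels = a.get("rel", "").lower().split()
        if "search" in rels and a.get("type", "").strip().lower() == OSD_TYPE and a.get("href"):
            # Resolve relative and scheme-relative hrefs against the page URL.
            self.urls.append(urljoin(self.page_url, a["href"]))

def description_urls(page_url, html):
    finder = SearchLinkFinder(page_url)
    finder.feed(html)
    return finder.urls

def fetches_needing_policy(page_url, html, allowed_hosts):
    """Description URLs whose host has no cookie exception: Set-Cookie must be dropped."""
    blocked = []
    for url in description_urls(page_url, html):
        host = (urlsplit(url).hostname or "").lower()
        if not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            blocked.append(url)
    return blocked

# Constructed sample page; only the second and third links are OpenSearch descriptions.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/s.css">
<link rel="search" type="application/opensearchdescription+xml" href="/osd.xml" title="Example">
<link REL="Search" TYPE="application/opensearchdescription+xml" href="//search.example.net/osd.xml" />
<link rel="search" type="text/html" href="/find">
</head><body></body></html>"""

if __name__ == "__main__":
    page = "https://shop.example.com/index.html"
    print(description_urls(page, SAMPLE_PAGE))
    print(fetches_needing_policy(page, SAMPLE_PAGE, {"example.com"}))
```

The returned URLs are the requests to watch in a proxy or in the cookie store when regression-testing a build against this bug.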