Found Security Compromise in Sandboxie

Discussion in 'privacy technology' started by tonyseeking, Feb 1, 2009.

Thread Status:
Not open for further replies.
  1. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Peter. Listen carefully to what I say.... This is not operator error, it's a genuine privacy breach in Sandboxie. All I did was save an mpeg WHILST USING SANDBOXIE, and when I cleaned out Sandboxie, I learned that Sandboxie had allowed data to be written OUTSIDE the Sandbox, proving Sandbox is flawed and not doing what it claims.
     
  2. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Pete, I am wondering about you. Why is your head in the sandbox? (excuse the pun).

    It seems you are so loyal to Sandbox and so scared of any privacy or security breaches that you are not willing to be open minded and, without bias, look at the evidence of a privacy breach found in Sandboxie.

    I stated in the other message exactly what I did, and it's normal user behaviour of saving a file, and Sandbox FAILED by writing data OUTSIDE of the Sandbox and OUTSIDE of the initial saved location of the mpeg.

    And what's more disturbing is... that the saved window was ALSO SANDBOXED, yet it still wrote data OUTSIDE the Sandbox.

    This is a genuine privacy breach that I have found, and you would be wise to take it seriously.
     
    Last edited: Feb 2, 2009
  3. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Exactly! :thumb:

    And I have proven that the claim "Enhanced Privacy: Browsing history, cookies, and cached temporary files collected while Web browsing stay in the sandbox and don't leak into Windows." is VERY MISLEADING AND FALSE!

    Who exactly do I report this to? And what is their email? Who is the author of Sandboxie?
     
  4. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    I configured Sandboxie to place a red border around all Sandbox windows.

    And the website where I downloaded the mpeg file was Sandboxed, and amazingly, even the download window was also Sandboxed and had a big red border around it. HOWEVER, there was still information saved OUTSIDE the Sandbox. :thumbd:

    That is very misleading when Sandbox shows even the download window as being Sandboxed, yet then allows data to be written to C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Recent\
     
  5. Gizzy

    Gizzy Registered Member

    Joined:
    Oct 5, 2007
    Posts:
    149
    Location:
    NJ, USA
    That's because you took the file out of the sandbox,

    If you keep the file in the sandbox and don't recover it to the desktop then this wouldn't happen,

    Once the file is taken out of the sandbox then sandboxie has no control over it.
     
  6. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    The problem is that Sandboxie allowed writing to C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Recent\

    I used Sandboxie, and saved a file to Desktop. Hence, there should only be 2 places data was written, inside Sandbox and a single file to Desktop.

    However, in the background, without my knowledge, there was data written to C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Recent\

    And if it wasn't for Ccleaner, I would never have known that my Sandbox session had allowed my personal filename to be written OUTSIDE desktop and Sandbox for all the world to see.

    There is no escaping this... I have found a legitimate Sandbox privacy breach.
     
  7. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    That is what I said; I don't know why he keeps on complaining about this supposed sandbox leak.
     
  8. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    It is inaccurate, because 100% everything I did to save that file to my Desktop was done using Sandbox. No other program was used, I was fully using Sandbox, and the save file box even belongs to Sandboxie.

    So hence, it's a Sandbox issue and they are making false and misleading claims on their website, as I have proven.
     
  9. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    You are DEAD WRONG!!! Sandboxie passed permission to windows to write OUTSIDE the sandbox, which is a mistake and privacy flaw.

    I saved the mpeg file USING SANDBOXIE save windows etc. So it's a Sandbox issue and proves it is allowing writing some data OUTSIDE of the Sandbox when it shouldn't.
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Not even. NOTHING, and I mean it, NOTHING is foolproof/leakproof. There never has been, and there never will be. If anyone wants to keep dreaming, that's their right to do so, but for those of us who want to be sensible, there should always be a "what if?" in our minds. That does not mean you have to be paranoid and afraid there are black helicopters hovering high above your house, but even a half percent chance of something going wrong is still a chance.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Funny how you're not over at SandboxIE's forums, throwing as much of a fit as you are here. I've tried everything I can to repeat your problem on my machine and I simply cannot do it. If you're expecting SandboxIE to be 100% flawless, stop using it and every other bit of software you have, and throw your system in the nearest river, because it's not going to happen. Did you ever stop to think that maybe there is a "Recent" entry in that folder because *gasp*! a "recent" file was "recently" added to your desktop? Once you recover that file from the sandbox, Windows goes on writing down everything you do like it always has.

    And again, if this is such a big problem, why the hell aren't you at the forums over there causing as much ruckus as you can?

    Edit: This is a waste of time, until he goes over to their forum and complains, this means nada, zilch.
     
  12. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
    You recovered the file, so you passed permission to windows to write outside the sandbox.

    Surely?

    philby
     
  13. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA

    The sky is falling!!! The sky is falling!!!! Lol:isay:

    Just who the hell said Sandboxie cures all. Wait a minute, I must have missed that post. Because if true, there isn't a reason for any other vendor to show up here, ever, ever again.

    The almighty Sandboxie missed something. Sorry to be dramatic, but what's the problem. Is that any different than an AV missing a piece of malware? Same outcome. I really don't even see the purpose of this thread.

    That'll do, pig, that'll do.:D
     
  14. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    That's because you have no idea where to look afterwards. Believe me, you have traces on your hard drive if you saved any files, and these traces are OUTSIDE the Sandbox.

    If you freely choose to ignore this fact, then that is your choice :)
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, see, that's the issue, DID it miss anything? If the file was recovered before this "problem" occurred, then this whole thing is dead in the water, done, stick a fork in it. And I am still anxious to hear why there is nowhere on Tzuk's forum where this problem has been posted by the OP.
     
  16. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    No. Because I saved the file using Sandboxie's own save window, which it said is sandboxed too, which it obviously isn't. And I saved a file on Desktop, and I never saved data anywhere else, so Sandbox should not have written the data elsewhere. :thumbd:
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Thanks for informing me of my own education, lol. For YOUR education, I've been repeating downloads within the sandbox for the last 30 minutes, and, if I DON'T recover them, guess what? There's NOTHING. Furthermore, and AGAIN, why are you not posting this over at SandboxIE's forums? The longer you wait to do that, the more foolish you look in my eyes.
     
  18. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    What's the URL?
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Tzuk might be sleeping. Come on folks, if this is true, and it may be, what do you think he will do? He will make it right as he always does.

    You can slam the product, but don't slam the inventor.:shifty:

    Ilya, Tzuk, Marcos, Eirik, Joe, Stefan, and on, and on, and on, and on.
     
  20. philby

    philby Registered Member

    Joined:
    Jan 10, 2008
    Posts:
    944
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
  22. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Can you open the Properties of that .lnk and post what is in the target line?

    ----
    rich
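
Added example (not part of the original thread): one way to read the target line of every shortcut in the Recent folder at once, using PowerShell and the WScript.Shell COM object, and to see whether each target lies inside or outside the sandbox container. The `C:\Sandbox` container path and the 24-hour window are assumptions; adjust them to the system being checked.

```powershell
# Added example: list recently written shortcuts in the Recent folder and where each one points.
param(
    [string]$RecentDir   = (Join-Path $env:APPDATA 'Microsoft\Windows\Recent'),
    [string]$SandboxRoot = 'C:\Sandbox',   # assumption: the sandbox container folder on this machine
    [int]$Hours          = 24              # assumption: only look at shortcuts written in the last day
)

$shell  = New-Object -ComObject WScript.Shell
$cutoff = (Get-Date).AddHours(-$Hours)

Get-ChildItem -LiteralPath $RecentDir -Filter '*.lnk' -File |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    Sort-Object LastWriteTime |
    ForEach-Object {
        # CreateShortcut on an existing .lnk opens it; TargetPath is the "Target" line from Properties.
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        [pscustomobject]@{
            Shortcut  = $_.Name
            Written   = $_.LastWriteTime
            Target    = $target
            # True only when the shortcut points at a file that still lives under the sandbox container.
            InSandbox = [bool]$target -and
                        $target.StartsWith($SandboxRoot, [System.StringComparison]::OrdinalIgnoreCase)
        }
    } |
    Format-Table -AutoSize
```

A shortcut whose target is the Desktop copy and whose write time matches the moment the file was recovered is consistent with Windows recording the recovered file; a target under the sandbox container would point the other way.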
     
  24. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    We'll certainly see, and I'll be watching sandboxIE's forums to watch the status. I still think this is simply a case of a file being removed from the sandbox and Windows doing its thing.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not true, simply not true. If you don't recover the file from the sandbox, and delete the sandbox you won't find that lnk file. Once you recover the file, you have removed it from the sandbox. Pure and simple, and the mere act of putting it on the real system desktop creates registry entries and shortcuts. The problem isn't sandboxie it's user error. If you don't want traces outside the sandbox, then don't remove it from the sandbox. DUH.
     