Found Security Compromise in Sandboxie

A .lnk (shortcut) file is not written to Recent until the file is opened.

The target in the .lnk file points to the location where the file was opened.

​

With the OP's .lnk -- C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Recent\Horizon-14-Nighttime-2.mpeg.lnk

If the target is C:\Sandbox then the file was in Sandbox when opened and Sandbox did not prevent writing to disk.

If the target is C:\.....\Desktop then the file was on the Desktop when opened, outside of Sandbox control.

Someone with Sandbox can certainly test this.

----
rich

 

OK just a liitle test while in sandboxie I did,I right clicked sandboxie and elevated Admin,run administration.I downloadesd malwarebytes (MBAM) Antispyware.I ran the excutable and once installed I updated its data.Now I looked in program files nothing,Program Data Nothing,User appdata local and temps nothing and user appdata roaming microsoft/windows/recent/empty nothing there either when I closed my browser poof Gone.The privacy is intact when used in that way.

 

That's the way I've always found it to be over the last x number of years too.It seems to be simply a case of file recovered to desktop= no longer sandboxed.

 

Won't really know anything until it gets posted over at SandboxIEs' forums...which hasn't happened still. I call user error still.

 

I've tried replicating this 'security breach' with zero success,so I'm going with a misunderstanding of the quick recovery proceedure.

 

Hi Pete,

Thanks, I see that now.

I wanted to show how the OP's link will put this to rest if he will post the target -- we will know where the file was located when he opened it.

----
rich

 

I saved the file using Sandboxie's own window. This shows a privacy breach contained in Sandbox as its website says NOTHING is written outside of the Sandbox whilst using Sandbox. But I have proven that is not the case, because using Sandbox OWN save window, writes data to outside the Sandbox and outside the save location. That is a breach of privacy that the author needs to address immediately. As I said, if it wasn't for ccleaner and me looking carefully what ccleaner cleaned, I would never have known that data was written outside the Sandbox and Desktop.

 

yes, but if a user is using Sandbox own save window, which by the way is showing me RED BORDER that it's sandboxed, then it should warn the user that there will be now writing to the HD outside the Sandbox AND saved destination.

 

Look now:

http://www.sandboxie.com/phpbb/viewtopic.php?p=32441#32441

 

Lol, the Feature Request forum? Put it in the Official 3.00 and later forum, that one is for problems. Kudos for deciding to post there though, let's see where this goes.

 

Try this:

http://www.sandboxie.com/phpbb/viewtopic.php?t=4911

 

Now you got it, let's see what comes of this.

 

@tonyseeking:
You clearly don't know what you are talking about. In one of your posts, you mentioned very clearly that you recovered the file to your desktop. That is, you moved the file physically out of the sandbox to your desktop. Doing so places the said file out of Sandboxie's protection. Windows then created a .lnk in the Recent folder since it became visible to the real system.

 

Well, he posted it in the sandboxie forum, so let's see what they say.

 

Well, according to here: http://sandboxie.com/phpbb/viewtopic.php?t=4911 , wraithdu seems to be saying what has been said here. If so, CCleaner should destroy this unwanted entry. I'll keep watching for more replies over there.

 

wraithdu (from Sandboxie's forum):
"It's Windows saving a recent file history. The OS does this for any and all apps/files run/opened on your computer. Sandboxie cannot prevent this since it is not being done by the sandboxed app. Do some searching, topics like this (ShellNoRoam, MuiCache, MRU entries, etc.) have been beaten to death."

EDIT: dw426 beat me to it.

 

Hehehe you are making me feel excited about it lol

 

But I saved the file to the Desktop using the Sandbox save window. So as a user, I assumed Sandbox would stop anything being written anywhere else on the HD, but it failed in doing so, and allowed data to be written into a place where it's not even known it's being written there.

 

That is a wrong statement, because it was indeed done by Sandboxie, as I used Sandboxie to save the file. Hence, Sandbox has allowed windows to take over and write to other locations OUTSIDE the sandbox and outside the Dekstop.

Hence, sandbox has failed to keep data within the sandbox.

What should have happened is the mpeg file saved to Desktop and every other bit of data saved INSIDE the Sandbox. But that is not what happened. So Sandbox failed!

 

Can you show us the Target in your link

C:\Users\Tony\AppData\Roaming\Microsoft\Windows\Recent\Horizon-14-Nighttime-2.mpeg.lnk

 

Either you're not understanding how Windows works or there's misinterpretation here. Listen, I KNOW you saved via Sandboxie, it asked you if you wanted to recover the mpeg, right? If so, it left the sandbox and Windows took the file over. The .ink file that is placed after the file leaves the sandbox is done by Windows alone, Sandboxie can't do anything about that. What you deem to be a leak (from the description I'm getting) is nothing more than Windows working like normal.

NOW, if you were finding history files, registry entries from programs tested inside the sandbox that were supposed to be deleted along with the sandbox, or something to that effect, THEN you're right, something is wrong. But what happens with files/entries OUTSIDE the sandbox, cannot be helped by Sandboxie. It's not a cleaning program, you need CCleaner to take care of outside leftovers.

Edit: From your newest post over at Sandboxie, this is exactly what happened. I'm wondering if you think the recovery button means that it will be recovered to the sandbox and not Windows? That's not true, it means whatever you ask to recover goes to the real hard drive. As far as that .ink file, that happens with ALL files you download, it's a normal operation of Windows.

I really hope you're starting to realize that you're alright, there's no breach, no privacy threat, it's just Windows being Windows. You've been come down on kind of hard here, especially by me, but I hope it's getting through to you now that you're perfectly fine.

 

Yes, you did save the file using Sandboxie's window. However, there's a difference between saving inside the sandbox and recovering the file. When you recover, you are permanently committing the file to the system (the real OS). Windows will automatically create that .lnk file as soon as it sees the file.

UPDATE:
tonyseeking, there's no denying that you made a mistake here identifying a normal Windows operation as a potential bug in Sandboxie. Just accept that fact, and everything should be okay. Further discussion about this topic won't really do any good, since we all know what really happened.

 

I don't follow this. Windows creates a .lnk file as soon as a document is opened.

So How is windows creating a .lnk file by just seeing a file after it is moved?

 

You don't have to open the file to create a .lnk (symbolic link). The process of creating it is automatically handled by Windows.