David Balaban

@david.w.balaban

How Browsers Help Us Lose Privacy (New Tricks)

Did you know that every file we download from the Internet with a browser’s help stores in its extended attributes (in the inode, not in the file itself) a full web link leading to where it was downloaded from? When I first found it, I was very excited and wanted to immediately rush to save the world. Later, having studied this issue a bit and read the “commits” and “comments”, I understood that this feature was introduced into the GNU/Linux kernel at least 10 years ago. It is used not only by browsers but also, for example, by the very popular Wget utility, and it is considered almost a norm in Linux and, as it turned out later, in macOS.

So, yes: for each file downloaded with any Chromium-compatible browser, this kind of information is written to the file’s extended attributes (hidden in the depths of the file system):

i@ars:~$ getfattr -d hackread-logo.png

# file: hackread-logo.png

user.xdg.origin.url="https://www.******.com/wp-content/uploads/2015/12/hackread-logo.png"

user.xdg.referrer.url="https://www.******.com/wp-content/uploads/2015/12/hackread-logo.png"

At the same time, all browsers honestly do not write anything if you download the file in incognito/private browsing mode.

As for Firefox and Pale Moon, these guys do not do this sort of thing. I did not check the whole bunch of programs for browsing the Internet, but I think that everything based on Chromium does it, and the rest most likely do not.

In macOS, this feature also works in Chrome and in Safari. I did not check it in FF, but I suppose that the beautifully-minded Firefox for macOS is also deprived of this “privilege”, as in Linux. The stated explanation is that the attribute records where the file was downloaded from, and thanks to its presence macOS can show users a warning about the danger. Hmm… Strange…

We are moving smoothly to Microsoft. Windows is definitely mediocre and spies for everyone with blatant cynicism. Windows, using NTFS, has a lot of hidden loopholes for writing anything into the extended attributes of files. They are called Streams. They say that viruses like to write something into these Streams hidden by the file system since all other programs rarely use them.

I cannot say anything definite about Windows as I have not used Windows for the last 10 years. When I first approached Win 10, I did not notice the fact that Google Chrome writes links into the extended NTFS attributes just like it does in Linux and macOS. At first glance it looks good, but it is also stated that the Streams have several layers and not all of them are directly accessible.

I ask you in advance to refrain from comments like: “So what, I have nothing to hide”. In general, we all, as a rule, have nothing to hide either.

Summarizing, I can say that in all three popular operating systems (Linux, macOS, and Windows) browsers, primarily Chrome and Chromium-based ones, write the path to the source of downloaded files, and they do it at the file system level.

In Linux, Google Chrome-based browsers write the full link to the original file location in the fields user.xdg.referrer.url and user.xdg.origin.url. This is done using a Linux kernel feature that appeared as early as 2002: extended file attributes, known under the general name xattr, which are available in almost all popular file systems: ext2, ext3, ext4, ReiserFS, XFS, ZFS, Btrfs. You can disable support for extended attributes with kernel options, but they are also used for containerization (attributes for namespaces) and SELinux.

These fields are used by some programs: for example, the Chrome, Chromium and Opera browsers mentioned above in the article, Firefox and the Wget console utility in some cases, and also, according to Wikipedia, curl, Dropbox, Beagle, OpenStack, Swift, KDE.

The latest version of Wget, 1.20, does not write anything (I have 1.19, and it does). Apparently, the developers periodically discuss whether or not to include such a feature in the next release.

In general, there are no restrictions on the creation and management of extended attribute fields in Linux. You can write any information you want to the extended attributes. At the kernel level, the limitations are 255 bytes for the name and up to 64KB for the field value.

The situation is similar in macOS and Windows with their file systems, HFS+ and NTFS. The only difference is that these attributes are named, hidden and shown differently.

In Ubuntu 18.10, you will not see them in the default Nautilus file manager until you install the attr package, which includes utilities for viewing and setting attr attributes (getfattr and setfattr, respectively).

On Mac computers, you can see them either in the Finder or using the built-in xattr.

In Windows, they say, only the flag of the hidden link in the file properties is visible.

There are many options, depending on the operating system, for preventing this information from being written or for deleting the links from files. For example, for Linux, I liked the simple idea of mounting another file system, one without the default attribute-writing flag, onto the folder where browser downloads are saved.

A good idea is disabling attributes at mount time in /etc/fstab: mount -o nouser_xattr

Another way is to remove the attributes after the fact:

Linux:

setfattr -hx user.xdg.origin.url file-name

setfattr -hx user.xdg.referrer.url file-name

MacOS:

xattr -c -r ~/Downloads

Windows:

Get-ChildItem "D:\Downloads\" | Unblock-File
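The Linux clean-up above, extended into an audit-then-strip script (an added example, not code from the original article): it walks a directory, reports every file carrying the two attributes shown in the getfattr output, and can remove just those two while leaving other extended attributes alone. It is Linux-only (Python's os.listxattr family); the ~/Downloads default and the --strip flag are assumptions of this example.

```python
import os
import sys

# Attribute names from the getfattr output shown earlier on this page.
ORIGIN_ATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def read_origin_attrs(path):
    """Return {attribute: url} for the download-origin xattrs set on path."""
    found = {}
    try:
        names = os.listxattr(path, follow_symlinks=False)
        for name in ORIGIN_ATTRS:
            if name in names:
                raw = os.getxattr(path, name, follow_symlinks=False)
                found[name] = raw.decode("utf-8", errors="replace")
    except OSError:
        pass  # no xattr support on this file system, or file vanished/unreadable
    return found


def audit_tree(root):
    """Walk root; map every file that carries origin xattrs to their values."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            attrs = read_origin_attrs(path)
            if attrs:
                report[path] = attrs
    return report


def strip_origin_attrs(path):
    """Remove only the origin xattrs from path; return the names removed."""
    removed = []
    for name in read_origin_attrs(path):
        os.removexattr(path, name, follow_symlinks=False)
        removed.append(name)
    return removed


if __name__ == "__main__":
    # Usage: script.py [DIR] [--strip]; DIR defaults to ~/Downloads (assumed).
    args = [a for a in sys.argv[1:] if a != "--strip"]
    root = args[0] if args else os.path.expanduser("~/Downloads")
    for path, attrs in audit_tree(root).items():
        for name, url in attrs.items():
            print(f"{path}\t{name}\t{url}")
        if "--strip" in sys.argv[1:]:
            strip_origin_attrs(path)
```

Run it without --strip first to see which files still carry a source URL before removing anything.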

The ability to add any fields to a file and fill them with values appeared quite a long time ago (in Linux, in 2002), but it began to be used to write the full path to the download source only quite recently, somewhere after 2015–2016. In Windows, this function was “brought” only in Windows XP.

I will repeat a simple thought: it is not strange that such a function exists; it is strange that it appeared quietly and everywhere. It seems to me that such questions must be controlled and decided by us, the users. Ordinary users who care about their privacy should use VPN services and always turn on the Incognito mode in their browsers.
