"Reset Safari" doesn't really clean all the cookies of Safari web browser
http://eldar.cz/kangaroo/binarni-sxizofrenie/apple-safari-cookies-clean.html bye, k. ----- "Reset Safari" doesn't really clean all the cookies of Safari web browser ========================================================================= "Caches - This folder has the potential to be a gold mine of historical data for the examiner. The contents include information of application usage, web sites visited, buddy lists, downloaded files, etc. The best general advice that can be given regarding this directory is explore. Look in the folders here and see how the information may apply to your specific case. Keep in mind that many folders here will remain even after an application has been removed from the system" --Ryan R. Kubasiak, Investgator - New York State Police: Macintosh Forensics // http://www.appleexaminer.com/Downloads/MacForensics.pdf Apple Safari web browser version 5 and higher started to have a new "privacy option" in a main menu, "Reset Safari". It's supposed to clean all the private data saved by the browser. Instead of that it's giving the user a false sense of privacy, because many other files survive on the computer's hard drive. Let's see, how precise is Safari when cleaning cookies Reset Safari... --> Remove all cookies. Done. But something resides in ~/Library/Safari/LocalStorage still: cd ~/Library/Safari/LocalStorage ls http_www.youtube.com_0.localstorage https_www.facebook.com_0.localstorage ... [and hunderds of others] whats inside? sqlite3 http_www.youtube.com_0.localstorage .dump BEGIN TRANSACTION; CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL); INSERT INTO "ItemTable" VALUES('yt-remote-device-id','{"data":"ef1e670e-d0ff-4ac2-a4ec-ea7b1f91b6f4","expiration":1396358291019,"creation":1364822291019}'); INSERT INTO "ItemTable" VALUES('cu-done','{"data":"true","expiration":1384738700399,"creation":1382060300400}'); INSERT INTO "ItemTable" VALUES('aid::oa39bdt6ZKAF5L3hdJEbOw','{"data":{"channel":"oa39bdt6ZKAF5L3hdJEbOw","aid":"P-kM2wl4AcM","origin":"AD_VIEW"},"expiration":1383696461512,"creation":1383091661512}'); INSERT INTO "ItemTable" VALUES('aid::6E_87l8TH6Q9OwX2N1ikZA','{"data":{"channel":"6E_87l8TH6Q9OwX2N1ikZA","aid":"P6Q1Jmt-VRA","origin":"AD_VIEW"},"expiration":1383698806856,"creation":1383094006856}'); INSERT INTO "ItemTable" VALUES('aid::bounded-collectable-storage','{"data":["fehakku7t4FXozPO-UPNwQ","P7o4B-EdYBRetrs-74SvkQ","SVYixA33WdNBOX_Huv89cQ","oa39bdt6ZKAF5L3hdJEbOw","6E_87l8TH6Q9OwX2N1ikZA","MAKFkooFBHOZnbF5zim-vA"],"creation":1383097633307}'); INSERT INTO "ItemTable" VALUES('history_channel_::MAKFkooFBHOZnbF5zim-vA','{"data":"20131030:a","expiration":1383702433304,"creation":1383097633304}'); INSERT INTO "ItemTable" VALUES('aid::MAKFkooFBHOZnbF5zim-vA','{"data":{"channel":"MAKFkooFBHOZnbF5zim-vA","aid":"P9jo8l6hThA","origin":"AD_VIEW"},"expiration":1383702433307,"creation":1383097633307}'); INSERT INTO "ItemTable" VALUES('history_channel_::bounded-collectable-storage','{"data":["SVYixA33WdNBOX_Huv89cQ","Ro_cfj3eVyJFMfzLAcVUOQ","MAKFkooFBHOZnbF5zim-vA"],"creation":1383097633305}'); INSERT INTO "ItemTable" VALUES('context-PSAOXkf0-oU','{"data":"{\"clickindex\":0,\"items\":[{\"type\":\"video\",\"id\":\"PSAOXkf0-oU\",\"time\":\"1:39\",\"title\":\"\\\"The Hobbit\\\" Couch Gag from \\\"4 Regrettings and A Funeral\\\" | THE SIMPSONS | ANIMATION on FOX\",\"user\":\"Animation Domination\",\"views\":\"5,283,212 views\"},{\"type\":\"video\",\"id\":\"nIsCs9_-LP8\",\"time\":\"2:13\",\"title\":\"Emotional baby! Too cute!\",\"user\":\"Alain Leroux\",\"views\":\"20,588,479 views\"},{\"type\":\"video\",\"id\":\"Ts-DW4_aSYI\",\"time\":\"1:53\",\"title\":\"Browse the web with elinks\",\"user\":\"JWAGVideo\",\"views\":\"2,277 etc.... Another place where unknown content resides is Adobe Flash's LSO cookie cache, located at: ~/Library/Caches/Adobe/Flash Player/ // https://en.wikipedia.org/wiki/Local_shared_object The most interesting is this file: ~/Library/Caches/Metadata/Safari/History/.tracked\ filenames.plist Suspicious is especially the fact, the file is hidden (starting with a dot) and saved in 'History folder', bypassing probably "Clean Cookies.." function. Some users have met this under unknown conditions. The puropose of this file is still not well known. // http://hintsforums.macworld.com/showthread.php?t=144954 If you get it, analyze! solution: setup shell script (example): #/bin/sh echo "cleaning out safari's shit..."; # initial curiousity. # if ls "~/Library/Caches/Metadata/Safari/History/.tracked\ filenames.plist"; then echo "HOOOOORRAAAY! You won a jackpot!" read -p "Press [Enter] key to delete all, [CTRL+C] to examine..." fi # using tool srm from ports instead of rm, to wipe the files in more safe # way # if you don't have srm, use rm, but be aware that the files could be # recovered # flash is keeping it's own LSO cookies, independently srm -rsv "~/Library/Caches/Adobe/Flash Player/" # cache contains Webpage previews, for example screenshots of your webmail # account you just logged out from srm -rsv "~/Library/Caches/com.apple.Safari/" # clean them all, god will sort them out # maybe you will need a more gentle setting, i'm just rough and don't need # Safari's bookmarks srm -rsv "~/Library/Safari/" # depending on the version, you also have to wipe out this folder # for sure # explore by yourself and check for opened (using 'lsof' tool) http://hintsforums.macworld.com/showthread.php?t=144954and changed files srm -rsv "~/Library/Caches/Metadata/Safari/" # official place where cookies are stored in srm -rsv "~/Library/Cookies/" # quicktime is during the Internet usage also storing some "caches" srm -rsv "~/Library/Caches/QuickTime/downloads/" # to get another false security feeling echo "...clean!"; # go through cache files of your favourite application as well. # skype is also storing quite a lot you can run this script on regular basis by cron or by hand after finishing the work and leaving the computer for example, or on logout etc.... Safer with Safari Application quit. It's like cleaning the hands. You wash them after touching something rotten. And you clean them before touching something clean. EOF Comments requested
Dnia czwartek, 9 stycznia 2014 18:25:22 Klokanek pisze:
http://eldar.cz/kangaroo/binarni-sxizofrenie/apple-safari-cookies-clean.html
I think that's actually the case with all the browsers. Consider: http://en.wikipedia.org/wiki/Evercookie We need to create a way to easily delete everything related to a given website, or simply everything -- be it LocalStorage, Flash cookies and whatnot. -- Pozdr rysiek
Use a virtual machine then roll back after each session. -- Lance Cottrell Sent from my iPad
On Jan 9, 2014, at 11:38 AM, rysiek <rysiek@hackerspace.pl> wrote:
Dnia czwartek, 9 stycznia 2014 18:25:22 Klokanek pisze:
http://eldar.cz/kangaroo/binarni-sxizofrenie/apple-safari-cookies-clean.html
I think that's actually the case with all the browsers. Consider: http://en.wikipedia.org/wiki/Evercookie
We need to create a way to easily delete everything related to a given website, or simply everything -- be it LocalStorage, Flash cookies and whatnot.
-- Pozdr rysiek
Thu, Jan 09, 2014 at 08:38:50PM +0100, rysiek pise:
Dnia czwartek, 9 stycznia 2014 18:25:22 Klokanek pisze:
http://eldar.cz/kangaroo/binarni-sxizofrenie/apple-safari-cookies-clean.html
I think that's actually the case with all the browsers. Consider: http://en.wikipedia.org/wiki/Evercookie
True.
We need to create a way to easily delete everything related to a given website, or simply everything -- be it LocalStorage, Flash cookies and whatnot.
My script delete simply everything. Advancing welcomed. Much more interesting seems to be the file: ~/Library/Caches/Metadata/Safari/History/.tracked\ filenames.plist No satisfactory description found and seems to resists "History clean" as well... Unable to simulate the conditions to get the file again. Did anyone?
Does the script address Flash object storage and other active content data stores? Browser fingerprint is also an issue. -Lance -- Lance Cottrell loki@obscura.com On Jan 10, 2014, at 6:36 AM, Klokanek <klokanek@eldar.cz> wrote:
Thu, Jan 09, 2014 at 08:38:50PM +0100, rysiek pise:
Dnia czwartek, 9 stycznia 2014 18:25:22 Klokanek pisze:
http://eldar.cz/kangaroo/binarni-sxizofrenie/apple-safari-cookies-clean.html
I think that's actually the case with all the browsers. Consider: http://en.wikipedia.org/wiki/Evercookie
True.
We need to create a way to easily delete everything related to a given website, or simply everything -- be it LocalStorage, Flash cookies and whatnot.
My script delete simply everything. Advancing welcomed.
Much more interesting seems to be the file: ~/Library/Caches/Metadata/Safari/History/.tracked\ filenames.plist No satisfactory description found and seems to resists "History clean" as well... Unable to simulate the conditions to get the file again. Did anyone?
participants (3)
-
Klokanek
-
Lance Cottrell
-
rysiek