"Reset Safari" doesn't really clean all the cookies of Safari web browser

Klokanek klokanek@eldar.cz
Thu Jan 9 09:25:22 PST 2014


http://eldar.cz/kangaroo/binarni-sxizofrenie/apple-safari-cookies-clean.html
bye,
k.

-----

"Reset Safari" doesn't really clean all the cookies of Safari web browser
=========================================================================


"Caches - This folder has the potential to be a gold mine of historical
data for the examiner.  The contents include information of application
usage, web sites visited, buddy lists, downloaded files, etc.  The best
general advice that can be given regarding this directory is explore.  Look
in the folders here and see how the information may apply to your specific
case.  Keep in mind that many folders here will remain even after an
application has been removed from the system"
--Ryan R. Kubasiak, Investgator - New York State Police: Macintosh Forensics
// http://www.appleexaminer.com/Downloads/MacForensics.pdf


Apple Safari web browser version 5 and higher started to have a new "privacy
option" in a main menu, "Reset Safari".  It's supposed to clean all the
private data saved by the browser.  Instead of that it's giving the user a
false sense of privacy, because many other files survive on the computer's
hard drive.


Let's see, how precise is Safari when cleaning cookies 


Reset Safari... --> Remove all cookies. 
Done.

But something resides in ~/Library/Safari/LocalStorage still:

cd ~/Library/Safari/LocalStorage
ls 

http_www.youtube.com_0.localstorage
https_www.facebook.com_0.localstorage
...

[and hunderds of others]

whats inside? 

sqlite3 http_www.youtube.com_0.localstorage .dump

BEGIN TRANSACTION;
CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT
NULL ON CONFLICT FAIL);
INSERT INTO "ItemTable"
VALUES('yt-remote-device-id','{"data":"ef1e670e-d0ff-4ac2-a4ec-ea7b1f91b6f4","expiration":1396358291019,"creation":1364822291019}');
INSERT INTO "ItemTable"
VALUES('cu-done','{"data":"true","expiration":1384738700399,"creation":1382060300400}');
INSERT INTO "ItemTable"
VALUES('aid::oa39bdt6ZKAF5L3hdJEbOw','{"data":{"channel":"oa39bdt6ZKAF5L3hdJEbOw","aid":"P-kM2wl4AcM","origin":"AD_VIEW"},"expiration":1383696461512,"creation":1383091661512}');
INSERT INTO "ItemTable"
VALUES('aid::6E_87l8TH6Q9OwX2N1ikZA','{"data":{"channel":"6E_87l8TH6Q9OwX2N1ikZA","aid":"P6Q1Jmt-VRA","origin":"AD_VIEW"},"expiration":1383698806856,"creation":1383094006856}');
INSERT INTO "ItemTable"
VALUES('aid::bounded-collectable-storage','{"data":["fehakku7t4FXozPO-UPNwQ","P7o4B-EdYBRetrs-74SvkQ","SVYixA33WdNBOX_Huv89cQ","oa39bdt6ZKAF5L3hdJEbOw","6E_87l8TH6Q9OwX2N1ikZA","MAKFkooFBHOZnbF5zim-vA"],"creation":1383097633307}');
INSERT INTO "ItemTable"
VALUES('history_channel_::MAKFkooFBHOZnbF5zim-vA','{"data":"20131030:a","expiration":1383702433304,"creation":1383097633304}');
INSERT INTO "ItemTable"
VALUES('aid::MAKFkooFBHOZnbF5zim-vA','{"data":{"channel":"MAKFkooFBHOZnbF5zim-vA","aid":"P9jo8l6hThA","origin":"AD_VIEW"},"expiration":1383702433307,"creation":1383097633307}');
INSERT INTO "ItemTable"
VALUES('history_channel_::bounded-collectable-storage','{"data":["SVYixA33WdNBOX_Huv89cQ","Ro_cfj3eVyJFMfzLAcVUOQ","MAKFkooFBHOZnbF5zim-vA"],"creation":1383097633305}');
INSERT INTO "ItemTable"
VALUES('context-PSAOXkf0-oU','{"data":"{\"clickindex\":0,\"items\":[{\"type\":\"video\",\"id\":\"PSAOXkf0-oU\",\"time\":\"1:39\",\"title\":\"\\\"The
Hobbit\\\" Couch Gag from \\\"4 Regrettings and A Funeral\\\" | THE SIMPSONS | ANIMATION on FOX\",\"user\":\"Animation Domination\",\"views\":\"5,283,212
views\"},{\"type\":\"video\",\"id\":\"nIsCs9_-LP8\",\"time\":\"2:13\",\"title\":\"Emotional
baby! Too cute!\",\"user\":\"Alain Leroux\",\"views\":\"20,588,479
views\"},{\"type\":\"video\",\"id\":\"Ts-DW4_aSYI\",\"time\":\"1:53\",\"title\":\"Browse
the web with elinks\",\"user\":\"JWAGVideo\",\"views\":\"2,277



etc....

Another place where unknown content resides is Adobe Flash's LSO cookie
cache, located at: 

~/Library/Caches/Adobe/Flash Player/

// https://en.wikipedia.org/wiki/Local_shared_object


The most interesting is this file:
~/Library/Caches/Metadata/Safari/History/.tracked\ filenames.plist

Suspicious is especially the fact, the file is hidden (starting with a dot)
and saved in 'History folder', bypassing probably "Clean Cookies.."
function.
Some users have met this under unknown conditions. 
The puropose of this file is still not well known. 
// http://hintsforums.macworld.com/showthread.php?t=144954
If you get it, analyze!


solution:


setup shell script (example):

#/bin/sh
echo "cleaning out safari's shit...";


# initial curiousity. 
#
if ls "~/Library/Caches/Metadata/Safari/History/.tracked\ filenames.plist";
then
    echo "HOOOOORRAAAY! You won a jackpot!"
    read -p "Press [Enter] key to delete all, [CTRL+C] to examine..."
fi



# using tool srm from ports instead of rm, to wipe the files in more safe
# way 
# if you don't have srm, use rm, but be aware that the files could be
# recovered

# flash is keeping it's own LSO cookies, independently
srm -rsv "~/Library/Caches/Adobe/Flash Player/"

# cache contains Webpage previews, for example screenshots of your webmail
# account you just logged out from
srm -rsv "~/Library/Caches/com.apple.Safari/"

# clean them all, god will sort them out
# maybe you will need a more gentle setting, i'm just rough and don't need
# Safari's bookmarks
srm -rsv "~/Library/Safari/"

# depending on the version, you also have to wipe out this folder
# for sure
# explore by yourself and check for opened (using 'lsof' tool)  
http://hintsforums.macworld.com/showthread.php?t=144954and changed files 
srm -rsv "~/Library/Caches/Metadata/Safari/"


# official place where cookies are stored in
srm -rsv "~/Library/Cookies/"

# quicktime is during the Internet usage also storing some "caches"
srm -rsv "~/Library/Caches/QuickTime/downloads/"

# to get another false security feeling
echo "...clean!";


# go through cache files of your favourite application as well.
# skype is also storing quite a lot 


you can run this script on regular basis by cron or by hand after finishing
the work and leaving the computer for example, or on logout etc.... Safer
with Safari Application quit.

It's like cleaning the hands. You wash them after touching something rotten. 
And you clean them before touching something clean. 




EOF
Comments requested





More information about the cypherpunks mailing list