[tbb-bugs] #22867 [Applications/Tor Browser]: us-u.openx.net URL saved in the Tor Browser places.sqlite database as part of the browsing history

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jul 10 09:49:20 UTC 2017 

#22867: us-u.openx.net URL saved in the Tor Browser places.sqlite database as part
of the browsing history
------------------------------------------+----------------------
     Reporter:  cypherpunks               |      Owner:  tbb-team
         Type:  defect                    |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+----------------------
 The situation that I am describing may or may not be due to an error in
 the Tor Browser software ("defect" may not be the best category), but it
 seems somewhat anomalous and may be worth noting and may be of interest to
 others.

 In summary, from what I can tell, an instance of the URL
 https://us-u.openx.net/w/1.0/pd?plm=10&ph=e26121be-304d-460c-
 92c5-0b3d1d4c9b7a (which may well have been embedded in a different page)
 ended up in Tor Browser's [http://kb.mozillazine.org/Places.sqlite
 places.sqlite database] as if it was saved as part of the user's browsing
 history. This on-disk database is used to store such information as
 bookmarks, browsing history, favicons, and annotations, among other
 things. At the same time, from what I understand, Tor Browser is
 preconfigured to not save any browsing history to the disk, and I do not
 remember reconfiguring Tor Browser with the purpose of changing this
 aspect.

 The software configuration in question was a recent version of the Tor
 Browser Bundle (most likely 7.0.2) 32-bit running under Xubuntu Linux
 16.04. I do not remember installing any additional extensions into Tor
 Browser.

 When entering text in the address bar, Tor Browser displayed a list of
 suggestions underneath the address bar. This would be expected. In
 addition to pages that had been bookmarked, however, the list of
 suggestions also included the URL
 https://us-u.openx.net/w/1.0/pd?plm=10&ph=e26121be-304d-460c-
 92c5-0b3d1d4c9b7a. This URL was not among the pages that I had bookmarked
 in the browser. In addition, from what I remember, the inclusion of the
 openx.net URL in the suggestions list happened when text was entered into
 the address bar immediately after Tor Browser had been launched.

 From [https://developer.mozilla.org/en-
 US/docs/Mozilla/Tech/Places/Database information elsewhere], there is an
 SQLite database in a file, '''places.sqlite''', that is used by Tor
 Browser (and Mozilla Firefox) for storing information relating to
 bookmarked sites and browsing history. In the case of the Tor Browser
 Bundle under Xubuntu Linux, the location of this file is `tor-browser_en-
 US/Browser/TorBrowser/Data/Browser/profile.default/places.sqlite`,
 assuming the default root directory `tor-browser_en-US`.

 With the command-line sqlite3 software, I examined the contents of the
 places.sqlite file. For the moz_places table, there were a number of
 entries, including sites that had been bookmarked but also an entry for
 the openx.net URL that had shown up in the suggestions list.

 {{{
 sqlite> select
 id,url,title,rev_host,visit_count,hidden,typed,frecency,datetime((moz_places.last_visit_date/1000000),
 'unixepoch') from moz_places where url like "%openx.net%";
 8|https://us-u.openx.net/w/1.0/pd?plm=10&ph=e26121be-304d-460c-
 92c5-0b3d1d4c9b7a||ten.xnepo.u-su.|1|1|0|-1|2017-06-27 21:59:47
 }}}

 According to the [https://digital-
 forensics.sans.org/blog/2009/07/15/firefox-3-history schema for the
 moz_places table] and the results of the above query, the primary key
 index (`id`) for the openx.net URL is 8. The `hidden` field has a value of
 1, indicating that the URL was one that was not navigated to directly by
 the user (i.e. the URL was for content that was embedded in a page) and
 the `typed` field has a value of 0, indicating that the URL was not typed
 directly into the location bar.

 In the moz_bookmarks table, which holds information about bookmarked
 pages, there is (as expected) no entry for the openx.net URL:

 {{{
 sqlite> select * from moz_bookmarks where fk is 8;
 sqlite>
 }}}

 According to [https://www.forensicmag.com/article/2013/04/mozilla-firefox-
 forensics-part-4 this page], the `fk` column in the moz_bookmarks table
 holds the primary key index for the moz_places entry that was bookmarked.

 The moz_inputhistory table does not appear to contain any entries:

 {{{
 sqlite> select * from moz_inputhistory;
 sqlite>
 }}}

 Notably, the moz_historyvists table does contain a single entry. This
 entry corresponds to the openx.net URL.

 {{{
 sqlite> select id, from_visit, place_id,
 datetime((moz_historyvisits.visit_date/1000000), 'unixepoch'), visit_type
 from moz_historyvisits;
 1|0|8|2017-06-27 21:59:47|5
 }}}

 In the results of the query, the `place_id` column has the value 8, which
 corresponds to the primary key index for the openx.net URL. The
 `visit_type` field has a value of 5, which indicates a permanent redirect,
 according to
 [https://davidkoepi.wordpress.com/2010/11/27/firefoxforensics/ this page].

 As far as whether the openx.net URL has appeared elsewhere, a Web search
 led to this [https://webcookies.org/cookies/kulr8.com/4013627 "Cookie and
 Security Scan Report" for kurl8.com]. In the report, there is mention of a
 similar URL, http://us-u.openx.net/w/1.0/pd?plm=10&ph=e26121be-304d-460c-
 92c5-0b3d1d4c9b7a&bi=1e76f9dc-b164-49ba-aef9-3f1a93d491e5.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22867>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list