[tbb-bugs] #13398 [Tor Browser]: at startup, browser gleans user FULL NAME (real name, given name) from O/S

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 13 15:05:59 UTC 2014

#13398: at startup, browser gleans user FULL NAME (real name, given name) from O/S
 Reporter:  zinc         |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 (Reporting against Tor Browser 3.6.6, but this is a longstanding issue
 which affects all versions of the browser.)

 At each startup, code within nsUserInfoWin.cpp
 (see also: nsUserInfoUnix.cpp, nsUserInfoOS2.cpp, nsUserInfoMac.mm)
 scrapes user's FULL NAME (real name, given name) from the operating system
 and retains this in memory, stored to a constant, throughout the browser

 Additionally, the browser scrapes user's Windows login username (and
 Windows domain) along with his/her email address (if present, filled in
 within user's Windows user account details). These personal details are
 similarly stored by the browser throughout the life of each browsing

 This privacy-infringing behavior is unconditional ~~ no user_pref is
 available to prevent it.

 In researching "How dare they?!?" I gathered that this behavior exists
 because Firefox shares a codebase with Thunderbird, and back in the day
 someone thought it would be "kewl" for a Thunderbird user to find that the
 system magically knows his/her details when setting up a new TB account...

 If challenged to prove/demonstrate where these details are ever "leaked"
 by the browser, I cannot. However, these personal details are accessible
 to any extension (or out-of-band Mozilla update) and therefore are subject
 to exfiltration.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13398>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
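
An added example, not part of the ticket and not Mozilla's code: on Unix-like systems the full name that any process running as the user can read is the GECOS field of the passwd entry. The sketch assumes that this is the source the Unix variant named in the ticket (nsUserInfoUnix.cpp) would consult; the helper name `gecos_fullname` is hypothetical. It lets a user check what their account exposes before launching the browser.

```c
/* Added example: show the full name any process running as this user can
 * read from the passwd database (GECOS field). Assumption: this is the
 * Unix source of the "full name" the ticket describes. */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: extract the name part of a GECOS string.
 * Conventional layout is "Full Name,room,work phone,home phone";
 * a '&' in the name stands for the capitalized login name.
 * Returns 0 on success, -1 if the result does not fit in out. */
int gecos_fullname(const char *gecos, const char *login, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    if (gecos == NULL) gecos = "";
    for (const char *p = gecos; *p && *p != ','; p++) {
        if (*p == '&') {                      /* expand to capitalized login */
            size_t l = strlen(login);
            if (n + l >= outlen) return -1;
            memcpy(out + n, login, l);
            if (l > 0) out[n] = (char)toupper((unsigned char)out[n]);
            n += l;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(geteuid());
    char name[256];
    if (pw == NULL) { fprintf(stderr, "no passwd entry for this uid\n"); return 1; }
    if (gecos_fullname(pw->pw_gecos, pw->pw_name, name, sizeof name) != 0) {
        fprintf(stderr, "GECOS name too long\n");
        return 1;
    }
    printf("login name: %s\n", pw->pw_name);
    printf("full name : %s\n", name[0] ? name : "(empty: nothing to expose)");
    return 0;
}
```

An empty result means the account has no full name set; on most Linux systems `chfn` edits this field.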
