[tor-bugs] #9220 [Tor]: Tor accessing LSOs

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jul 7 17:09:59 UTC 2013

#9220: Tor accessing LSOs
 Reporter:  cypherpunks  |          Owner:                               
     Type:  defect       |         Status:  new                          
 Priority:  major        |      Milestone:  TorBrowserBundle 2.3.x-stable
Component:  Tor          |        Version:  Tor:                
 Keywords:               |         Parent:                               
   Points:               |   Actualpoints:                               
 This may have been an isolated incidence, and I have not experienced it
 since July 3, but Colin C. at Tor help has suggested that I submit a
 ticket for this security breach.

 I have the latest full release Tor Browser Bundle installed for my Mac
 (2.3.25-10). After 'verifying' on July 3 that Tor was in use via
 https://check.torproject.org, I linked to the following, which raised
 alarm bells for me:

 Within Tor, the link opened a page with my e-mail address already in place
 for an action alert message that I was intending to send (but never did).

 My immediate response was to right-click the page and go to View Page info
 > Security > View Cookies > Remove All Cookies within Tor Browser/Firefox
 ESR 17.0.7. The problem of the embedded email address persisted on my next
 attempt to access the link within Tor despite having removed cookies this
 way and initiating a new identity via Vidalia.

 Later the same day, I discovered that LSOs had appeared out of nowhere on
 my computer sometime relatively recently, indeed just before the Tor use
 attempt I have described, above. (I check for LSOs daily.) Record of these
 LSOs was accessible via my Safari browser, showing up as such things as
 "Apple local storage" and "Local storage on your computer" (as well as a
 few others, including, I believe, salsalabs.com, which would have been
 generated within Safari via my linking to
 http://salsa3.salsalabs.com/dia/track.jsp + identifying code). And it was
 via my Safari browser that I was able to delete all the LSOs.

 After I deleted all the LSOs and repeated the link via Tor (with new
 identity and after deleting Firefox cookies, of course), the embedded
 email info. was blessedly absent.

 My burning question is, why would Tor be accessing LSOs?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9220>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list