[tor-bugs] #13398 [Tor Browser]: at startup, browser gleans user FULL NAME (real name, given name) from O/S

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 13 15:05:59 UTC 2014 

#13398: at startup, browser gleans user FULL NAME (real name, given name) from O/S
-------------------------+--------------------------
 Reporter:  zinc         |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+--------------------------
 (Reporting against Tor Browser 3.6.6, but this is a longstanding issue
 which affects all versions of the browser.)

 At each startup, code within nsUserInfoWin.cpp
 (see also: nsUserInfoUnix.cpp, nsUserInfoOS2.cpp, nsUserInfoMac.mm)
 scrapes user's FULL NAME (real name, given name) from the operating system
 and retains this in memory, stored to a constant, throughout the browser
 session.

 Additionally, the browser scrapes user's windows login username (and
 windows domain) along with his/her email address (if present, filled in
 within user's windows user account details). These personal details are
 similarly stored by the browser throughout the life of each browsing
 session.

 This privacy-infringing behavior is unconditional ~~ no user_pref is
 available to prevent it.

 In researching "How dare they?!?" I gathered that this behavior exists
 because Firefox shares a codebase with Thunderbird, and back in the day
 someone thought it would be "kewl" for a Thunderbird user to find that the
 system magically knows his/her details when setting up a new TB account...

 If challenged to prove/demonstrate where these details are ever "leaked"
 by the browser, I cannot. However, these personal details are accessible
 to any extension (or out-of-band Mozilla update) and therefore are subject
 to exfiltration.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13398>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list