Firefox and Chrome Private Browsing Not So Private


Recently, Chad Tilbury posted a blog article on Flash Cookie Forensics. If you didn’t already know, Adobe Flash stores cookies (actually called LSOs) on your computer that act more or less like regular HTTP cookies, except they never expire. This got me thinking about the built-in private browsing settings found in the current versions of Firefox (3.5.2) and Chrome (2.0). Both of these browsers have an easy-to-use private browsing setting that blocks histories, HTTP cookies, form data, etc. In Firefox, private browsing is called “Private Browsing”, and Chrome has “Incognito” mode. After reading this article, I began wondering just how private Firefox’s and Chrome’s privacy settings were when it comes to Flash cookies. A couple of simple tests showed me that there isn’t much privacy at all.

The tests were simple: locate the storage of Flash cookies (as demonstrated in Chad Tilbury’s article), and see if cookies are being saved while browsing in Firefox’s Private Browsing mode, and in Google Chrome’s Incognito mode. Here is a screenshot of the Flash cookies stored on my computer before I began internet surfing in Firefox:

Firefox Private Browsing Before Surfing the Net

And here is a screenshot of the stored Flash cookies after I surfed to hulu.com in Firefox Private Browsing mode:

Firefox Private Browsing after Surfing to Hulu

As you can see, even when using Firefox Private Browsing, Flash cookies are saved to the computer. Let’s see how well Google Chrome’s Incognito mode does. Here is a before screenshot, with Chrome cracked open in Incognito mode and ready to surf:

Google Chrome in Incognito Before Surfing

After surfing to hulu.com in Chrome Incognito, the Flash cookie was clearly stored on my computer:

Google Chrome Incognito after Surfing to Hulu
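The before/after comparison shown in the screenshots can be scripted, which is handy when repeating the test across browsers or plug-in versions. This is an added example, not code from the original post; the storage paths are the commonly documented Flash Player locations (this post does not list them), and the file names in `demo()` are constructed.

```python
import os
import tempfile
from pathlib import Path

# Well-known Flash Player LSO locations (Windows, Linux, macOS); not from the post.
DEFAULT_ROOTS = [
    Path(os.environ.get("APPDATA", "")) / "Macromedia/Flash Player/#SharedObjects",
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",
]

def snapshot(root):
    """Map each .sol file under root (relative path) to (size, mtime_ns)."""
    root = Path(root)
    if not root.is_dir():
        return {}
    return {p.relative_to(root).as_posix(): (p.stat().st_size, p.stat().st_mtime_ns)
            for p in root.rglob("*.sol") if p.is_file()}

def diff(before, after):
    """Return LSOs created, modified and deleted between two snapshots."""
    return {
        "created": sorted(after.keys() - before.keys()),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
        "deleted": sorted(before.keys() - after.keys()),
    }

def demo():
    """Constructed run: a temp directory stands in for #SharedObjects."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        def write(rel):  # create a constructed placeholder file, not a real LSO
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"constructed sample, not a real LSO")
        write("ABCD1234/example.test/settings.sol")   # present before the session
        before = snapshot(root)
        write("ABCD1234/hulu.com/player.sol")         # appears during the session
        return diff(before, snapshot(root))

if __name__ == "__main__":
    root = next((r for r in DEFAULT_ROOTS if r.is_dir()), None)
    if root is None:
        print(demo())  # no Flash storage on this host: show the constructed run
    else:
        before = snapshot(root)
        input("Browse in private mode, then press Enter...")
        print(diff(before, snapshot(root)))
```

Any entry under `created` or `modified` after a private-mode session is an LSO that was written to disk despite the browser's privacy setting.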

The problem really shouldn’t be a surprise based on how Flash cookies work, and I am not reporting anything new. It might not really be the browsers’ fault. Flash cookies aren’t handled by Chrome or Firefox, and thus the browser has no way to block them (as far as I understand it). Still, the private browsing features in Chrome and Firefox give a completely false sense of privacy and security. One might make the argument that both browsers should be able to build in protection against Flash cookies. As Chad mentions in his article, Firefox has an add-on called BetterPrivacy that can manage Flash cookies, and NoScript blocks Flash completely, so if an add-on can do it, why can’t it be built into the browser? By the way, as far as I can tell, there isn’t a similar add-on for Chrome.

(This article is dedicated to my friend, John.)

Update: For a follow-up on how to block Flash cookies, and a better implementation of Flash called Gnash, see my article Blocking Flash Cookies (and Improved Security with Gnash).

5 Responses

  1. [...] A couple of months ago, I wrote about some simple tests that showed the lack of privacy in Chrome’s Incognito mode, and Firefox’s Private Browsi…. Both browsers boast a privacy setting that will not save any of your surfing activity on your [...]

  2. Hi,

    Adobe Flash Player 10.1, currently in beta on Adobe Labs (labs.adobe.com/technologies/flashplayer10), now supports private browsing mode. For more information, see http://www.adobe.com/devnet/flashplayer/articles/privacy_mode_fp10.1.html

    Regards,
    Emmy Huang
    Group Product Manager, Adobe Flash Player
    blogs.adobe.com/emmy

  3. There is obviously a lot to learn. There are some good points here.

    -Robert Shumake

  4. Thanks for that update, Emmy.

  5. If you think that’s bad, wait till you find the sqlite folders on your machine that house all kinds of private data, compliments of Firefox and Google! Just, for starters, do a search on your hard drive for places.sqlite. Even if you clean up these tracks with a cleaner like CCleaner, Firefox will recreate the sqlite folders–and in many cases will repopulate them with content you thought you had removed! Very disturbing, especially when the browsers CLAIM that you are browsing in PRIVATE MODE! Even if you tell your Mozilla based browser to NOT save any History or Bookmarks or Cookies, your machine is doing all this databasing behind your back–and to what end? WHO will read those databased files?
