Monday, 17 September 2018

Chrome/Chromium is storing the URL and referrer of downloaded files in extended attributes

When I turned on extended attributes for an rsync command (-X option) I noticed that it proposed to copy attributes for a bunch of files it had not before. Most of those files appeared to be PDFs or zip files. So I wondered what those attributes were. Here is an example:

$ getfattr -d work/uC/asm7000.zip
# file: work/uC/asm7000.zip
user.xdg.origin.url="http://cd.textfiles.com/emspro1/ASMUTIL/ASM7000.ZIP"
user.xdg.referrer.url="http://cd.textfiles.com/emspro1/ASMUTIL/"


Oh! That's not good! The origin of this file is harmless, but what if it had been a file downloaded from a sensitive location, or the URL contained sensitive parameters? I may want to give the file to somebody without revealing the URL I got it from, which may contain side-channel information. You can imagine your own scenario.

I should add this is only an issue for you if you have enabled extended attributes on your filesystem and mounted with that option. Look for the option user_xattr in /etc/fstab lines. But maybe Android does enable extended attributes. That would be a big worry; your phone may be retaining information you didn't know about.

A search turned up this recent Debian bug report with no resolution. Also, these attributes are listed as in current use by freedesktop.org. And it looks like wget stores the URL too. Update 2019-03-18: I have been informed that wget from 1.20.1 has options to control storage of the attributes.

This really should be behaviour that can be turned off in Chrome/Chromium. Until then, I'm not backing up extended attributes for my own files. You should also screen extended attributes in files you transfer to other systems.
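One way to do that screening, as an added example that is not part of the original post: a Python script (Linux only, since it relies on os.listxattr) that walks a directory, reports the two attributes shown above and optionally removes them while leaving other attributes alone. The names origin_xattrs and screen_tree and the --strip flag are assumptions made for this example.

```python
import os
import sys

# The two attributes the post shows on a file downloaded with Chrome/Chromium.
ORIGIN_ATTRS = ("user.xdg.origin.url", "user.xdg.referrer.url")


def origin_xattrs(path):
    """Return {attribute: value} for the download-origin attributes on path."""
    found = {}
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:
        # No xattr support on this filesystem, or the file is unreadable.
        return found
    for name in names:
        if name in ORIGIN_ATTRS:
            try:
                raw = os.getxattr(path, name, follow_symlinks=False)
            except OSError:
                continue
            found[name] = raw.decode("utf-8", "replace")
    return found


def screen_tree(root, strip=False):
    """Walk root and return {path: {attribute: value}} for affected files.

    With strip=True the reported attributes are removed afterwards; a file
    you cannot modify makes os.removexattr raise OSError, which is not hidden.
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            attrs = origin_xattrs(path)
            if not attrs:
                continue
            report[path] = attrs
            if strip:
                for name in attrs:
                    os.removexattr(path, name, follow_symlinks=False)
    return report


if __name__ == "__main__":
    # Usage: screen_xattrs.py [DIR] [--strip]
    args = [a for a in sys.argv[1:] if a != "--strip"]
    result = screen_tree(args[0] if args else ".", strip="--strip" in sys.argv)
    for path, attrs in result.items():
        for name, value in attrs.items():
            print(f"{path}\t{name}\t{value}")
```

Run it without --strip first to see what a directory would reveal before you copy or archive it.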

It does have one use though. If you forgot where you got a file from, you can recover the URL.

Addendum: Here are some situations on Linux showing whether the extended attributes will be transferred and potentially revealed to others.
  • Email as attachment: Extended attributes are not included. But see archive files further on.
  • Zip archive: Extended attributes are not captured.
  • Tar archive: Extended attributes could be copied, depending on command line options and the compiled default. It seems to be not on by default on my system (openSUSE).
  • Transfer on DOS or Windows filesystem, e.g. flash storage: As far as I can tell these extended attributes are not stored on FAT or NTFS.
  • Transfer on CD/DVD: ISO9660 can store extended attributes but mkisofs doesn't seem to store these despite mention of GETXATTR and SETXATTR error message suppression. I haven't found information on UDF regarding extended attributes yet.
  • Transfer on external storage with Linux filesystem: This depends on whether the filesystem has user_xattr enabled and it is mounted with this enabled, and the copy command transfers it. cp -p doesn't but cp -a does. rsync without -X doesn't.
  • Uploaded to the cloud: This would depend on the client doing the upload. Also see here.
More testing is required. Send additions and corrections by commenting on this blog post.
