Safari 4’s Privacy Bug Should Raise Red Flags at Browser Makers

The Safari 4 beta is having a little bit of trouble cleaning up after itself, as has been revealed by C. Harwic on his blog. Safari 4 is still in beta, so it’s easy to forgive the browser for this rather sloppy housekeeping, which left gigabytes (!) of browsing data in weird places all over your filesystem, even after cleaning the caches or history. Still, this does raise a few questions.

Safari’s sloppy housekeeping

First, let’s take a look at what Safari 4 beta is doing wrong. For clarity purposes, I’ve decided to handle this on a point-by-point basis in a bulleted list.

  • ~/Library/Caches/Metadata/Safari: The /history folder in here does not get cleaned up properly, and it’s very hard to find out what gets deleted and wat doesn’t. Every page gets its own item, each of them about 4-200k in size.
  • ~/Library/PubSub/Feeds/: In this directory, the new Top Sites feature makes an XML file every time a Top Site webpage is changed or alterered; it checks these sites every 30 minutes. These files are never deleted.
  • /private/var/folders/et/etuAKaR1GTeV9DVeRGfst++++TI/-Caches-/com.apple.Safari/Webpage Previews/: This is the worst one of all. QuickLook keeps two images (small and large) for every site you’ve ever visited with the Safari 4 beta. All of them. They never get deleted, and comprised 2.03GB of space on Harwic’s machine. To make matters worse, this folder does not live in the user’s library; heck, not even in the root library, but in a hidden folder far away from everything else on the computer.

Safari 4 is obviously in beta, so it’s important to note that we are talking about unstable and unfinished software, so things like this are to be expected – albeit still extremely sloppy. So, the rest of this discussion is not about this specific case, but about privacy in a more general sense. Just so you know.

Red flags

As browsers become ever more featureful, and users demand ever more advanced technoloy, it also becomes ever the more hard to cover your tracks. I’m personally not afraid of any data that’s stored on my computers, but the fact of the matter remains that there are countless emberassing (but legally harmless) things that you might want to look up on the web.

Even though most browsers have a porn button these days, it is not far-fetched to assume that many people forget to activate it, and start browsing without porn mode activated. When they’re done browsing, and they realise they should’ve used The Button, they obviously want to cover their tracks by using the various empty cache/history/etc. buttons in their browsers. If these buttons, then, do not actually delete said sensitive information (as is the case in the above Safari 4 bug), then you’ve got yourself a privacy nightmare on your hands.

We all know that browsers are the number one attack vector for people with malicious intent, and this is something browser makers are aware of and try to mitigate. However, on top of that are things that may not fit in the classic idea of a browser security bug, but can still be classified as such. I think the Safari 4 beta story is definitely a good example of something like that.

I hope that this Safari 4 beta bug has raised some serious red flags at the various other browser makers, and that they, too, are now taking a serious look at their various caches and data storages to see if they are managed properly.

20 Comments

  1. 2009-05-26 4:30 am
    • 2009-05-26 4:51 am
      • 2009-05-26 6:34 am
      • 2009-05-26 10:30 am
    • 2009-05-26 11:05 am
  2. 2009-05-26 5:10 am
    • 2009-05-28 9:35 pm
  3. 2009-05-26 6:47 am
  4. 2009-05-26 7:06 am
    • 2009-05-26 7:44 am
      • 2009-05-26 2:42 pm
  5. 2009-05-26 8:25 am
    • 2009-05-26 9:14 am
  6. 2009-05-26 12:30 pm
    • 2009-05-26 2:55 pm
      • 2009-05-26 5:02 pm
        • 2009-05-26 11:47 pm
    • 2009-05-26 9:00 pm
  7. 2009-05-26 12:36 pm
  8. 2009-05-26 2:01 pm