IndexedDB's private directory not removed on browser shutdown in global private browsing mode
Just reported by 김도훈_5791 (who is waiting for his GitLab account to be approved) on security@tpo.
If a website uses IndexedDB in a private browsing window, the storage files are encrypted with a key kept in RAM only and put in a directory called private.
This directory gets removed as soon as the PB window is closed.
Unfortunately, if the browser.privatebrowsing.autostart preference is true the private directory and its content are kept in place after browser shutdown.
Steps to reproduce:
- Remove `$TOR_BROWSER_HOME/Browser/TorBrowser/Data/Browser/profile.default/storage/private` if it exists
- Launch the Tor Browser and visit https://people.torproject.org/~ma1/test/idb/
- Check that `$TOR_BROWSER_HOME/Browser/TorBrowser/Data/Browser/profile.default/storage/private` has been (re)created
- Quit the Tor Browser
Expected result: the private directory should have been deleted.
Actual result: the private directory and its obfuscated/encrypted content are still there.
The reporter believed this was a Tor Browser-specific bug, "easy to fix" by backporting Firefox's "correct" behavior, but the bug actually affects Firefox as well if you flip the preference, which of course is true by default in the Tor Browser.
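A small POSIX shell helper for the check in step 3 and for the expected result after quitting, with an optional cleanup of the leftover directory as a stop-gap until the deletion policy is fixed. This is an added example, not code from the report or from the Tor Browser project; it assumes the profile layout quoted in the steps above, and the stand-alone invocation at the bottom assumes the caller sets `$TOR_BROWSER_HOME`.

```sh
#!/bin/sh
# Added example (not from the report or the Tor Browser project).
# Checks whether the IndexedDB "private" storage directory survived a browser
# shutdown, counts what was left behind, and can remove it as a workaround.
# Assumes the profile layout quoted in the report; TOR_BROWSER_HOME is only
# read by the stand-alone invocation at the bottom of the file.

# Location of the directory the report describes, relative to a profile directory.
IDB_PRIVATE_SUBDIR="storage/private"

# Returns 0 if the leftover directory exists under the given profile directory,
# non-zero otherwise (including for an empty profile path).
idb_private_dir_exists() {
    [ -n "$1" ] && [ -d "$1/$IDB_PRIVATE_SUBDIR" ]
}

# Prints the number of files left behind (0 when the directory is absent).
# Only names and counts are inspected: the contents are encrypted with a key
# that lived in RAM, so there is nothing readable in them after shutdown.
idb_private_file_count() {
    if idb_private_dir_exists "$1"; then
        find "$1/$IDB_PRIVATE_SUBDIR" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Removes the leftover directory and prints how many files were deleted.
# Refuses an empty profile path so the rm target can never expand to
# "/storage/private".
idb_private_dir_clean() {
    profile_dir="$1"
    [ -n "$profile_dir" ] || return 2
    count=$(idb_private_file_count "$profile_dir")
    if idb_private_dir_exists "$profile_dir"; then
        rm -rf "$profile_dir/$IDB_PRIVATE_SUBDIR"
    fi
    echo "$count"
}

# Stand-alone use after quitting the browser (assumed invocation):
#   TOR_BROWSER_HOME=/path/to/tor-browser sh idb-private-check.sh [--clean]
if [ -n "${TOR_BROWSER_HOME:-}" ]; then
    profile="$TOR_BROWSER_HOME/Browser/TorBrowser/Data/Browser/profile.default"
    if idb_private_dir_exists "$profile"; then
        echo "BUG REPRODUCED: $profile/$IDB_PRIVATE_SUBDIR still exists ($(idb_private_file_count "$profile") files)"
        if [ "${1:-}" = "--clean" ]; then
            echo "removed $(idb_private_dir_clean "$profile") files"
        fi
    else
        echo "OK: no leftover $IDB_PRIVATE_SUBDIR under $profile"
    fi
fi
```

Run it right after quitting the browser; if it reports the directory as still present, the bug has reproduced, and `--clean` removes the leftover files the way step 1 of the reproduction does by hand.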
Actually retrieving data from the encrypted database, or even knowing which website it belongs to, requires searching a frozen snapshot of the RAM for the IDB decryption keys, kept there during the browsing session. Furthermore, you could always end up in this situation if the browser just crashes, or if a determined and resourceful attacker manages to recover the encrypted files from the persistent storage after deletion. Nonetheless, I think we want this deletion policy to work as reliably as possible in global PBM as well, for consistency's sake if nothing else.
Opening a Mozilla bug too.