
I used Chrome in Sandboxie, and even after I deleted the contents of the sandbox, youtube.com still recommended videos for me, which were based on vids I saw.

Only after I deleted all history in Chrome did YouTube stop recommending these vids.

All of these actions are in the sandbox, so how can YouTube track the user even when I delete all contents of the sandbox? At first I thought it was based on my IP, so deleting the contents would be useless. But YouTube does not give those recommended vids after I delete the browsing history while browsing in the sandbox, which seems to mean it is not based on my IP after all?

There must be some info stored somewhere, because after deleting all contents, YouTube should not be able to recognize any history, which would be equivalent to deleting the browsing history.

I don't think YouTube can penetrate Sandboxie, so the only other option is that there is info stored on the server. Someone can give it a try and explain it to me:

1/ Install Chrome and Sandboxie; both are free.

2/ Run Chrome in sandbox mode, go to youtube.com, search for and watch some vids, e.g. martial arts, so YouTube will recommend those kinds of vids to you.

3/ Delete all contents of the sandbox.

4/ Run Chrome in the sandbox again, go to youtube.com and you will see those recommended vids. How can this be possible? youtube.com must recognize the user based on IP or something else.

5/ Go to history, check and clear everything.

6/ Go back to youtube.com; those recommended vids disappear. How can this be possible? Where is the recognition info stored that can't be deleted?

user2174870

1 Answer

  • Chrome is generally not too secure

  • You have an IP address that is tracked; many general spam recommendations will be based on that

  • History is irrelevant and so are cookies (in this case), but cache is not

  • Your browser has a unique ID that you can be identified by (this is used by the very advanced trackers)

What to do:

  • Use a private browser instance (and I recommend you use Opera - way more secure)

  • Do not be logged in to absolutely anything (no google, fb, y, skype etc.)

  • Use a web proxy on the private instance (Opera has extensions with multiple selectable big proxies - browsec as example)

  • Use a unique ID changer to identify your browser as a general version wide-spread one (yes, there's an extension for that too)

Overmind
  • None of your first 4 points seem to apply in the OP's case. Clearing history changed the behaviour ... – schroeder Nov 15 '16 at 07:28
  • `Chrome is generally not too secure`, Google will go bankrupt and chrome would die tomorrow! – Gerorge Timber Nov 15 '16 at 18:27
  • @schroeder if the browser is stupid enough to read the general history in private mode, it's clearly a security problem, which only confirms what I was stating above. – Overmind Nov 16 '16 at 08:19
  • @George check the CISCO security site to see what I'm talking about. – Overmind Nov 16 '16 at 08:20
  • What I'm saying is that none of your points explain why clearing the history affected the behaviour. In fact, it seems like clearing the history would not have had any effect on your suggestions. So, it looks like you haven't answered the question at all, unless I missed how you are connecting the dots. (Note that private mode was not invoked, only a sandbox). – schroeder Nov 16 '16 at 17:37
  • If you don't have private mode on, most of the tracking-related things are still active. There is no benefit to using a sandbox if you're not in private mode. – Overmind Feb 13 '17 at 13:42
  • "Your browser has a unique ID" Are you talking about browser fingerprinting? I wouldn't describe that as the browser having an ID. – Anders May 14 '17 at 12:23
  • I'm talking about user agent ID. – Overmind May 17 '17 at 09:26
  • Opera is way more secure... what? 0days for Opera cost... well low enough that I got one for free. 0days for Chrome/Chromium cost around $300,000 USD due to the extremely heavy sandboxing it uses and the huge amount of static and dynamic analysis it gets on a regular basis. Even Firefox (which is not too well designed, security-wise) is far ahead of Opera. – forest Feb 21 '18 at 09:23
  • Instead of making assumptions, check CISCO's vulnerability reports (the browser section). – Overmind Feb 21 '18 at 09:25
  • Vulnerability reports have nothing to do with the security of a given tool. This is well known. The reason is simply that more used programs have more people finding bugs. I can't remember the last IRIX CVE I've seen, but that doesn't mean I'd use IRIX over another modern UNIX system. It is not an assumption to state that a given browser has had more static and dynamic analysis and uses more hardening techniques (even CFI, apparently) than another. Pointing to vulnerability report numbers is a red herring. – forest Feb 21 '18 at 09:33
  • More found bugs --> higher chances to exploit the system. Basic logic. More people using it --> higher chances for them to be exploited. Basic logic also. – Overmind Feb 21 '18 at 09:35
  • [That is incorrect.](https://security.stackexchange.com/q/147111/165253) Replace "CVE" with any security advisory of your choosing. – forest Feb 21 '18 at 09:36
  • That's only one aspect. Try to search for the yearly white hacking contests. There's one browser ending up the worst almost every year. – Overmind Feb 21 '18 at 09:43
  • Yes, it's usually Firefox which does not put much effort into securing things (read the Phrack article on Firefox and PresArena, the equivalent of Chrome's PartitionMalloc). The most secure, and in fact the only browser that can withstand an entire pwn2own contest, is Chrome. Opera is often not even tested as it is far less used. But still, even with Firefox the 0days are far more expensive (I've seen between $15k and $75k). The fact is, pointing to security advisory numbers as a measure of security is absurd. – forest Feb 21 '18 at 09:46
  • Er, PartitionAlloc, my bad. – forest Feb 21 '18 at 09:54
  • Not tested does not mean not secure. Opera's security only decreased a little after adopting the unified GUI. What has $ got to do with anything? – Overmind Feb 21 '18 at 09:58
  • Not tested (as in static/dynamic testing) means less likely to be secure than something which is tested. As for money, it's a general way to see how valuable a 0day is. A little more accurate than CVE count. Obviously what really matters is security techniques and how difficult it is to find and exploit vulnerabilities. My point is that Chrome/Chromium uses significant security techniques (seccomp, chroot, AppContainer, namespaces, etc depending on OS), whereas Opera uses literally nothing for sandboxing or similar, last I checked. – forest Feb 21 '18 at 10:04
  • Not tested means you can only make assumptions. Nothing more. – Overmind Feb 21 '18 at 10:14
  • That's... not how it works. I'm not sure what part of this you don't get. Are you claiming that Opera is more secure because it is not tested as much, and therefore has fewer publicly published vulnerabilities? – forest Feb 21 '18 at 10:16
  • It works like this: field-tested in an industrial environment of over 25k systems. Between 2009 and 2015, Opera was the most secure hands down and FF was the most exploited/vulnerable. I did not test anything in 2017 and not enough in 2016 to have relevant conclusions so I can't say at this point if things changed, but 7 years in a row Opera was #1 in security (and innovation). Let's move to chat if you want to talk more. – Overmind Feb 21 '18 at 12:03
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/73511/discussion-between-forest-and-overmind). – forest Feb 22 '18 at 03:03