Is QuotaManager a potential security issue?
-
Thanks. I was guessing it probably was a Chrome-based local storage technology of some sort, but hadn't yet checked my HDD to see if any other browsers had similar files. I rarely use Google Chrome, but I do have those 2 files in Google Chrome (created July 24, 2014 and last modified Nov. 8, 2014). Interestingly, although I use (chrome-based) Opera 28 to download the file I couldn't get from MEGA using Vivaldi, the QuotaManager files do not occur in my Opera 28 installation.
If those files do have to do with nonmember download quotas at MEGA, then that information surely must be stored in some other way in each browser that doesn't use this QuotaManager method… so I'm pretty sure you would find some Firefox file (maybe just a cookie?) updated with a MEGA download.
If you get a chance, I would still be interested to know if you find any identification of specific files downloaded from MEGA (or elsewhere) in any of your QuotaManager files.
I also wonder if you've looked into where other local storage files (e.g., "Flash cookies") are kept in Vivaldi/Chrome/Firefox, or any of your other browsers. IIRC, in Olde Opera they were/are kept in the pstorage folder.
An alternative approach to discovering that might be to use Piriform's CCleaner to see what it identifies for each browser. I'll probably try to do that as soon as I get a chance, but thought I'd mention it in case you might also want to try it.
Edit: BTW, I'm not so sure it has to do with rendering as much as local storage. Clearly the first site you mentioned is talking about what I mean (offline storage), and it appears the second site probably is as well, but at a very technical implementation level, specifically with WebKit.
-
I'm not sure how MEGA stores or keeps track of that information - I checked for cookies from MEGA in Firefox and Vivaldi but this is all I could find:
It seems that it's set to delete itself when the browser closes, despite my preference to keep cookies. It also just appears to be a cookie keeping track of my location.
So I'm tempted to say MEGA's doing everything right, but I could also be biased.
From what I understand about Flash's storage, Chrome browsers store it in the user's profile path, and other browsers rely on a 'shared' cache. I could also be completely wrong about this. But it looks like these are where Vivaldi, Chrome, and Firefox store Flash content:
Vivaldi -
%localappdata%\Vivaldi\User Data\Default\Pepper Data
Chrome -
%localappdata%\Google\Chrome\User Data\Default\Pepper Data
Firefox and other non-PPAPI applications -
%appdata%\Roaming\Macromedia
Typing "about:cache" into Firefox's address bar might also be helpful.
-
> So I'm tempted to say MEGA's doing everything right, but I could also be biased.
Thanks for the checking you've done.
MEGA may very well be doing everything "right" in the sense that this method of keeping track of a quota may be a well established approach used in Chrome and at least some Chrome-based browsers, including Vivaldi (see below re Opera 28). To me it still seems like it shouldn't be placed in the same folder as user bookmarks, passwords, etc., but I suppose someone else could argue the same thing about the cookies files in the same folder. But my main concern wasn't so much is it "right" or "wrong", as "Is it (for the vast majority of users) an unrecognized security/privacy risk of some type, and if so, with what degree of severity?"
After you posted, I finally got a chance to look at my own Vivaldi QuotaManager instance, and here's a screenshot to show where I found the MEGA data (notice it's in the OriginInfoTable, not the HostQuotaTable):
[Screenshot: Vivaldi QuotaManager in DB Browser for SQLite, with mega.co.nz listed in OriginInfoTable]
I don't really know what I'm doing when it comes to SQLite DB files, but I tried to find anything else I could inside the QuotaManager file, like a specific filename, and came up blank. So maybe the only risk is that QuotaManager could reveal that one has downloaded or attempted to download something from MEGA, but nothing more specific than that.
FWIW, the timestamps seen in the screenshot (last_modified_time and last_access_time) appear to be 17-digit Google Chrome values which convert as follows:
13073119312027744 = Fri, 10 April 2015 06.01.52 UTC (last_modified_time)
13073174247755401 = Fri, 10 April 2015 21.17.27 UTC (last_access_time)
So I guess a little more "personal" data is revealed there (about when one attempted a download), and maybe MEGA uses those timestamps to keep track of when a nonmember is again eligible to download.
I also discovered I was wrong about Opera 28, as it does, indeed, have a QuotaManager and QuotaManager-journal file. Furthermore, in Opera 28 it appears those 2 files were created at installation. The SQLite browser reveals one mega.co.nz entry under HostQuotaTable, and 2 mega.co.nz entries under OriginInfoTable. It's been too long since I used it to download that file from MEGA to recall the exact circumstances, so I'm not clear why there might be 2 mega.co.nz under OriginInfoTable.
But at any rate, I'm not finding any other specific info in QuotaManager other than the mega.co.nz entries and their timestamps (which I didn't bother to convert). The single entry under HostQuotaTable has an 11-digit number (10737418240) under quota that I thought might be a Unix timestamp but that would convert as Sat, 10 January 2004 13.37.04 UTC, so that wouldn't make sense, and I'm not sure what its exact significance might be. (It certainly wouldn't seem to compromise privacy :P)
I'll check what CCleaner identifies for different browsers when I get a chance and report back if anything seems relevant/useful.
Thanks again for your efforts to help sort it out.
Attachments:
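The inspection described in the post above, as an added example that is not code posted by anyone in the thread: it lists what the two tables disclose, converts the 17-digit Chrome timestamps (microseconds since 1601-01-01 UTC), and reads the quota value as a byte count (10737418240 bytes is exactly 10 GiB). The database is a constructed in-memory stand-in holding the values quoted in the post; the column names other than last_access_time, last_modified_time and quota, and the type and used_count values, are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Convert a 17-digit Chrome timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def build_sample_db():
    """Constructed stand-in for a QuotaManager file (column layout is assumed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE HostQuotaTable (host TEXT, type INTEGER, quota INTEGER);
        CREATE TABLE OriginInfoTable (origin TEXT, type INTEGER, used_count INTEGER,
                                      last_access_time INTEGER, last_modified_time INTEGER);
    """)
    # Values quoted in the post; type and used_count are constructed.
    con.execute("INSERT INTO HostQuotaTable VALUES ('mega.co.nz', 0, 10737418240)")
    con.execute("INSERT INTO OriginInfoTable VALUES "
                "('https://mega.co.nz/', 0, 1, 13073174247755401, 13073119312027744)")
    return con

def summarize(con):
    """Return what the tables disclose: origins with visit times, hosts with quotas."""
    origins = [
        {"origin": o, "last_access": webkit_to_utc(a), "last_modified": webkit_to_utc(m)}
        for o, a, m in con.execute(
            "SELECT origin, last_access_time, last_modified_time "
            "FROM OriginInfoTable ORDER BY last_access_time DESC")
    ]
    quotas = [
        {"host": h, "quota_gib": q / 2**30}  # quota interpreted as bytes
        for h, q in con.execute("SELECT host, quota FROM HostQuotaTable")
    ]
    return origins, quotas

if __name__ == "__main__":
    # For a real profile, work on a copy of the file and open it read-only, e.g.
    # sqlite3.connect("file:QuotaManager-copy?mode=ro", uri=True)
    origins, quotas = summarize(build_sample_db())
    for row in origins:
        print(row["origin"], row["last_access"].isoformat(), row["last_modified"].isoformat())
    for row in quotas:
        print(row["host"], f"{row['quota_gib']:.1f} GiB")
```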
-
You're welcome, I'm always happy to help. That, and, I too, quickly became interested in what QuotaManager is.
I opened it again in the SQLite browser when you pointed out I was looking in the wrong table, and when I switched to OriginInfo, I did find data. But there's more than just data from MEGA.
As for how CCleaner identifies different browsers - I'm not sure, and (short of Googling it, which wasn't helpful) I don't know how to find out. I do know that you can tell CCleaner to clean specific files or folders that it would otherwise ignore.
Here's some more information on that.
P.S. - When I said I thought MEGA was doing everything right, I meant correct vs incorrect - not right vs wrong / good vs bad.
-
> I opened it again in the SQLite browser when you pointed out I was looking in the wrong table, and when I switched to OriginInfo, I did find data. But there's more than just data from MEGA.
Oh, good, I'm glad you checked that. So to me that indicates that the use of the QuotaManager technology is much more widespread than just MEGA.
From a little more reading at the first link you posted earlier it appears QuotaManager is standard Google Chrome technology, and maybe this is simply how what I think of as "persistent local storage" is handled in chromium-based browsers. But if so, like I said earlier, I would have thought it would be located somewhere else, most likely (based on the folder name) in Profile\Default\Storage or (User Data\Default\Storage in v1.0.151.7 and later) in standalone installations.
My CCleaner suggestion is trying to get at the same idea, based on where it already looks for files to potentially delete in various common browsers it is already set up to search, and looking in other browsers for the equivalent of "Flash cookies" (IIRC) in Olde Opera's pstorage folder. For example, if you use one of your non-chromium browsers (with NO QuotaManager files) to download from MEGA, I figure the same sort of quota data must be stored somewhere else (e.g., maybe in a simple cookie), and if we can track that quota technology down in each of several different browsers, we might better understand (or at least better hypothesize about) how the QuotaManager files work. I can't explain my CCleaner idea any better than that, but I'll still try what I have in mind as soon as I get a chance and post back with my findings.
BTW, I think we're on the same page re right/wrong being about correct/incorrect rather than moral good/bad, although maybe I would attach some "potential moral badness" to a potential security/privacy risk that isn't recognized by average users and isn't yet adequately "cleaned" by standard cleaning steps that cautious users mistakenly think are adequate (that seems poorly worded, but the best I can do right now). But that really is the whole point of my initial question: is this a privacy/security risk?
And if it is a privacy/security risk (even at a relatively low-danger level), I'm wondering if it is/isn't well-enough known, and/or well-enough cleaned by typical cleaning steps. For example, right now I don't know what happens to the QuotaManager files if a user chooses whatever built-in options already exist to delete all private data in any of the chromium-based browsers (maybe if you have time you could check that out in one or two of yours?). And I don't yet know if CCleaner, or the less well known BleachBit (or any other similar utilities), maybe already identify and provide an option to clean QuotaManager files.
So like I said, I'll try to do some more testing and report back, and if you (or anyone else) are inclined to take it further, I look forward to any additional findings from your end.
-
> For example, right now I don't know what happens to the QuotaManager files if a user chooses whatever built-in options already exist to delete all private data in any of the chromium-based browsers (maybe if you have time you could check that out in one or two of yours?).
Okay, for this experiment, I used Maxthon Cloud Browser, Yandex, and (for the sake of diversity, and my own curiosity) the browser built into the Overwolf app. All of these are built with the Chromium rendering engine, all of them have a file in their directories called "QuotaManager."
Before and after for each of those files for:
Before:
After:
No change.
Before:
After:
No change.
Before:
After:
No change.
I cleared all browsing data for every browser, and none of the data in those files was deleted.
-
> I cleared all browsing data for every browser, and none of the data in those files was deleted.
Yes, thanks. That's a nice, quick test, and not an encouraging result from a max privacy perspective. :ohmy:
Of course, I guess I'm thinking about this almost in a forensic context (what could be found by someone who had access to the machine and the necessary tools to investigate). I guess no average user is going to "discover" what is in those files. It isn't like leaving a browsing history behind that can easily be viewed from within the browser.
-
And if it really is monitoring a quota so as to manage server loads, whoever writes it would be pretty foolish to let you cheat the system by clearing cache.
-
Very good point. I'd imagine that kind of information is stored server-side, but I have no idea.
-
I'm thinking more about privacy/security implications, but once I discovered my QuotaManager files were created when I attempted a Mega download, one of my first thoughts was "I wonder if someone could just delete the QuotaManager files in order to be able to download again sooner."
Seems like I tried deleting site cookies once 2-3 years ago to try to accomplish the same thing on some download site. Or maybe I tried a different browser. I don't recall if either of those ever worked, but it seems like on at least one occasion I ended up thinking maybe the server countdown timer was keeping track of my IP address, so it didn't work.
Edit: oops, this was a reply to Ayespy before Tiamarth's post, but I lost Vivaldi site access for a while when I tried to post it and had to reconstruct it… maybe getting a cosmic ding for thinking/sharing my evil download thoughts.
-
Just an update to this thread:
I just discovered Vivaldi's Quota Internals page at vivaldi://quota-internals. The page presents information on 3 tabs (Summary, Usage & Quota, and Data), with probably the most interesting being the Usage and Quota Database Browser on the Usage & Quota tab.
The following screenshot of my Usage & Quota tab was taken immediately after opening (in the far right tab) the same MEGA download page mentioned above in my OP, without actually starting the download, and then refreshing the Quota Internals page. (MEGA did not appear on the page prior to that, as I had not carried forward QuotaManager and QuotaManager-journal files from previous Vivaldi installations into my current installation.)
For the screenshot, I've opened the MEGA "folder" and a few other "folders" to illustrate the appearance of folders in open and closed states, and I've selected the MEGA "folder", which provides the MEGA summary in the upper right corner of the screenshot (Storage Type, Host Name, Origin URL, and Origin is in use?).
Currently the only data for this installation is in sub-folders of my temporary folder (several of which pertain to various installed extensions), with no data in my persistent or syncable folders, so I'm not sure exactly what might typically appear in those folders.
Finally, the third tab (Data) presents only a Dump button, but this Dump provides a text-based coded listing of all the information presented on the page (see spoiler below screenshot). Information presented on tab 1 (Summary) is listed in the first (Summary) and last (Misc Statistics) sections of the text listing, with tab 2 (Usage And Quota) listed in between those 2 sections.
[Screenshot: Vivaldi Usage and Quota Database Browser, vivaldi://quota-internals]
```
======== Summary ========
{ "availableSpace": 3798810624 }
======== Usage And Quota ========
{ "children": [
  { "payload": { "type": "temporary", "unlimitedUsage": 0, "usage": 340019, "quota": 1266383547 },
    "children": [
      { "payload": { "host": "dhdgffkkebhmkfjojejmpbldmpobfkfo", "type": "temporary" },
        "children": [
          { "payload": { "host": "dhdgffkkebhmkfjojejmpbldmpobfkfo", "inUse": false, "origin": "chrome-extension://dhdgffkkebhmkfjojejmpbldmpobfkfo/", "type": "temporary", "usedCount": 0 } } ] },
      { "payload": { "host": "fnbmdojpgjpmjjmnjdnbobcdhenmmgod", "type": "temporary" },
        "children": [
          { "payload": { "host": "fnbmdojpgjpmjjmnjdnbobcdhenmmgod", "inUse": true, "origin": "chrome-extension://fnbmdojpgjpmjjmnjdnbobcdhenmmgod/", "type": "temporary", "lastAccessTime": 1430480544996.764, "lastModifiedTime": 1430480545189.764, "usedCount": 3 } } ] },
      { "payload": { "host": "gcalenpjmijncebpfijmoaglllgpjagf", "type": "temporary" },
        "children": [
          { "payload": { "host": "gcalenpjmijncebpfijmoaglllgpjagf", "inUse": false, "origin": "chrome-extension://gcalenpjmijncebpfijmoaglllgpjagf/", "type": "temporary", "usedCount": 0 } } ] },
      { "payload": { "host": "klbibkeccnjlkjkiokjodocebajanakg", "type": "temporary" },
        "children": [
          { "payload": { "host": "klbibkeccnjlkjkiokjodocebajanakg", "inUse": false, "origin": "chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/", "type": "temporary", "lastAccessTime": 1430464829841.355, "lastModifiedTime": 1430464690720.622, "usedCount": 4 } } ] },
      { "payload": { "host": "444.hu", "type": "temporary" },
        "children": [
          { "payload": { "host": "444.hu", "inUse": false, "origin": "http://444.hu/", "type": "temporary", "usedCount": 0 } } ] },
      { "payload": { "host": "mega.co.nz", "type": "temporary", "usage": 0 },
        "children": [
          { "payload": { "host": "mega.co.nz", "inUse": true, "origin": "https://mega.co.nz/", "type": "temporary" } } ] },
      { "payload": { "host": "www.google.com", "type": "temporary" },
        "children": [
          { "payload": { "host": "www.google.com", "inUse": false, "origin": "https://www.google.com/", "type": "temporary", "usedCount": 0 } } ] }
    ] },
  { "payload": { "type": "persistent", "unlimitedUsage": 0, "usage": 0 } },
  { "payload": { "type": "syncable", "unlimitedUsage": 0, "usage": 0 } }
] }
======== Misc Statistics ========
{ "errors-on-evicting-origin": "0", "errors-on-getting-usage-and-quota": "0", "evicted-origins": "0", "eviction-rounds": "37", "skipped-eviction-rounds": "37" }
```
BTW, I just realized I never got back to my promised experiment with CCleaner. I'll still try to do that at some point when I have enough time, and post back if any results are illuminating.
Attachments:
![](https://forum.vivaldi.net/uploads/attachments/40170/VivaldiUsageandQuotaDatabaseBrowservivaldi__quota-internals.png)