Is QuotaManager a potential security issue?
-
I recently noticed the puzzling presence of 2 new files in my 32-bit Win7 Vivaldi v1.0.142.32 standalone installation Profile/Default folder: [b]QuotaManager[/b] and [b]QuotaManager-journal[/b] I was puzzled about these 2 files as they not only didn't occur in any previous installation, but they also didn't appear in the more recent v1.0.151.7. Furthermore, they were created 7 days after the rest of the files in that profile and last modified a few hours after they were created. So I downloaded [url=http://sqlitebrowser.org/]DB Browser for SQLite[/url] and used it to examine the files, only to learn they were associated with an attempted download from [url=https://mega.co.nz/#!txIEFKCD!e056bT4WW5Gz1HpX4LWSTGreuUlJpwi_uL66S_WRaYk]MEGA[/url]. (I say "attempted" because Vivaldi did nothing when I clicked on the MEGA download button, and I had to use a different browser to successfully download. I think the files may have been last modified a few hours after they were initially created because I may have attempted the download twice, but I don't recall for sure.) So from my understanding there are 2 related potential "security" issues here: b[/b] this seems to be some sort of information stored by the website on the local machine (maybe having to do with MEGA nonmember download quotas ?), similar to Flash cookies or other local storage files b[/b] about which I have never heard (and I'm guessing most other users haven't either), and b[/b] which I don't think most users would have any clue about needing to delete if they are concerned about personal privacy on their machine, and b[/b] a kind of user tracking by MEGA that most users would know nothing about; ...and: b[/b] a "violation"/"contamination" of one's Vivaldi user profile under the control of the MEGA site, but somehow abetted by Vivaldi's (Chrome's ?) programming. (If nothing else, it seems like it should be placed, if anywhere, perhaps in \Profile\Default\Storage, or \User Data\Default\Storage in v1.0.151.7 and later.) I'm not particularly alarmed by this; just trying to raise the question... ...And I'm sure someone more knowledgeable in security matters can also figure out how to better word the question.
-
I'm a user of MEGA, and I've recommended it to people who needed cloud storage in the past. Although I've never noticed those files before, a Google search didn't really return much helpful information. I scanned them both with Comodo and Avast, and both registered as safe. The only thing I can think of is what you mentioned already - that they're used to keep track of download quotas. Which makes sense, because you only get 10GB of free bandwidth for downloading files from MEGA.
I could be wrong, but I don't think there's any cause for concern here.
-
I don't mean malware.
I just mean personal security/privacy on one's own local machine and, to a lesser degree, in terms of being unknowingly tracked by a site (MEGA). Many users want to prevent tracking as much as possible, and want tight control over whether cookies (and what type of cookies), Flash cookies (usually in Local Storage), etc. are even allowed on their machine. And many users want to delete cookies, Flash cookies, browsing history, cache files, etc. for privacy upon exiting their browser.
But I doubt the vast majority of users would have a clue the the QuotaManager and QuotaManager-journal files are created when downloading from MEGA and remain behind in their profile, would have no clue what is contained in the files, and would have no clue that the files needed to be deleted to erase browsing tracks on their local machine.
Initially, I also imagined the files contained records of what was actually downloaded, which also might be a concern to some users. But now I realize I didn't actually explored the SQLite DB carefully enough to establish that, as I stopped looking once I found the MEGA URL in the file.
[[b]@Tiamarth: If you have time and inclination, and do enough downloading from MEGA, maybe you could check to see if specific downloads are identified (e.g., using DB Browser for SQLite). And if you use other similar sites, are their URLs (and perhaps specific downloads?) also contained in the QuotaManager files?]
If the QuotaManager files are created simply to track download quotas (which seems entirely plausible and a necessary function for such a site) I wonder how widespread is the use of the particular quota tracking technology involved (numerous sites track such nonmember download quotas, but I've always assumed it was done with a simple timestamped cookie). If one downloads from several such sites do they all use this same quota technology and the same 2 QuotaManager and QuotaManager-journal files, or is this unique to MEGA? If it is common usage, I think users concerned with post-browsing privacy would need to know those files exist and need to be deleted/shredded.
But to me it somehow seems more invasive that the quota tracking is lumped in with the files in my personal profile folder that I backup and copy to new installations. It certainly isn't part of my browser profile that I want to backup and transfer to a new installation any more than Flash cookies or other local storage, and it seems to me it doesn't belong in that folder (although I usually do backup and transfer my browsing history as well as cookies if they include login data I want to preserve).
-
I really thought it odd that I could be using MEGA so long and never knew that it created these files, so I decided to run a search for "QuotaManager" in explorer and see if those files were anywhere else in other browsers' folders. After-all, I use a lot of browsers and frequently use MEGA and some other cloud services, so I would think files with the same names would be elsewhere on my harddrive. I was right, but interestingly, they're only in folders for Chromium browsers.
You know from another thread that I have 25 browsers installed on my machine, and I do use all of them. However, my most used browsers are Vivaldi, Maxthon Cloud Browser, and Mozilla Firefox (in that order). Vivaldi and Maxthon use the Chromium rendering engine, and they both contain "QuotaManager" and "QuotaManager-Journal." Firefox does not. Just to be sure that I hadn't cleared my cookies, I opened Firefox, went to MEGA, and downloaded some files - but QuotaManager wasn't created anywhere in its folders.
Even browsers built-in to apps like Overwolf and Steam had those files in their folders.
!
Which led me to believe that whatever these files are or do, they're related to how Chromium stores information on users' machines. I Googled, "chromium quota manager" based on that idea, and I came up with this website - and this thread on Chromium's issue list.
So it looks like they have something to do with how the rendering engine operates, which I know very little about. I'm afraid I probably won't be of much more help here.
-
Thanks. I was guessing it probably was a Chrome-based local storage technology of some sort, but hadn't yet checked my HDD to see if any other browsers had similar files. I rarely use Google Chrome, but I do have those 2 files in Google Chrome (created July 24, 2014 and last modified Nov. 8, 2014). Interestingly, although I use (chrome-based) Opera 28 to download the file I couldn't get from MEGA using Vivaldi, the QuotaManager files do not occur in my Opera 28 installation.
If those files do have to do with nonmember download quotas at MEGA, then that information surely must be stored in some other way in each browser that doesn't use this QuotaManager method… ...so I'm pretty sure you would find some Firefox file (maybe just a cookie?) updated with a MEGA download.
If you get a chance, I would still be interested to know if you find any identification of specific files downloaded from MEGA (or elsewhere) in any of your QuotaManager files.
I also wonder if you've looked into where other local storage files (e.g., "Flash cookies") are kept in Vivaldi/Chrome/Firefox, or any of your other browsers. IIRC, in Olde Opera they were/are kept in the pstorage folder.
An alternative approach to discovering that might be to use Piriform's CCleaner to see what it identifies for each browser. I'll probably try to do that as soon as I get a chance, but thought I'd mention it in case you might also want to try it.
Edit: BTW, I'm not so sure it has to do with rendering as much as local storage. Clearly the first site you mentioned is talking about what I mean (offline storage), and it appears the second site probably is as well, but a very technical implementation level, specifically with WebKit.
-
I'm not sure how MEGA stores or keeps track of that information - I checked for cookies from MEGA in Firefox and Vivaldi but this is all I could find:
It seems that it's set to delete itself when the browser closes, despite my preference to keep cookies. It also just appears to be a cookie keeping track of my location.
!
!
So I'm tempted to say MEGA's doing everything right, but I could also be biased.
! From what I understand about Flash's storage, Chrome browsers store it in the user's profile path, and other browsers rely on a 'shared' cache. I could also be completely wrong about this. But it looks like these are where Vivaldi, Chrome, and Firefox store Flash content:
! Vivaldi -
! %localappdata%\Vivaldi\User Data\Default\Pepper Data
! Chrome -
! %localappdata%\Google\Chrome\User Data\Default\Pepper Data
! Firefox and other non-PPAPI applications -
! %appdata%\Roaming\Macromedia
! Typing "about:cache" into Firefox's address bar might also be helpful. -
So I'm tempted to say MEGA's doing everything right, but I could also be biased.
Thanks for the checking you've done.
MEGA may very well be doing everything "right" in the sense that this method of keeping track of a quota may be a well established approach used in Chrome and at least some Chrome-based browsers, including Vivaldi (see below re Opera 28). To me it still seems like it shouldn't be placed in the same folder as user bookmarks, passwords, etc., but I suppose someone else could argue the same thing about the cookies files in the same folder. But my main concern wasn't so much is it "right" or "wrong", as "Is it (for the vast majority of users) an unrecognized security/privacy risk of some type, and if so, with what degree of severity.
After you posted, I finally got a chance to look at my own Vivaldi QuotaManager instance, and here's a screenshot to show where I found the MEGA data (notice it's in the OriginInfoTable, not the HostQuotaTable):
[attachment=1044]VivaldiQuotaManagerinDBBrowserforSQLitewithmega.co.nzlistedinOriginInfoTable.png[/attachment]
I don't really know what I'm doing when it comes to SQLite DB files, but I tried to find anything else I could inside the QuotaManager file, like a specific filename, and came up blank. So maybe the only risk is that QuotaManager could reveal that one has downloaded or attempted to download something from MEGA, but nothing more specific than that.
FWIW, the timestamps seen in the screenshot (last_modified_time and last_access_time) appear to be 17-digit Google Chrome values which convert as follows:
13073119312027744 = Fri, 10 April 2015 06.01.52 UTC (last_modified_time)
13073174247755401 = Fri, 10 April 2015 21.17.27 UTC (last_access_time)…So I guess a little more "personal" data is revealed there (about when one attempted a download), and maybe MEGA uses those timestamps to keep track of when a nonmember is again eligible to download.
I also discovered I was wrong about Opera 28, as it does, indeed, have a QuotaManager and QuotaManager-journal file. Furthermore, in Opera 28 it appears those 2 files were created at installation. The SQLite browser reveals one mega.co.nz entry under HostQuotaTable, and 2 mega.co.nz entries under OriginInfoTable. It's been too long since I used it to download that file from MEGA to recall the exact circumstances, so I'm not clear why there might be 2 mega.co.nz under OriginInfoTable.
But at any rate, I'm not finding any other specific info in QuotaManager other than the mega.co.nz entries and their timestamps (which I didn't bother to convert). The single entry under HostQuotaTable has an 11-digit number (10737418240) under quota that I thought might be a Unix timestamp but that would convert as Sat, 10 January 2004 13.37.04 UTC, so that wouldn't make sense, and I'm not sure what its exact significance might be. (It certainly wouldn't seem to compromise privacy :P)
I'll check what CCleaner identifies for different browsers when I get a chance and report back if anything seems relevant/useful.
Thanks again for your efforts to help sort it out.
Attachments:
-
You're welcome, I'm always happy to help. That, and, I too, quickly became interested in what QuotaManager is.
I opened it again in the SQLite browser when you pointed out I was looking in the wrong table, and when I switched to OriginInfo, I did find data. But there's more than just data from MEGA.
As for how CCleaner identifies different browsers - I'm not sure, and (short of Googling it, which wasn't helpful) I don't know how to find out. I do know that you can tell CCleaner to clean specific files or folders that it would otherwise ignore.
Here's some more information on that.
P.S. - When I said I thought MEGA was doing everything right, I meant correct vs incorrect - not right vs wrong / good vs bad.
-
I opened it again in the SQLite browser when you pointed out I was looking in the wrong table, and when I switched to OriginInfo, I did find data. But there's more than just data from MEGA.
Oh, good, I'm glad you checked that. So to me that indicates that the use of the QuotaManager technology is much more widespread than just MEGA.
From a little more reading at the first link you posted earlier it appears QuotaManager is standard Google Chrome technology, and maybe this is simply how what I think of as "persistent local storage" is handled in chromium-based browsers. But if so, like I said earlier, I would have thought it would be located somewhere else, most likely (based on the folder name) in Profile\Default\Storage or (User Data\Default\Storage in v1.0.151.7 and later) in standalone installations.
My CCleaner suggestion is trying to get at the same idea, based on where it already looks for files to potentially delete in various common browsers it is already set up to search, and looking in other browsers for the equivalent of "Flash cookies" (IIRC) in Olde Opera's pstorage folder. For example, if you use one of your non-chromium browsers (with NO QuotaManager files) to download from MEGA, I figure the same sort of quota data must be stored somewhere else (e.g., maybe in a simple cookie), and if we can track that quota technology down in each of several different browsers, we might better understand (or at least better hypothesize about) how the QuotaManager files work. I can't explain my CCleaner idea any better than that, but I'll still try what I have in mind as soon as I get a chance and post back with my findings.
BTW, I think we're on the same page re right/wrong being about correct/incorrect rather than moral good/bad, although maybe I would attach some "potential moral badness" to a potential security/privacy risk that isn't recognized by average users and isn't yet adequately "cleaned" by standard cleaning steps that cautious users mistakenly think are adequate (that seems poorly worded, but the best I can do right now). But that really is the whole point of my initial question: is this a privacy/security risk?
And if it is a privacy/security risk (even at a relatively low-danger level), I'm wondering if it is/isn't well-enough known, and/or well-enough cleaned by typical cleaning steps. For example, right now I don't know what happens to the QuotaManager files if a user chooses whatever built-in options already exist to delete all private data in any of the chromium-based browsers (maybe if you have time you could check that out in one or two of yours?). And I don't yet know if CCleaner, or the less well known BleachBit (or any other similar utilities), maybe already identify and provide an option to clean QuotaManager files.
So like I said, I'll try to do some more testing and report back, and if you (or anyone else) are inclined to take it further, I look forward to any additional findings from your end.
-
For example, right now I don't know what happens to the QuotaManager files if a user chooses whatever built-in options already exist to delete all private data in any of the chromium-based browsers (maybe if you have time you could check that out in one or two of yours?).
Okay, for this experiment, I used Maxthon Cloud Browser, Yandex, and (for the sake of diversity, and my own curiosity) the browser built into the Overwolf app. All of these are built with the Chromium rendering engine, all of them have a file in their directories called "QuotaManager."
Before and after for each of those files for:
!
Before:
!
! After:
! No change.!
Before:
!
! After:
! No change.!
Before:
!
! After:
! No change.I cleared all browsing data for every browser, and none of the data in those files was deleted.
-
I cleared all browsing data for every browser, and none of the data in those files was deleted.
Yes, thanks. That's a nice, quick test, and not an encouraging result from a max privacy perspective. :ohmy:
Of course, I guess I'm thinking about this almost in a forensic context (what could be found by someone who had access to the machine and the necessary tools to investigate). I guess no average user is going to "discover" what is in those files. It isn't like leaving a browsing history behind that can easily be viewed from within the browser.
-
And if it really is monitoring a quota so as to manage server loads, whoever writes it would be pretty foolish to let you cheat the system by clearing cache.
-
Very good point. I'd imagine that kind of information is stored server-side, but I have no idea.
-
I'm thinking more about privacy/security implications, but once I discovered my QuotaManager files were created when I attempted a Mega download, one of my first thoughts was "I wonder if someone could just delete the QuotaManager files in order to be able to download again sooner."
Seems like I tried deleting site cookies once 2-3 years ago to try to accomplish the same thing on some download site. Or maybe I tried a different browser. I don't recall if either of those ever worked, but it seems like on at least one occasion I ended up thinking maybe the server countdown timer was keeping track of my IP address, so it didn't work.
Edit: oops, this was a reply to Ayespy before Tiamarth's post, but I lost Vivaldi site access for a while when I tried to post it and had to reconstruct it… ...maybe getting a cosmic ding for thinking/sharing my evil download thoughts.
-
Just an update to this thread:
I just discovered Vivaldi's Quota Internals page at vivaldi://quota-internals. The page presents information on 3 tabs (Summary, Usage & Quota, and Data), with probably the most interesting being the Usage and Quota Database Browser on the Usage & Quota tab.
The following screenshot of my Usage & Quota tab was taken immediately after opening (in the far right tab) the same MEGA download page mentioned above in my OP, without actually starting the download, and then refreshing the Quota Internals page. (MEGA did not appear on the page prior to that, as I had not carried forward QuotaManager and QuotaManager-journal files from previous Vivaldi installations into my current installation.)
For the screenshot, I've opened the MEGA "folder" and a few other "folders" to illustrate the appearance of folders in open and closed states, and I've selected the MEGA "folder", which provides the MEGA summary in the upper right corner of the screenshot (Storage Type, Host Name, Origin URL, and Origin is in use?).
Currently the only data for this installation is in sub-folders of my temporary folder (several of which pertain to various installed extensions), with no data in my persistent or syncable folders, so I'm not sure exactly what might typically appear in those folders.
Finally, the third tab (Data) presents only a Dump button, but this Dump provides a text-based coded listing of all the information presented on the page (see spoiler below screenshot). Information presented on tab 1 (Summary) is listed in the first (Summary) and last (Misc Statistics) sections of the text listing, with tab 2 (Usage And Quota) listed in between those 2 sections.
[attachment=1185]VivaldiUsageandQuotaDatabaseBrowservivaldi__quota-internals.png[/attachment]
!
======== Summary ======== { "availableSpace": 3798810624 } ======== Usage And Quota ======== { "children": [ { "payload": { "type": "temporary", "unlimitedUsage": 0, "usage": 340019, "quota": 1266383547 }, "children": [ { "payload": { "host": "dhdgffkkebhmkfjojejmpbldmpobfkfo", "type": "temporary" }, "children": [ { "payload": { "host": "dhdgffkkebhmkfjojejmpbldmpobfkfo", "inUse": false, "origin": "chrome-extension://dhdgffkkebhmkfjojejmpbldmpobfkfo/", "type": "temporary", "usedCount": 0 } } ] }, { "payload": { "host": "fnbmdojpgjpmjjmnjdnbobcdhenmmgod", "type": "temporary" }, "children": [ { "payload": { "host": "fnbmdojpgjpmjjmnjdnbobcdhenmmgod", "inUse": true, "origin": "chrome-extension://fnbmdojpgjpmjjmnjdnbobcdhenmmgod/", "type": "temporary", "lastAccessTime": 1430480544996.764, "lastModifiedTime": 1430480545189.764, "usedCount": 3 } } ] }, { "payload": { "host": "gcalenpjmijncebpfijmoaglllgpjagf", "type": "temporary" }, "children": [ { "payload": { "host": "gcalenpjmijncebpfijmoaglllgpjagf", "inUse": false, "origin": "chrome-extension://gcalenpjmijncebpfijmoaglllgpjagf/", "type": "temporary", "usedCount": 0 } } ] }, { "payload": { "host": "klbibkeccnjlkjkiokjodocebajanakg", "type": "temporary" }, "children": [ { "payload": { "host": "klbibkeccnjlkjkiokjodocebajanakg", "inUse": false, "origin": "chrome-extension://klbibkeccnjlkjkiokjodocebajanakg/", "type": "temporary", "lastAccessTime": 1430464829841.355, "lastModifiedTime": 1430464690720.622, "usedCount": 4 } } ] }, { "payload": { "host": "444.hu", "type": "temporary" }, "children": [ { "payload": { "host": "444.hu", "inUse": false, "origin": "http://444.hu/", "type": "temporary", "usedCount": 0 } } ] }, { "payload": { "host": "mega.co.nz", "type": "temporary", "usage": 0 }, "children": [ { "payload": { "host": "mega.co.nz", "inUse": true, "origin": "https://mega.co.nz/", "type": "temporary" } } ] }, { "payload": { "host": "www.google.com", "type": "temporary" }, "children": [ { "payload": { "host": "www.google.com", "inUse": false, "origin": "https://www.google.com/", "type": "temporary", "usedCount": 0 } } ] } ] }, { "payload": { "type": "persistent", "unlimitedUsage": 0, "usage": 0 } }, { "payload": { "type": "syncable", "unlimitedUsage": 0, "usage": 0 } } ] } ======== Misc Statistics ======== { "errors-on-evicting-origin": "0", "errors-on-getting-usage-and-quota": "0", "evicted-origins": "0", "eviction-rounds": "37", "skipped-eviction-rounds": "37" } >! ``` BTW, I just realized I never got back to my promised experiment with CCleaner. I'll still try to do that at some point when I have enough time, and post back if any results are illuminating. Attachments: 
