Adobe Flash, Apple Safari fail privacy test

McKinley, a researcher at iSec Partners, created a tool for testing the functionality of clearing private data after a browser session and browsing in private mode and found that some browsers -- most notably Apple's Safari for Windows -- do a poor job of wiping traces of a browser session.

[ SEE: Microsoft confirms ‘InPrivate’ IE 8 ]

McKinley warns (.pdf):

Third party plug-ins like Adobe Flash, which is far more popular than any individual browser or platform, seem to undermine the data protection schemes offered by all common browsers, however. While browsers are introducing more features with privacy implications, such as persistent local storage, they have mostly integrated the management of this type of information into a single location. When users want to ensure their privacy with respect to information stored via the browser standard methods, they can go to a single location to clear the data, use a separate browser, or use a working private browsing mode, if available.

Plug-ins need to take extra steps to ensure the privacy of their users. The clear best practices in this area, as exemplified by Google’s Gears, prompts users before allowing a site to store data on their system, holds a per-browser data store, and integrates their management UI into the browser UI. Adobe Flash does none of these things, instead silently allowing web sites to store data, uses one global data store for all browsers, and uses a settings UI accessible only when the user is connected to the Internet.

[ SEE: Major Web browsers fail password protection tests ]

She called on browser vendors and plug-in vendors to cooperate to make their platforms more trustworthy:

A set of standard APIs to communicate the need for plug-ins to clear data for a particular origin, all sites, or even a date range needs to be developed, and its use required of all plugins. In the absence of these APIs, plugins which require use of any local system resources should prompt before allowing web sites to store data locally, and integrate the management of interface into the standard browser API.

In the study, McKinley tested the data storage on modern browsers, including HTTP cookies, HTML 5 session storage, Mozilla Firefox perisistent storage, HTML 5 database storage, IE userData, Adobe Flash and Google Gears.

[ SEE: Firefox scrambles to add ‘private mode’ browsing ]

Apple's Safari on Windows, which offers a "Private Browsing" option, did not fare well:

The HTML 5 Database store on Safari is not cleared when resetting the private data, the user must go to their preferences and select Security, then click the “Show Databases” button on that tab to review or delete databases. For IE 8 Beta 2, the browser must be closed to actually clear the data for the running instance. In each of these cases, it is necessary to perform additional actions to effectively clear this data.

And more:

Safari on Windows fared the worst of all in [tests] with respect to private browsing, and did not clear any data at all, either before entering or after exiting the private mode. On OS X, Safari’s behavior was quirky; in no case was the HTML 5 database storage cleared before or after private browsing. Previously set cookies seem to continue to be available if the user entered a private browsing session, but if the user started the browser and went directly into private browsing, it seemed to behave as expected.

* Image source: 253C.  Hat tip to NYT's Brad Stone.