ios-search-and-stories icon indicating copy to clipboard operation
ios-search-and-stories copied to clipboard

Published 20 hours ago verified publisher icon duckduckgo

Clearing cookies/cache doesn't clear local storage - privacy risk

Open ryancastro opened this issue 8 years ago • 5 comments

On the IOS App if you force stop the DuckDuckGo Application and reopen it, HTML5 local storage is still stored. This allows websites to store session information in local storage, and have you trackable even after you've force-stopped the app.

Demo Steps:

  1. Navigate to : http://html5demos.com/storage in duckduckgo
  2. Save a value for local storage
  3. refresh the page (Value is still saved)
  4. Force stop the app in iOS and reopen it.
  5. Navigate to http://html5demos.com/storage

Result: Local storage value is still stored. Many websites use local storage for user tracking, and this presents a risk to users privacy.

Bonus fun - I also attempted to clear safari's history/cache/everything in settings, and the local storage data in DuckDuckGo persists.

Once a website has set localstorage data, it appears it will be there foreever, until duckduckgo is removed from the device.

ryancastro avatar Jun 01 '16 20:06 ryancastro

@ryancastro thanks for opening this thoroughly described issue. @nilnilnil any input here?

alohaas avatar Jun 07 '16 19:06 alohaas

hey @ryancastro thanks again for bringing this up. It looks like this one has been addressed and resolved already, so I'll be closing this one up.

While I'm at it, I'd like to invite you to our new forum to preview how we're improving programming-related searches. There are a lot of important tasks up for grabs that we'd like your help with, so feel free to and jump in.

edgesince84 avatar Jul 13 '16 19:07 edgesince84

Hey @edgesince84 , sorry I don't mean to be trouble but what commit resolved this issue? I didn't see any code changes that would fix this.

The commit referenced above fixed the android implementation of the bug, as it was present on both platforms. Was this closure a mistake, or have I missed committed code that resolved this for iOS?

ryancastro avatar Jul 14 '16 21:07 ryancastro

Thanks for checking @ryancastro. It does indeed look like this has been fixed for Android but not iOS yet. @sreilly Please feel free to re-close if I've missed something.

tagawa avatar Jul 20 '16 01:07 tagawa

https://github.com/duckduckgo/ios/pull/168 should hopefully close the issue.

SudoPlz avatar Sep 16 '16 21:09 SudoPlz