220

The website dropmail.me is able to successfully reidentify me (and offer my last used temp mail addresses via. "Restore access") despite doing the following:

  • Delete all my browsers history which includes cache, cookies, website settings, download history, search history, browser history and active logins. Basically everything that can be deleted through the Firefox menu. I'm using Firefox 52 ESR.
  • Use a VPN (that according to their claims is safe against IPv6 and DNS leaking) that I have not used when I previously visited this website.
  • Using uBlock Origin and uMatrix

Additional information:

  • My "identity" must somehow be bound to my current browser profile. When I use a different browser or a new browser profile, the website doesn't reidentify me as the same person. Actually, it is sufficient to use the Firefox addon Priv8 and create a new sandbox to be identified as a different person. This might indicate that there is some kind of storage for websites that can't be accessed or deleted though Firefox. (It's not Flash cookies, the website doesn't use Flash!)
  • (Update) Other browsers are not affected. Microsoft Edge, after deleting browser history, doesn't allow reidentification. This is a Firefox-only issue!

My questions are:

  • How on earth are they able to reidentify me? Since their only motivation to reidentify me is to offer access to previously used mail addresses, I don't think they use any "dark" techniques like fingerprinting, but of course it can't be ruled out.
  • How can I protect from this kind of "super-tracking" used by this website?
manuel
  • 2,018

3 Answers3

251

The website is using IndexedDB, for which MDN writes:

IndexedDB is a way for you to persistently store data inside a user's browser. Because it lets you create web applications with rich query abilities regardless of network availability, your applications can work both online and offline.

Not clearing it sounds like a bug in Firefox indeed, but apparently the developers feel otherwise. Like in March 2015, someone wrote:

But even when you delete all your history information the data from IndexedDB persist.

The right way to delete this data is by going to about:permissions address, look for the domain and pressing the Forget About This Site button.

While about:permissions does not work in my Firefox 55, going into Tools, Page Info, Permissions I get the button "Clear Storage":

Page Info dialog

Even worse, neither the greyed-out "Use Default: Always Ask" in the above screen capture, nor enabling "Tell you when a website asks to store data for offline use" in settings, Advanced, Network, have any effect to avoid storage:

Advanced settings

It seems the following from August 2011 may still apply (where "[only]" is added by me):

By default in Firefox 4, a site can use up to 50MB of IndexedDB storage. [Only] If it tries to use more than 50MB, Firefox will ask the user for permission [...]

In Firefox for mobile devices (Google Android and Nokia Maemo), Firefox will [only] ask for permission if a site tries to use more than 5MB [...]

To disable it altogether, go to about:config and disable dom.indexedDB.enabled. However, beware that such might affect plugins/add-ons as well, which seems to be why some want to remove that option, for which someone noted in May 2016:

Until IndexedDB is handled in the same way as cookies with respect to accepting/clearing and third-party behavior, this pref should exist.

(One may find dom.storage.enabled interesting too...)

Arjan
  • 31,511
57

As noted by Arjan it's unfortunately easy to leave site-data installed currently. This is improving somewhat with the preference UX redesign in FF57.

For example, under "Privacy and Security" there is now a "Site Data" section:

Redesigned Privacy & Security menu in Firefox 57

Clicking the site data "settings" will allow you to remove site-data for a specific origin:

Settings - Site Data

This will remove data stored in IDB, Cache API, etc. It will also remove cookies for the origin:

Removing site data for a specific site

(Sorry for not making this a comment under Arjan's answer, but I wanted to include these screenshots.)

Disclaimer: I am a Mozilla employee

Stevoisiak
  • 16,075
Ben Kelly
  • 679
5

Edit: Please read the comment by Ben Kelly before messing with any files in your profile.

Since there is no solution inside Firefox, one can easily implement a temporary fix for this outside of Firefox. IndexedDB files are stored in the directory <profile>/storage/default. By emptying this folder (for example though a scheduled script) you can recover full control over your data and how long it persists. Since each website is stored in a separate folder, you could even implement a whitelist/blacklist or basically every policy you want, given you have some programming experience.

It's not a nice solution and no excuse for Firefox developers to continue to postpone a proper solution for this. (Bugreports exist for years now!)

And be aware that the data format and location might change over time. For example, in a previous version, all IndexedDB data was stored in a single SQL file.

manuel
  • 2,018