Browzar – A False Sense of Security

When I first read about Browzar, I was impressed by the hype. After further investigation, I found the product to be easy to use…no installation required and with the simplest and most straightforward of interfaces. A perfect browser for most people…just so long as you don’t expect to actually protect your privacy. After downloading Browzar, I went to a couple of websites trying to exercise their browser in various areas like JavaScript compatibility, CSS support and so on. Browzar worked flawlessly but there was something bothering me. Up till this point, it had not occurred to me that they were just hosting the IE web browser ActiveX control. I guess I should have realized this fact from the size of the download. Once I realized they were just using Internet Explorer, I knew that it couldn’t possibly be as safe as they were claiming. So I started digging deeper…


Browzar claims that it doesn’t keep a browsing history, stored files or cookies, and that it avoids the auto-complete feature built into IE. It turns out that they were right about the stored files, cookies and auto-complete history.

But it does keep a browsing history. It seems that since they are using an embedded copy of IE, they can get around almost everything else, but the index.dat file created by the IE object and its libraries still exists and keeps a record of your entire browsing history. The FAQ on the Browzar site even acknowledges this fact, but adds the disclaimer that the index.dat file is a system file that under normal use cannot be seen or read and that only someone with a relatively sophisticated knowledge of computers could access this file. It turns out that there are freeware, shareware and even open-source utilities available that allow access to this file, the same sort of utilities that may be easily obtained by someone only slightly skilled at using Google.

Just to prove the point, instead of downloading one of these tools, I wanted to find the simplest mechanism possible to view the browsing history from the index.dat file just to see what it would take. It turns out that Sysinternals (now owned by Microsoft) provides a free utility that extracts strings from binary files. Note: this is essentially a Windows version of the *nix command-line tool of the same name. You can download “Strings” from the following location:

 http://www.microsoft.com/technet/sysinternals/utilities/Strings.mspx

After downloading Strings, I deleted my index.dat files (not all that easy by the way) and proceeded to run Strings on the freshly created index.dat both before and after a short browsing session with Browzar. Here are the results.

Before Browzar Session:
Strings v2.3
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

Client UrlCache MMF Ver 5.2
ODXP0UB5
ZCFT4EYX
S52JULZU
1XC9JDO3

Notice that other than a few hash directories for storing content, the index.dat file is completely empty.

After Browzar Session:
Strings v2.3
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

Client UrlCache MMF Ver 5.2
ODXP0UB5
ZCFT4EYX
S52JULZU
1XC9JDO3
HASH
REDR
ehttp://www.browzar.com/start?v=1201
LEAK
http://www.browzar.com/start/?v=1201
start[1].htm
HTTP/1.1 200 OK
Content-Length: 5370
Content-Type: text/html
Content-Location: http://www.browzar.com/start/index.html
ETag: "dec1a412f3c71:66d"
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
~U:root
LEAK
`Sta
http://abwaters.com/
abwaters[1].htm
HTTP/1.1 200 OK
X-Powered-By: PHP/4.4.4
X-Pingback: http://abwaters.com/xmlrpc.php
Status: 200 OK
Keep-Alive: timeout=10, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
~U:root
LEAK
http://pagead2.googlesyndication.com/pagead/ads?client=…

http://pagead2.googlesyndication.com/pagead/show_ads.js

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addtomyyahoo.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/img/side.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/google.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/bloglines_sm2.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addmymsn.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addmyfeedster.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/img/cats.png

http://abwaters.com/content/images/vista_screen2_th.jpg

http://pagead2.googlesyndication.com/pagead/ads?client=…

Note: The “after” session dump was edited for space and privacy reasons.

The “after browzar” session has an entry for every piece of content requested by the Browzar session. Sure looks like Browzar history to me.
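The before/after comparison above can be automated as a check on any browser that claims to leave no history. This is an added Python example, not code from the original post: it pulls printable strings out of a binary blob the way Strings does and reports URLs that appear only after the session. The byte buffers are constructed to mimic the Strings output shown above (they are not a real index.dat layout), and the function names are illustrative.

```python
import re

# Runs of four or more printable ASCII bytes, the same idea as the Strings utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Searched inside each string, so a stray leading byte ("ehttp://...") does not hide a URL.
URL = re.compile(r"https?://[^\s\"'<>]+")

def extract_strings(data):
    """Return every printable ASCII run found in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def url_traces(data):
    """Return URLs embedded in the blob, in order of appearance, de-duplicated."""
    seen, found = set(), []
    for text in extract_strings(data):
        for match in URL.finditer(text):
            if match.group() not in seen:
                seen.add(match.group())
                found.append(match.group())
    return found

def new_traces(before, after):
    """URLs present after the browsing session that were absent before it."""
    known = set(url_traces(before))
    return [u for u in url_traces(after) if u not in known]

# Constructed sample buffers (assumption: layout invented for this example).
HEADER = (b"Client UrlCache MMF Ver 5.2\x00" + b"\x00\x80\x00\x00"
          + b"ODXP0UB5\x00ZCFT4EYX\x00")
BEFORE = HEADER + b"\x00" * 32
AFTER = HEADER + (
    b"HASH\x00\x10\x00\x00"
    b"REDR\x01\x00\x00\x00ehttp://www.browzar.com/start?v=1201\x00"
    b"LEAK\x02\x00\x00\x00http://www.browzar.com/start/?v=1201\x00start[1].htm\x00"
    b"LEAK\x02\x00\x00\x00http://abwaters.com/\x00abwaters[1].htm\x00"
)

if __name__ == "__main__":
    leaked = new_traces(BEFORE, AFTER)
    print(f"{len(leaked)} URL(s) left behind by the session:")
    for url in leaked:
        print("  " + url)
```

To run it against real files, read the before and after copies of index.dat in binary mode and pass the bytes to `new_traces`; an empty result is what a browser that truly kept no history would produce.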

There are dozens of tools for getting at this same information and anyone wanting to get at this information badly enough will likely be able to access it regardless of technical ability. The fact is, it’s there!

Browzar’s main claim is that it erases your browsing history to protect your privacy, something that is obviously not true.

The other problem with Browzar’s claim of privacy protection is that it completely avoids the issue of external privacy violations of your browsing session. There is no use of tunneling, anonymizers, proxies or any other mechanism, which means that all your network traffic is exposed to any external sniffing, caching or logging. Since inexpensive home firewalls now routinely come with built-in logging features, this is not as unlikely as it may sound.

It seems that Browzar provides only the simplest protection against privacy violations which, based on the testimonials on their site, is most useful against your family members or friends who share your computer.

By the way, it turns out that both their business model and their privacy weakness were listed in their FAQ on their site. They make money from the searches that users initiate with the “Browzar Search” box in the toolbar and they point out that they don’t address the index.dat issue. If I had only read this a little closer, I could have saved myself a lot of time.

On their website they claim that a Mac and Linux version is coming soon. I suppose they will have to use the Mozilla source to build that. For example, a no-install version of Firefox bundled with Tor would be outstanding!

On the positive side, Browzar is very visually appealing! Now if they could only get that privacy thing addressed they might have something…


One response to “Browzar – A False Sense of Security”

  1. Some more information related to Browzar security (or lack thereof).

    http://www.ghacks.net/2006/09/02/browzer-not-so-good-after-all/
