Analytics cookies being listed when logging into firewall with Chrome Browser.

JonathanLee · Feb 24, 2023, 2:27 PM

Is it normal to see waiting and a url to a 3rd party analytics cookie when logging into the firewall IP of pfSense?
I have noticed that non standard analytics urls are being waited on before I can log in sometimes. Is this of concern? I have attached a standard Google based analytics cookie that you see very often, this is used as an example. Again, the ones I have seen for the firewall ip address for GUI login are urls never seen before 3rd party, almost like some custom crafted HTTP headers are tracking and performing analytics when I am working on the Firewall's GUI. How can I disable 3rd party analytics just for the LAN ip address to the firewall? Is there a way to block analytics for your firewall's GUI?

Keep in mind this photo below is just an example of what I am trying to describe for the LAN ip address. Of course when I try to catch it it's no longer showing it anymore, so I used this photo to help with understanding.

This is of concern because it can act as a relay and send what we are doing as an admin outside of the network.

JonathanLee · Feb 24, 2023, 2:35 PM

@jonathanlee with 23.01 I have not seen this yet. Again, I will post a screenshot if and when I see it again. I thought I should share this just incase it is an issue for anyone else. Moreover, help bring visibility of the possibility of non-standard 3rd party analytics issues by way of performing analytics on the actual firewall when admins are logged into it.

stephenw10 · Feb 26, 2023, 2:33 PM

No I wouldn't expect to see anything like that on the firewall gui itself. Are you sure it wasn't something else still loading on another tab perhaps?

JonathanLee · Feb 26, 2023, 3:28 PM

@stephenw10 the only tab I had open was the firewall, that is why it confused me this was prior to the 23.01 update.

stephenw10 · Feb 26, 2023, 4:25 PM

Hmm, well I have no explanation for that. If you can replicate it in 23.01 we can look into it.

Dobby_ · Feb 26, 2023, 11:18 PM

@jonathanlee

Would it be bad to install more then one browser and
use only one for surfing, one for accounts (such banking)
only and one for all your network devices? Not sure if all
others will be not so let us say "paranoid" but this problem
went away from you in time then.

JonathanLee · Feb 26, 2023, 11:54 PM

@dobby_ I would be afraid that it could have a keylogger, and get the firewalls password. I have a cyber security degree, so I look at items a bit differently. 23.01 stopped it.

SteveITS · Feb 27, 2023, 1:15 AM

@dobby_ Firefox has a Multi-Account Containers addon that does that...each container gets its own cookies. Super useful when logging in to multiple Microsoft accounts, and isolating Facebook, banking, etc.

One related thing that's not at all obvious...in Chrome and Firefox all private/incognito windows are the same session, so not that private.

@JonathanLee Your screen cap is of this forum not a pfSense page but I'm guessing that was a separate example...? You can view the source code of the page and verify if anything is calling analytics.google.com.

Dobby_ · Feb 27, 2023, 1:18 AM

the only tab I had open was the firewall, that is why it
confused me this was prior to the 23.01 update.

Could it be, that you own a google account and you where logged in that over Chrome, during you where doing a visit here in the forum or your call of the admin web interface?

And from there the google analytics were "knowing" or watching what you are doing?

JonathanLee · Feb 27, 2023, 2:30 AM

@steveits yes that is only used as an example. The 3rd party analytics was tied into a CDN also I can't remember the full URL but Content Delivery Network (CDN) was included in it.

JonathanLee · Feb 27, 2023, 4:13 AM

@dobby_ I am not worried about Google Analytics as I live in California. We have a (California Consumer Privacy Act) CCPA law here with relationship to data privacy. You might not have the heavy level of privacy protections that California provides to its residents. Moreover, if you’re in another state/country there are different data sovereignty laws. I am worried about the possibility of a keylogger cookie and how to stop it. The Google analytics was an example. The cookies I started to see all the sudden that I noticed had .CDN in the URL with every GUI login. It was very subtle as the browser would wait for a connection to the URL’s cookie before I could log on and all tabs did the same thing. Yes, Google Chrome can log you into your account. But this was a 3rd party URL that was not related to Google. I had the idea that it could be a tracking analysis system because some items like doubleclick net and others are blocked. If that's the case a second browser would help or sandboxed environment like the ones inside of Windows 10-11 pro. Again, this is a home network. A larger scale system this type of logging attack could be used as part of information gathering and reconnaissance steps like Discovery, Discovery Scan, and Enumeration all just by watching any admins keystrokes when he logs in to the firewall's GUI and actively probe for any vulnerability. Moreover, I am sure you know some nation state actors will wait years testing and planning before they act on a plan. The idea is to always be one step ahead. Finally bringing up weird things that are out of norm like this help the cyber security community have a course of action for when such an issue occurs. Maybe it was a vulnerability being tested on a smaller scale system, someone that normally would not notice that way if it worked it could be used on a larger scale one later on. Who knows, I just want to bring light to what I have seen.

stephenw10 · Mar 6, 2023, 6:45 PM

Nothing like that is in pfSense AFAIK.

I agree, noting it here for anyone else searching is probably a good thing to do.

JonathanLee · Mar 6, 2023, 6:45 PM

@stephenw10

I caught it again!! as soon as I click log in I am getting 3rd party cookies that it waits for before I can log in.

Dobby_ · Mar 6, 2023, 6:55 PM

@jonathanlee

URLscan.io output
AlienVault output

viragomann · Mar 6, 2023, 7:10 PM

@jonathanlee
Disable all browser add-ons and try again.

BTW: If you attache importance on privacy Google Chrome might not be the best choice anyway.

JonathanLee · Mar 6, 2023, 7:35 PM

@viragomann We shouldn't have to deal with issues like this with new laws like CCPA, I think a couple months ago Google had to pay a large fine for privacy abuses. Yes I agree I started to use Edge for everything.

stephenw10 · Mar 7, 2023, 2:01 AM

Mmm, that's got to be some browser plugin I would think.

JonathanLee · Mar 7, 2023, 2:06 AM

@stephenw10 the only plug in I have is Kaspersky antivirus. Again, I have had that AV for years and never noticed activity like this with the firewall. This type of analysts activity might not be spotted by many other users. I wonder what is its relationship to the firewall, and why IBM? Last one I noticed was a 3rd party version and not a Big tech version like this. IBM web analytics is not something I normally see, plus for it to attach itself onto PfSense and the firewall does cause some development concerns from a lifecycle perspective, I wonder how they pulled it off. As soon as cookies are cleaned it's gone. Google Analytics I have never seen on it. I have seen cloudflare analytics also.

Dobby_ · Mar 7, 2023, 5:12 AM

@jonathanlee

As soon as cookies are cleaned it's gone.

I would say you could install some privacy addons
and say absolute no to cookies! And you only keep
your cookies from your switches and routers or firewalls
and use only that one (browser) for your internal tech equipment.

Google Analytics I have never seen on it. I have seen
cloudflare analytics also.

pfBlocker-NG and/or Squid & SquidGuard may be sorted
with some add blocker lists.