Danger: Any Program Can Delete All Your Files


Any program you ever run on your PC can delete ALL your files. Any application, any game, any plugin, any mod, any script, any terminal command, anything you ever run can do a lot of damage to your data. We're talking about programs you run normally, by the way, without needing an administrator password.

Why This Happens

When designing an operating system, at one point you need to create something called a permission model or security model, and these models are generally terrible for normal people.

Every program that is run will run under the absolute control of the operating system. The OS dictates what programs can and can't do, and when they can do it. That's because the OS controls what the CPU will execute, and what data the RAM will store. Without the CPU and the RAM, no program can be run at all, so the OS is the ultimate gatekeeper of what is allowed to happen in your computer.

The way modern OSes like Windows and Linux are designed is that programs run by a normal user don't have permission to modify system files. This means a random program you double-click on can't just change the files inside C:\Windows. It can't install other programs. It can't do things that could damage the operating system itself. To do these things, it must gain elevated privileges, which you can grant the program.

When this is necessary, the program asks the OS for elevated privileges, then the OS asks you for your administrator password, and if you can authenticate yourself as administrator, the OS lets the program do what it wants to do.

Similarly, a program run by a normal user can't modify files that are owned by other users. If you have a family PC owned by your father that you and your sister use, you can't just modify your sister's files, nor can she modify yours. The OS won't even let you see their files.

However, this is all the security model does.

When a program that you run wants to change YOUR OWN files, the OS will just let it. This means that any program you run can just delete everything inside your home folders: My Documents, My Pictures, My Downloads, My Music, My Videos, etc. Because those files are owned by YOU, and YOU ran the program, the program can just do anything it wants with them.
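The three cases above (system files, another user's files, your own files) all come out of one permission check. The following is an added example, not code from the article: a toy model of the Unix owner/group/other check, run against a constructed file table, that shows why a process running as you is refused on /etc/passwd and on your sister's diary but allowed to write everything under your own home. The uids, paths and modes are made up; parent-directory permissions, ACLs, capabilities and systems like SELinux are not modelled, and Windows uses ACLs rather than these bits, though the outcome for the three cases is the same.

```python
"""Toy model of the Unix discretionary permission check: who may read or write a file.

Added example (not from the original article). The file table below is constructed;
parent-directory search permission, ACLs, capabilities and MAC systems such as
SELinux/AppArmor are deliberately not modelled.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    owner_uid: int
    owner_gid: int
    mode: int          # permission bits as shown by `ls -l`, e.g. 0o644


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset    # primary + supplementary groups


def _class_bits(entry, proc):
    """Return (read, write) for the single permission class that applies to proc.

    Unix picks exactly one class (owner, else group, else other); it does not
    take the union, so a 0o600 file owned by someone else is unreadable even
    if other files in the same directory are world-readable.
    """
    if proc.uid == entry.owner_uid:
        return bool(entry.mode & stat.S_IRUSR), bool(entry.mode & stat.S_IWUSR)
    if entry.owner_gid in proc.gids:
        return bool(entry.mode & stat.S_IRGRP), bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IROTH), bool(entry.mode & stat.S_IWOTH)


def can_read(entry, proc):
    return proc.uid == 0 or _class_bits(entry, proc)[0]   # root bypasses these bits


def can_write(entry, proc):
    return proc.uid == 0 or _class_bits(entry, proc)[1]


# Constructed sample file table: uid 0 = root, 1000 = "me", 1001 = "sister"
SAMPLE_FILES = [
    FileEntry("/etc/passwd",                    0,    0,    0o644),
    FileEntry("/usr/bin/ls",                    0,    0,    0o755),
    FileEntry("/home/me/Documents/thesis.docx", 1000, 1000, 0o644),
    FileEntry("/home/me/Pictures/cat.jpg",      1000, 1000, 0o644),
    FileEntry("/home/sister/diary.txt",         1001, 1001, 0o600),
]

ME = Process(uid=1000, gids=frozenset({1000}))      # an ordinary logged-in user
ROOT = Process(uid=0, gids=frozenset({0}))          # what "elevated privileges" means here


def audit(files, proc):
    """Map each path to (readable, writable) as the OS would decide for proc."""
    return {f.path: (can_read(f, proc), can_write(f, proc)) for f in files}


def writable_paths(files, proc):
    """Everything a program started by proc could overwrite or empty out."""
    return sorted(p for p, (_, w) in audit(files, proc).items() if w)


if __name__ == "__main__":
    for path, (r, w) in audit(SAMPLE_FILES, ME).items():
        print(f"{path:40} read={str(r):5} write={w}")
```

Running it as the constructed user prints read-only for the two system files, no access at all to the sister's diary, and read+write for both files under /home/me, which is exactly the set a rogue program would be free to destroy.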

More Technically

When you delete a file via a file manager, you're asked with a dialog box whether or not you want to delete it. If you confirm, normally the file is sent to the Trash on your desktop, where it can be recovered, "un-deleted," later, for a while. All of this happens because of how the file manager was programmed. It is part of the file manager's program specifically, not part of the OS.

A program can show you a dialog box to confirm, and not send the file to trash, but just delete it permanently.

A program can send a file to the trash without showing a dialog.

A program can delete a file permanently without saying anything.

Programs do this all the time. They do it with temporary files and configuration files, which are files you don't care about. But they could also do it with your personal files if they were programmed to do so. There is nothing in the operating system that prevents them from just deleting all your files.

A program can even delete a file without actually deleting the file. For example, if you create a new plain text file (.txt) and save it without writing anything, its file size should be exactly zero bytes. That's a valid file. This means we don't have to delete a file to delete all the data within the file. A program can take your photos, which are .jpg files, and just overwrite them to contain zero bytes of data instead of whatever they contained originally. This effectively deletes all your data without technically deleting all your files.

For reasons like this, if a permission model were to restrict programs' access to your files, it would have to restrict their ability to modify files as well, since modifying data can be used to destroy it.

In order for a program to modify or delete a file, all it needs is its filepath, like C:\photo.jpg. Programs normally have file dialogs that ask you to select a file or choose a location where to save a file, but what those file dialogs really do is just tell the program a filepath. The program then takes this filepath and hands it to the operating system, telling it that the program wants to save some data at that filepath, or read data from it. The program doesn't even know whether a file exists at that filepath when it does these actions. Checking whether a file exists is a separate action the program would have to take.

Similarly, when you drag and drop a file into an application, or double click to open it, all the application gets is a filepath.
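What "saving to a filepath" looks like from the program's side, as an added example that is not code from the article: the usual open-for-writing call empties whatever was already at the path before the first new byte lands, while the exclusive-create flag asks the OS to create the file only if nothing is there, in a single step, so there is no separate "does it exist?" check that could be wrong or out of date. The file names are constructed and everything happens in a temporary directory.

```python
"""Saving to a path the program was merely told about: overwrite vs. exclusive create.

Added example, not from the article. File names are constructed and live in a
temporary directory, so the script is harmless to run.
"""
import os
import tempfile


def save_overwriting(path, data):
    """What most 'Save' code does: open for writing. If a file is already there,
    the OS truncates it to zero bytes before a single new byte is written."""
    with open(path, "wb") as f:
        f.write(data)


def save_exclusive(path, data):
    """Create the file only if it does not exist yet (O_CREAT|O_EXCL under the hood).

    Returns True on success, False if something was already at that path. The
    existence check and the create are one atomic OS operation, so there is no
    window between 'check' and 'write' in which the answer can change.
    """
    try:
        with open(path, "xb") as f:
            f.write(data)
        return True
    except FileExistsError:
        return False


def demo():
    """Returns (size after overwrite, whether exclusive save refused, size after refusal)."""
    with tempfile.TemporaryDirectory() as d:
        photo = os.path.join(d, "holiday.jpg")          # constructed name
        original = b"\xff\xd8\xff" + b"\x00" * 1000     # fake JPEG header + payload
        with open(photo, "wb") as f:
            f.write(original)

        # A program handed this path by a file dialog and told to "save" here
        # silently empties the photo, which is the zero-byte case described above.
        save_overwriting(photo, b"")
        size_after_overwrite = os.path.getsize(photo)

        # Put the photo back and try again with the exclusive-create flag.
        with open(photo, "wb") as f:
            f.write(original)
        refused = not save_exclusive(photo, b"")
        size_after_refusal = os.path.getsize(photo)
        return size_after_overwrite, refused, size_after_refusal


if __name__ == "__main__":
    print(demo())
```

The refusal is the behaviour a careful program wants for "Save As" on a path it did not create itself; the program then has to ask the user explicitly before switching to the overwriting call.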

Motivations

Why would a program delete all your files? There are two probable reasons.

The first one is that the person who created the program is just malicious. In the past, hackers often created malware that just wrecked people's computers and that was it. There was no financial benefit. It wasn't ransomware. They just wrecked people's computers. Senseless digital violence.

The second one is that the person who created the program made a mistake. Programmers are human, and humans make mistakes sometimes, and sometimes mistakes delete all your files. Any piece of code that deletes a file is one mistake away from deleting the wrong file. If a piece of code RECURSIVELY deletes all files in a folder, that is one mistake away from deleting ALL your files.

Nobody is safe from humanity. Notably, Steam had a bug where it just deleted all the files of a user on Linux. It required an unusual configuration for this to happen, but it can totally happen because someone had an rm -rf (remove all files recursively and forcefully) in their code.

I launched steam. It did not launch, it offered to let me browse, and still could not find it when I pointed to the new location. Steam crashed. I restarted it.

It re-installed itself and everything looked great. Until I looked and saw that steam had apparently deleted everything owned by my user recursively from the root directory. Including my 3tb external drive I back everything up to that was mounted under /media.

Everything important, for the most part, was in the cloud. It is a huge hassle, but it is not a disaster. If there is the chance that moving your steam folder can result in recursively deleting everything in the directory tree you should probably just throw up an error instead of trying to point to other stuff. Or you know, allow the user to pick an install directory initially like on windows.

[...]

rm -rf "$STEAMROOT/"* could be evaluated as rm -rf "/"* if $STEAMROOT is empty

Moved ~/.local/share/steam. Ran steam. It deleted everything on system owned by user. [https://github.com/valvesoftware/steam-for-linux/issues/3671] (accessed 2024-10-13)
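The line quoted from the issue is the whole bug: with STEAMROOT empty, "$STEAMROOT/"* expands to /* and the shell hands every top-level directory to rm -rf. The following is an added example, not code from the article or from Valve; it reproduces the same failure in a Python cleanup routine built on a glob (root + "/*" becomes "/*" for an empty root) and shows the guard a recursive delete should sit behind: refuse an empty root, refuse the filesystem root and the home directory, and require the path to be an existing directory. The install layout is constructed inside a temporary directory.

```python
"""The "$STEAMROOT/"* bug class, reproduced and guarded in Python.

Added example, not from the article or from Valve's code. The quoted shell line
turns rm -rf "$STEAMROOT/"* into rm -rf /* when STEAMROOT is empty; the glob
below fails the same way, and cleanup_targets() is the guard that belongs in
front of any recursive delete.
"""
import glob
import os
import shutil
import tempfile


def unsafe_pattern(root):
    """The string the buggy code would hand to the glob: for root == "" it is "/*"."""
    return root + "/*"


def cleanup_targets(root):
    """Validate root first and raise instead of guessing; return the entries to remove."""
    if not root:
        raise ValueError("install root is empty; refusing to build a delete pattern")
    root = os.path.realpath(root)
    forbidden = {os.path.abspath(os.sep), os.path.realpath(os.path.expanduser("~"))}
    if root in forbidden:
        raise ValueError(f"refusing to recursively delete {root}")
    if not os.path.isdir(root):
        raise ValueError(f"{root} is not a directory")
    # glob.escape keeps a root containing '*' or '?' from widening the match
    return glob.glob(os.path.join(glob.escape(root), "*"))


def safe_cleanup(root):
    """Remove everything under a validated root; returns how many entries were removed."""
    targets = cleanup_targets(root)
    for p in targets:
        if os.path.isdir(p) and not os.path.islink(p):
            shutil.rmtree(p)
        else:
            os.remove(p)           # files and symlinks, never following the link
    return len(targets)


def demo():
    """Returns (entries removed from a constructed install dir, leftovers, empty-root refused)."""
    with tempfile.TemporaryDirectory() as d:
        install = os.path.join(d, "steam")              # constructed install root
        os.makedirs(os.path.join(install, "steamapps"))
        open(os.path.join(install, "steam.sh"), "w").close()
        removed = safe_cleanup(install)
        leftover = os.listdir(install)
        try:
            cleanup_targets("")                          # the STEAMROOT-is-empty case
            empty_refused = False
        except ValueError:
            empty_refused = True
        return removed, leftover, empty_refused


if __name__ == "__main__":
    print("pattern for empty root:", unsafe_pattern(""))
    print(demo())
```

The shell has an equivalent guard, "${STEAMROOT:?STEAMROOT is unset}", which aborts the script instead of expanding to nothing; the explicit checks here go one step further by also rejecting a root that happens to be set to / or to the home directory.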

Solutions

Backups

The only real way to protect your data given how terrible these permission models are is to back up your data. Backups are the best solution to data loss risks. If you lose data, just get the data back from the backup.

I assume the reason why Windows offers OneDrive now as a way to easily back up your data to the "cloud" is to avoid this sort of risk specifically, especially considering the rise of ransomware these days. However, I do recommend keeping local backups if you can.

Backups are not perfect. Test your backups to make sure you can restore things. Be aware that hard disks and SSDs age. They have a limited life span; they are not eternal. They last around 5 years on average, so that's another thing to consider.
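One concrete way to "test your backups", and at the same time to catch the earlier case of a file that still exists but has been emptied to zero bytes: record the size and SHA-256 of every file when the backup is made, and later verify the backup (or a restored copy) against that manifest. This is an added example, not code from the article or from any backup product; the three sample files are constructed in temporary directories and then deliberately damaged to show the three kinds of report.

```python
"""Verify a backup (or a restore) against a manifest of sizes and SHA-256 digests.

Added example, not from the article. It reports files that went missing, files
whose content changed, and, separately, files truncated to zero bytes, which is
the 'delete the data but keep the file' case. Sample files are constructed.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> (size, sha256) for every regular file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), file_digest(full))
    return manifest


def verify(manifest, root):
    """Compare the tree under root against a manifest; returns lists of problems."""
    problems = {"missing": [], "truncated": [], "changed": []}
    for rel, (size, digest) in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            problems["missing"].append(rel)
        elif size > 0 and os.path.getsize(full) == 0:
            problems["truncated"].append(rel)     # record kept, data gone
        elif file_digest(full) != digest:
            problems["changed"].append(rel)
    return problems


def demo():
    """Returns (report for an intact copy, report after the copy is damaged)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        files = {                                  # constructed sample data
            "Pictures/cat.jpg": b"\xff\xd8\xff" + b"c" * 500,
            "Documents/notes.txt": b"remember to test the backup\n",
            "Music/song.mp3": b"ID3" + b"m" * 900,
        }
        for rel, data in files.items():
            for root in (src, dst):                # dst is the "backup copy"
                p = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(p), exist_ok=True)
                with open(p, "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)
        clean = verify(manifest, dst)
        # Simulate damage to the backup copy: emptied, removed, and silently altered.
        open(os.path.join(dst, "Pictures", "cat.jpg"), "wb").close()
        os.remove(os.path.join(dst, "Music", "song.mp3"))
        with open(os.path.join(dst, "Documents", "notes.txt"), "ab") as f:
            f.write(b"tampered\n")
        damaged = verify(manifest, dst)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Store the manifest somewhere other than the disk it describes; a manifest that is deleted along with the files it covers tells you nothing.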

Avoid relying on backup software if you can't be certain that the software will still work 5 or 10 years later. I'm sure there are programs that used to work on Windows 7 but don't work on Windows 11, for example. In fact, if you need to download the program, and you can't find it anymore because the project is abandoned or it closed shop, then you'll have a lot of trouble.

It's also very risky to encrypt your backups. If you lose the key you need to decrypt it, you render the backup useless.

Sandboxing File Access

On Linux, there is a way to limit file access of applications through flatpaks. This is a nice security feature that is also extremely inconvenient and makes everyone hate flatpaks. It requires a program called flatseal to configure it, without which flatpaks often just won't work at all because applications don't have access to anything.

Sandboxing solutions aren't perfect either. A malicious hacker can figure out a way to break out of the sandbox and compromise the system. Specialists work on techniques to prevent this, and there are bug bounties for this kind of security bug that are worth a lot of money. The idea is that if you can get thousands of dollars for reporting the bug, that's less risky than trying to commit crimes by exploiting said bugs.

Limited APIs and Browser Extensions

In the case of mods, plugins, browser extensions, and other programs that run within a program, it's worth noting that not all of them have easy access to your files.

When you access a webpage, it often contains something called JavaScript. A JavaScript program is still a program, but from inside a web browser it can't delete files.

That's because the only program that can really delete a file is the operating system. In order for an application to delete a file, it must communicate with the operating system. If it can't communicate with the OS, it can't do anything that only the OS can do.

In a web browser, such as Chrome, Firefox, Edge, Vivaldi, etc., the BROWSER communicates with the OS, but the JavaScript only communicates with the browser.

Anything that the browser doesn't want the JavaScript to do, it can't do, and browsers don't let webpages just read all your personal files, so they can't do that.

When you upload an image file with a browser, for example, and there's a small preview of the image inside the webpage, that's the JavaScript program running. What's happening in this case is that the browser takes the file from the OS and passes it to the JavaScript. The website never has direct access to your files. Access is vetted by the browser.

This means that web applications, applications that are constructed as webpages, are the safest applications for PC, because their powers are limited by what the browser allows, and browsers are designed to not allow webpages to do all sorts of things in order to combat the many, many, many abuses we've seen on the Internet by malicious websites.

Certain applications that allow plugins, mods, themes, etc., to be installed may use similar techniques to restrict what the third-party program can do. However, that is not always the case. Sometimes, the plugin is just a normal program that can do anything its host application can do. In other words, its powers are not limited; it can do anything, and can run arbitrary code.

"Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products," KDE cautioned.

[...]

After it was installed, the theme deleted all personal data from mounted drives using 'rm -rf', a very dangerous UNIX command that forcefully and recursively deletes a directory's contents (including files and other folders) without any warnings and prompting for confirmation.

KDE advises extreme caution after theme wipes Linux user's files [https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/] (accessed 2024-10-13)

Extensions you install in your browser are also limited by your browser's veto, but in a different, more permissive way than webpages.

Some extensions can access your files, but for that you need to grant them explicit permission.

Permissions for extensions are unfortunately very vague. For example, if you want to make the color of text on a website red, all you need is three lines of CSS code, which is far more limited than JavaScript. However, the way the permission system works is that an extension that does this will require permission to "read and change all data" on a given website. If it makes all the text red on ALL websites, it needs permission to all data on ALL websites.

This permission would also allow it to do other things, like sending requests to the Internet, which is kind of ridiculous. I want an extension to make the text red, and the browser makes me give it power to send everything I type in a webpage to the Internet. They could collect all my data, including private messages that appear in a webpage in a social media website, the text of my e-mails if I access my e-mail through a website.

1. Send a list of all the websites I visit to the maker?

Yes

2. Capture data I input into forms? (like my personal data, passwords, etc.)

Yes

3. See how long I have been on a website, and which pages I have visited?

Yes

4. Access cookies?

[...] I would add that it is likely that the extension could manually call, for example your Gmail page and get all your emails, even if you do not have Gmail open during the time the extension is opened. You need only to be logged in and it can call those pages. [...]

5. Access other files on my computer? (I guess not, given the Sandbox environment, but I'm still wondering)

No – like you say the sandbox will prevent that.

Worst case scenario, what can a Chrome extension do with "Your data on all websites" and "Your tabs and browsing activity"? [https://security.stackexchange.com/questions/15259/worst-case-scenario-what-can-a-chrome-extension-do-with-your-data-on-all-websi] (accessed 2024-10-13)

As for the motivation for this: browser extension developers are routinely contacted by companies that want to help them monetize their extensions. One such method of monetization is just selling user data. Even an extension that was clean at the start can become spyware if the developer takes on the offer.

Over the years, I have received many proposals to monetize this extension so I think I'll just start posting them here for fun (but not for profit). The main reason I continue to maintain this extension is because I can hardly trust others to not fall for one of these offers. I'm fortunate to have a job that pays well enough to allow me to keep my moral compass and ignore all of these propositions. I realize that not everyone has the same financial security so hopefully this thread would shed some light on what kind of pressure is put on extension developers.

[Proceeds to write an very, very long list with 151 messages from 2015 to 2024 received from various companies]

Temptations of an open-source browser extension developer [https://github.com/extesy/hoverzoom/discussions/670] (accessed 2024-10-13)

The quote above comes from the extension Hover Zoom+, an open source extension created because the original Hover Zoom was overrun with malware.

This is an open-source version of the original HoverZoom extension, which is now overrun by malware and deleted from the store. In this version all spyware has been removed, many bugs were fixed and new features were added. It doesn't collect any statistics whatsoever. The only permission it needs is to access data on all websites (to extract full images), and optional permissions to access browser history, download/save images, or get tab URLs for per-site configuration.

https://github.com/extesy/hoverzoom (accessed 2024-10-13)

Jadali suspected that the links were collected by one or more extensions installed on the browsers of people viewing the specialized URLs. He forensically tested more than 200 different extensions, including one called "Hover Zoom"—and found several that uploaded a user's browsing behavior to developer-designated servers.

My browser, the spy: How extensions slurped up browsing histories from 4M users [https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/] (accessed 2024-10-13)

It's worth noting that just because software is open source, that doesn't mean it's safe. Open source doesn't mean people have actually read the code, nor does it necessarily mean that the program you run was actually built from the source code that's published. Even Hover Zoom+ could just have some source code on Github for people to see that gets modified before being published to the browser extension store.

Running Programs as Different User

One measure you can take is to create a separate user in your operating system to run programs that you're wary of. This will prevent certain accidents, but it's also very inconvenient. It might make sense if you have many important files that most of your programs don't really need to touch.

Note: I've had a ridiculous amount of trouble trying to make this work on Linux Mint.

In a web browser, it's more convenient. On Chrome and Vivaldi you can just create a second profile in the browser, so you could use one profile for things that are sensitive or confidential that doesn't have any extensions installed, and another profile for browsing social media with all sorts of extensions installed, because it's data you won't care if it gets stolen.

Note: nowadays we have a new risk, the use of cryptominers: programs that mine cryptocurrencies using your electricity and send the money to the attacker. A JavaScript program is a program and therefore can implement a cryptominer, so that's another thing to worry about!

Trust and Reputation

The reason why people just run any program they can find without thinking about the powers those programs will have in their computers is because we trust people.

In a high-trust society, we place trust in others implicitly. We trust that all of these people are just good people who can program, and not terrible people trying to delete all our files with their maliciously crafted programs.

A great social check we have is reputation. A reputable developer won't risk their reputation writing malicious software. However, reputation isn't a simple number like in a video-game. Reputation means you have a name, people know you, people know what you do, that reputation is beneficial to you, so you would rather not lose it.

When you find a program or an extension somewhere, note that you can easily find its number of downloads, or reviews, or something of the sort, but that number doesn't really mean anything. Anything can go viral these days, and it's very easy to buy numbers.

You could publish an extension that does something very simple and popular, and spend a thousand dollars in Internet ads to get thousands of people to download it, creating a fake sense of reputation. Then include in its code something malicious.

Let's think of some attributes that can help identify reputable software sources:

1: a real business model. Software made by companies that are selling stuff. If they make money with things and offer free programs, it's less likely that the free stuff is just a way to steal from you or harm you. This of course only applies if they receive money through normal means, like credit cards, which leave a paper trail. If they ask for money in crypto, which is basically founded on the idea of creating a trustless system, it's not really as trustworthy.

2: having a real name, face, and address. Although this can be a privacy problem, and sometimes even gets called doxxing, the fact is that anonymous sources are less trustworthy than non-anonymous ones. If you see a person in a Youtube video, that's more trustworthy than a faceless username. If it's a company that has a physical address, then you could actually go there and complain if they delete all your files.

3: having a history. If a source is anonymous, it may still be trustable if it's been in a scene for a long time without harming anybody. For example, a modder who published one mod for a popular game is a risky source of software. A modder who has published dozens of mods over the years is someone more trustable even if you have no idea who they are. That's because you can tell their motivations: they're making mods; they're (probably) not making malicious programs that look like mods.

Trust doesn't mean safe, it means safer. Trustworthy sources can still make mistakes and they can still become malicious.

Even if you took all the precautions, there is nothing in the operating system that prevents a program from just deleting all your files, so there's always a risk. If there is something you can't afford to lose, start making backups of it.

Undeleting Files

It's sometimes possible to undelete a file after it has been deleted.

A file in a computer is made of two parts. There is a record that the file exists in the hard disk or SSD, and the actual bits of the file in that disk. The record tells us where those bits are.

When we delete a file "permanently," what typically happens is that we just delete the record; we don't actually change the bits. So we forget where the file is. Because we don't remember there is a file there anymore, we can use its space to store the bits of another file. When we do this, the data gets overwritten.

However, if the data isn't overwritten, it's possible to recover the original file, intact, if we can somehow figure out where it starts and where it ends. This isn't straightforward nor is it reliable, but it's technically possible, and you can even find software that tries to do this for you.

In general, this is more likely to succeed if the disk has a lot of free space, which reduces the likelihood that files created after the deletion end up occupying its space and overwriting its bits. The likelihood is also higher if we try to recover the deleted files as soon as possible, which leaves less time for new files to get the chance to overwrite its bits.

If you ever delete something by accident that you must absolutely recover, it's a good idea to shut down the computer immediately to avoid creating new files that can overwrite the deleted file bits, and then try to figure out ways to recover the files using a different computer.
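A toy disk makes the record/bits distinction concrete. This is an added example, not code from the article or from any recovery tool: a disk is a fixed array of blocks, a table (the "record") maps names to block numbers, deleting only removes the record, and recovery scans the free blocks for a known file signature (here the JPEG start marker FF D8 FF and end marker FF D9), which is the simplest form of what recovery software calls file carving. Writing one new file afterwards reuses the lowest free blocks and destroys the header, which is why shutting down quickly matters. Everything is constructed; no real disk is touched.

```python
"""Toy disk that shows why a 'permanently' deleted file can often be carved back.

Added example, not from the article. The allocator, the file table and the JPEG
sample are all constructed; real filesystems differ in detail but not in the
point that deleting the record leaves the bytes in place.
"""

BLOCK = 64  # bytes per block


class ToyDisk:
    def __init__(self, blocks):
        self.data = [bytes(BLOCK) for _ in range(blocks)]
        self.free = list(range(blocks))   # allocator hands out the lowest free block first
        self.table = {}                   # the "record": name -> list of block numbers

    def write(self, name, payload):
        n = -(-len(payload) // BLOCK)     # ceiling division: blocks needed
        if n > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(n)]
        for i, b in enumerate(blocks):
            chunk = payload[i * BLOCK:(i + 1) * BLOCK]
            self.data[b] = chunk + bytes(BLOCK - len(chunk))   # pad the last block
        self.table[name] = blocks

    def delete(self, name):
        """'Permanent' delete: forget the record and free the blocks; the bytes stay."""
        self.free.extend(self.table.pop(name))
        self.free.sort()

    def carve_jpeg(self):
        """Scan free space for FF D8 FF ... FF D9; return the recovered bytes or None.

        Free blocks are concatenated in order, which is enough here because the
        allocator placed the file contiguously. Fragmented files are the hard case
        the article alludes to: the start is found but the end is somewhere else.
        """
        raw = b"".join(self.data[b] for b in self.free)
        start = raw.find(b"\xff\xd8\xff")
        if start < 0:
            return None
        end = raw.find(b"\xff\xd9", start)
        if end < 0:
            return None
        return raw[start:end + 2]


def demo():
    """Returns (carve while file is live, recovered intact after delete?, carve after overwrite)."""
    disk = ToyDisk(16)
    photo = b"\xff\xd8\xff\xe0" + b"p" * 194 + b"\xff\xd9"   # constructed 200-byte "JPEG"
    disk.write("cat.jpg", photo)
    before = disk.carve_jpeg()              # live file: nothing in free space yet
    disk.delete("cat.jpg")
    after_delete = disk.carve_jpeg() == photo
    disk.write("notes.txt", b"n" * 100)     # reuses blocks 0 and 1, wiping the header
    after_overwrite = disk.carve_jpeg()
    return before, after_delete, after_overwrite


if __name__ == "__main__":
    print(demo())
```

The middle result is the whole reason undelete tools exist; the last one is why the advice above is to stop writing to the disk immediately.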
