Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox and Thunderbird creates CGLog files in /tmp on my Mac. It contains a lot of info related to keyboard and mouse (keys, scrolls, clicks!) I am concerned!

  • 20 replies
  • 10 have this problem
  • 9 views
  • Last reply by dveditz

more options

These files mostly contains following lines:

Firefox and Thunderbird creates CGLog files in /tmp on my Mac. It contains a lot of info related to keyboard and mouse (keys, scrolls, clicks!) I am concerned!

--- flushing event log at XXXX.XXXXXXXX --- 432138.5090574 (Firefox): CGSGetNextEventRecordInternal: XXXX.XXXXXX loc (-XXXX, XXXX) conn 0xXXXXX MouseMoved win 0xXXXX (click 1)

and the most scaring:

XXXX.XXXXX (Firefox): CGSGetNextEventRecordInternal: XXXX.XXXXX loc (xxx.xx, xxx.xx) conn 0xXXX KeyDown win 0x0 flags 0xa00100 set 252 char 63233; key 125 data -2303 special 0 repeat 0 keybd 44

Why it happens? Is it dangerous? How can I turn it off?

I saw that on the latest Firefox release for Mac and on Firefox ESR 31.2.0 for Mac I saw that on Thunderbird release for Mac 31.2.0

These files mostly contains following lines: Firefox and Thunderbird creates CGLog files in /tmp on my Mac. It contains a lot of info related to keyboard and mouse (keys, scrolls, clicks!) I am concerned! --- flushing event log at XXXX.XXXXXXXX --- 432138.5090574 (Firefox): CGSGetNextEventRecordInternal: XXXX.XXXXXX loc (-XXXX, XXXX) conn 0xXXXXX MouseMoved win 0xXXXX (click 1) and the most scaring: XXXX.XXXXX (Firefox): CGSGetNextEventRecordInternal: XXXX.XXXXX loc (xxx.xx, xxx.xx) conn 0xXXX KeyDown win 0x0 flags 0xa00100 set 252 char 63233; key 125 data -2303 special 0 repeat 0 keybd 44 Why it happens? Is it dangerous? How can I turn it off? I saw that on the latest Firefox release for Mac and on Firefox ESR 31.2.0 for Mac I saw that on Thunderbird release for Mac 31.2.0

All Replies (20)

more options

You can start with this;

Possible Mal-Ware Scan For Macs {web link}

more options

I checked my mac with Avira Antivirus - it found no threats. I performed Firefox Reset and started with vanilla new profile. I have only three add-ons active at the moment: lastpass, ghostery and abp.

Today I discovered again CGLog_Firefox and CGLog_Thunderbird in my mac's tmp folder

Modified by ssk1000

more options

I found this. Don't know if this is related.

http://cglog.sourceforge.net/ This project is hosted by SourceForge.net. The project team describes it as:


http://systemexplorer.net/file-database/file/cglog-dll. Our database contains 2 different files for filename cglog.dl


VIRUS ? ? ? ? ?

https://forums.malwarebytes.org/index.php?/topic/60793-please-help-remove-cglogsdat-xxxxxx-uuuuuu/ Please help me.. I can't seem to find a solution to this virus


http://www.trojaner-board.de/88414-malware-trace-cglogs-dat-uuu-uuu-xxx-xxx.html

ich hab Malware auf meine Laptop. (I have malware on my laptop.)

more options

I have called in the big guys. Please wait for them to answer.

more options

No reply so far :(

I recently noticed those /tmp/CGLog_Firefox_<pid> files on my Mac, too. I feel deeply concerned because they contain sensitive data.

I have now downgraded to FF 31.0 which seems (so far) the latest FF version that does not produce these files - at least it hasn't since I installed it 10 minutes ago, all more recent ones had by this time already created these files.

Please, can you give us feedback on this?

more options

I scanned my system with few different anti-viral scanners and found no malware.

I downgraded to Firefox ESR 31.2.0 but it still creates CGLog_Firefox_<pid> files in /tmp

And these files still contains key presses and clicks! Seems like I should try to upgrade to ESR 31.0, like mbert suggests and see what will happens there

UPDATE: Firefox ESR 31.0 also produce CGLog_Firefox_<pid> files. Now trying to check from absolutely fresh install, with no addons, extensions, etc

Modified by ssk1000

more options

I doubt this will do anything, but;

Use your file browser, and flag those files as Read Only. Maybe whatever is making these will send an error.

more options

That won't help, because for each new process a new file is created (the process ID is part of the file name).

This behaviour is a bug that has been fixed ( https://bugzilla.mozilla.org/show_bug.cgi?id=1092855 ), let's see when the fix makes it into production code.

EDIT: no it hasn't, see my comment below!

Modified by mbert

more options

I registered on Bugzilla, but they said that I am not authorized to access this bug. Could you please post, what is this issue about?

more options

I think the link above is broken (there's a closing bracket messing up things). Try this link: https://bugzilla.mozilla.org/show_bug.cgi?id=1092855 I think it should be public.

Having read over it again it seems like my original statement above (that the bug was already fixed) is incorrect. The bug has the following tracking flags:

tracking-firefox33: - status-firefox33: wontfix tracking-firefox34: + status-firefox34: verified tracking-firefox35: + status-firefox35: verified tracking-firefox36: + status-firefox36: verified status-firefox-esr31: fixed

That indicates that it does not occur on FF ESR 31, that it won't be fixed in FF 33 (current), and that no fixes are yet committed for upcoming releases.

The problem sessms to arise from the combination of yosemite and some libraries used. There is nothing malicious about it, but the fact of that file existing in your /tmp/ folder is nevertheless unacceptable and needs to be fixed.

I for myself will continue using FF 31 until the bug has been fixed in a forthcoming release.

more options

https://bugzilla.mozilla.org/show_bug.cgi?id=1092855 is showing Access Denied for me today.

more options

OK, so it seems the bug entry is indeed not public. Sorry, as I have access to it I expected everybody else to have. (maybe registering on the bugtracker will help)

But, really, it's not terribly interesting - it gives some technical background of interest to developers and the relevant infrormation is:

  • it's not by itself malicious
  • it can pose a risk to privacy if others gain access to your file system (e.g. through malware)
  • this effect can be observed with FF 32.0 and better in combination with OSX 10.10 (yosemite), other versions don't seem to be affected
  • it is not yet fixed for upcoming versions

I for myself have downgraded FF and will continue using my old version until the bug is fixed.

Modified by mbert

more options

A little update:

  • According to the developers this bug is actually not an FF bug but a bug in OSX
  • They are working on a workaround
  • No announcement yet on when it will be available.
more options

> No announcement yet on when it will be available.

In an earlier post you quoted "status-firefox34: verified". That means it will be fixed in Firefox 34. Rather than downgrade to an insecure version of Firefox you could upgrade to Beta Firefox 34. Most of the security bugs fixed in Firefox 33 could in theory be abused from a remote web page which is a far bigger risk than data logged to a file safely on your local machine.

more options

Good point. However when I tried FF 34 beta, the bug was still present. So it must have been fixed in the mean time. Thank you!

more options

The workaround was checked in at the end of last week. I think it made it into 34 beta 9 (Friday) and it's definitely in beta 10 released today.

more options

mbert, there is not one build of 34.0 Beta but several as the fix may not have been in the build you tried. On average there has been six to twelve Beta builds for a version with nine being the average in last while.

more options

I should remind, that the same bug is happening in Thunderbird.

I see CGLog_Firefox and CGLog_Thunderbird in /tmp

Yes, it might be a bug, related to Yosemite/Libs/Firefox Gecko I tested current Firefox 33 release, bug remains I tested Firefox 31, Firefox 31 ESR - same result

Modified by ssk1000

more options

Hi ssk1000, do you want to try the Beta version of Firefox, which will be Firefox 34 upon its release in a couple of weeks? You can install that from the following page. You do not need to uninstall Firefox 33 first.*

https://www.mozilla.org/firefox/beta/all/ (scroll down to your preferred language)

Once Firefox 34 is officially released, you can switch off the beta track by getting the Firefox 34 installer from the following page (currently it has Firefox 33):

https://www.mozilla.org/firefox/all/

* Sorry, that's a Windows user talking. You might need to trash something. How to download and install Firefox on Mac

Modified by jscher2000 - Support Volunteer

more options

Yes, we know this affects Firefox ESR31 and Thunderbird, and they will be updated with the fix at the same time Firefox 34 is released (in two weeks).