Slashdot Log In
Flash Cookies, a Little-Known Privacy Threat
Posted by
kdawson
on Tue Oct 14, 2008 01:43 PM
from the flashblock-considered-mandatory dept.
from the flashblock-considered-mandatory dept.
Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
Related Stories
[+]
Adobe Flash Cookies Raising Privacy Questions Again 103 comments
Nearly a year after we discussed the privacy implications of Flash cookies, they are in the news again as the US government considers revising its cookie policy. Wired covers a study out of UC Berkeley exposing questionable practices used by many of the Internet's most-visited Web sites (abstract). The most questionable activity the report exposes is known as "respawning": after a user has deleted browser tracking cookies, some sites will use information in Flash cookies to recreate them. The report names two companies, Clearspring and QuantCast, whose technologies reinstate cookies for other Web sites. "Federal websites have traditionally been banned from using tracking cookies, despite being common around the web — a situation the Obama administration is proposing to change as part of an attempt to modernize government websites. But the debate shouldn't be about allowing browser cookies or not, according Ashkan Soltani, a UC Berkeley graduate student who helped lead the study. 'If users don't want to be tracked and there is a problem with tracking, then we should regulate tracking, not regulate cookies,' Soltani said."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Old News (Score:5, Informative)
1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.
2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.
3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.
4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.
5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.
Re:Old News (Score:5, Informative)
Parent
Re:Old News (Score:5, Informative)
I use Oblivion with Firefox 3.0.3 and it works fine.
Parent
Re:Old News (Score:4, Informative)
Parent
Re:Old News (Score:5, Informative)
There is a FF extension called Distrust, which deletes your "Flash Cookies" on exit ... I assume they're talking about the same thing here. It works with 3.
Parent
Welcome (Score:2, Interesting)
My specific comment to this news article and your response is that third party objects always reduce security as they increase features and that is a constant and yes that is not new.
A slight side-note...
You must be new here. Welcome to Slashdot.org where you can get news of many varieties. Some is stale dated, some is duplicated but it's all kinda interesting to talk about and that is why most of us like it here.
Because even if the news is old, the discussion at Slashdot is always new! (well at least the h
Re:Welcome (Score:5, Funny)
If you think I'm new here, you must be new here... ;-)
Parent
Re:Welcome (Score:5, Funny)
In geological terms, we're all new here.
Parent
Re:Welcome (Score:5, Interesting)
In geological terms, "here" is new.
(Being pedantic, because I really am a geologist, for most values of "here" and most reasonable meanings of "new". If I were writing on the other coast of Scotland, then my here might be up to half the age of the Earth, which is stretching "new" a bit, but for over 95% of the country and far over 99% of the population, the rocks below are a lot less than a quarter of the age of the planet, which is "new" enough for me.)
Parent
Re: (Score:2)
Are you the same guy that used to drive Linux nerds mad on Linuxtoday or some site like that by sticking up for Windows and knocking Linux around 1999 / 2000 time?
Re: (Score:2)
All true.
It will also force Flash to prompt you every time it wishes to save something to disk.
Any idea why mine does it a dozen times for each request?
Re:Old News (Score:5, Informative)
1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.
2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.
3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.
4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.
5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.
A bit more information...
1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.
2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.
3 - This is true. You can delete sharedobjects as long as you have a move clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.
4 - Sure they are useful, but the can and are misued. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.
5 - Indeed.
Parent
Re:Old News (Score:4, Interesting)
4 - Sure they are useful, but the can and are misued. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.
One of the things I discovered a long time ago is that emptying a #SharedObjects subdirectory and setting it to read-only does not work.
Now I just go through every once in a while and clear out the whole thing.
Parent
Re: (Score:3, Informative)
cd "\Documents and Settings\Application Data\Macromedia\Flash Player\"
rmdir "#SharedObjects"
ln -s nul "#SharedObjects"
Oh you are running windows!? Works for me in cygwin bash.
Re: (Score:3)
3 - This is true. You can delete sharedobjects as long as you have a move clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.
Flashblock [mozdev.org]
Re: (Score:3, Insightful)
My question has always been, are cookies even really that bad? This may just be me, but I am not that concerned - unless a cookie for one site is actually tracking what I am DOING on another site - ie if Slashdot suddenly started tracking what I was doing at my bank. I may be totally ignorant here, but I did not think cookies worked that way. And who actually has time to poll through all that user data? I have a low-traffic website, and just for grins, I will go in sometimes and look at the server logs, but
Re:Old News (Score:4, Insightful)
That depends on the level of privacy to which you aspire, online. As far as I'm concerned, my business is my business. Of course, if you're happy living your online existence in a goldfish bowl, that's different.
Data mining programs do. Then people get to see whatever the programs flag up.
Well, all that data goes into databases, and the data gets leaked and sold and demanded by the government, and burned to CD-Rom which then gets lost... and on the way ends up being amalgamated with with other databases. It's already possible to uncomfortably detailed profiles of people using only Google. That's without mining someone's clickstream over a year or so.
Maybe you don't care who's looking over your metaphorical shoulder as you surf; I accept that many people do not. Nevertheless, for what I suspect are the majority of surfers, there's a definite issue here.
Parent
Re: (Score:3, Funny)
SQL database in the browser? Oh christ. It's like emacs all over again.
Re: (Score:3, Interesting)
Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
Sounds a little ungrateful considering that many, many people didn't know about this and are now provided and easy way to view and delete these objects without rummaging through menus and settings. If you hate Flash that much then don't use it!
Re: (Score:2, Interesting)
Sounds a little ungrateful considering that many, many people didn't know about this and are now provided and easy way to view and delete these objects without rummaging through menus and settings. If you hate Flash that much then don't use it!
/agree
The "Delete all sites" button seemed to have worked pretty well too. The only thing is that I thought it was an image until I read the text under it stating that it wasn't, which is probably why the explanation was put there.
Flash cookies (Score:5, Funny)
I flashed my cookies once and did a weekend in the slammer.
Re:Flash cookies (Score:4, Funny)
Talk about a privacy threat!
Parent
Don't allow sites to store stuff on your machine. (Score:5, Interesting)
I don't allow any site to store any information on my machine, except when it is beneficial to me. That means, Slashdot can store cookies (session only), RevLeft can store cookies for ever, and various email places can store session only cookies.
However, every other site is blocked by default (Firefox plugin called CookieSafe). With Flash, yes I'm using Macromedia's shit plugin, but even then the default (and I'm not going to change it) is to not allow any site to save any information.
Of course, I also use NoScript and AdBlock... Yada yada.
I'm on the web for my benefit, not for the benefit of advertisers and other scum.
I've also heard about a trick to delete the folder where the Macromedia plugin stores the stuff and replace it with a read only blank file of the same name. Look into that if you don't trust Adobe as far as you can kick them...
Re: (Score:3, Interesting)
And a quick follow up to that post. What happens if I hit a site that requires cookies (for no apparent reason)? I leave. The most common website is lyrics websites, and considering the number of them there are, I don't care if I miss out on one more.
The same with JavaScript, there are only a few websites that I've enabled JS by default (Slashdot is one). But for all the rest, unless they have an obvious use for it (and can't provide alternative content), I leave if it's required.
Screw them. I've got better
Re:Don't allow sites to store stuff on your machin (Score:5, Funny)
Mod parent "OldManOnPorchWithShotgun"
Parent
Somewhat Misleading (Score:5, Informative)
"Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."
Except there's a button to delete them all at once.
Get Flashblock now. (Score:3, Insightful)
Seriously, get flashblock from the Firefox addons site. You need it. Badly. The number of sites with the equivalent of the pixel.gif tracking or the Google Analytics type JavaScript tracking, but as a small Flash plugin are growing astronomically, and Adobe has no reason to favor your privacy over their customer's demands. These little apps aren't there to serve your needs or improve you're browsing experience, and they just should never run. If you want to run a Flash app, that's fine: click on it to run it.
I use Flashblock and I've been watching Hulu and YouTube and enjoying all sorts of sites that use Flash. I'm also instantly aware of any site that's too lazy to present a standard Web page when I see a giant "click to run" button over the whole page, and I find another site. This is part of the process, and is an important way that neophyte Web developers learn that they can't just throw up Flash and not worry about Web standards.
Re: (Score:3, Informative)
I read about this sometime ago, so keep in mind that it may no longer be correct. As I understand it, Flashblock works by analyzing the DOM as it's loaded and anytime it sees Flash content it removes it and inserts its own Flashblock placeholder. What this means is that it is possible for Flash to execute before it is removed, however given the delay before the SWF in question is downloaded it's very unlikely that it would begin executing before Flashblock is able to remove it.
Re: (Score:3, Informative)
And this ... (Score:5, Insightful)
This is why I don't install flash on my machines.
Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.
Cheers
Re: (Score:2, Insightful)
The parent sounds like the people who still use pine for checking their email. At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it. I guess everyone has to make the decision to continue living life and embracing new technology or completely blocking it out and hoping it will go away. Websites that require flash aren't going to go away, folks: they are going to multiply. We shouldn't try to stop flash, or to ignore it, we should try to work toward
Re:And this ... (Score:5, Insightful)
Parent
Re:And this ... (Score:5, Insightful)
Why should we all accept a technology that is almost always used inappropriately? It's not being a luddite to expect people to use the right tool for the job. Flash is a technology that's good for vector animations. Stuff like homestar runner benefit from using flash, and nobody is going to complain that such a site uses flash.
But what about all the websites that use flash based navigation? Does flash do anything that they can't do with html/javascript? No. Then what's the point? It's not progress if it doesn't enable you to do anything new. It's just dumb.
And then there's sites like YouTube which use flash to serve up videos. I mean, come on. Embedding a video file in a flash application makes about as much sense as embedding an image in flash. The right thing to do is to send the video over http, and let the browser decide what to do with it. Just like we do with .jpg, .pdf, .mp3, and everything else on the internet.
So don't give me this bullshit about flash haters being anti-progress, because there's really very little that flash actually does that anyone actually needs. It's almost always the wrong tool for the job.
p.s. pine still works great, what's your problem with it?
Parent
Re:And this ... *crap is technology agnostic* (Score:4, Insightful)
ffs, there are plenty of irritating html sites as well...
I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)
flash != junk
people making junk with flash == junk
(and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)
If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)
If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.
Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.
And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...
So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.
Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.
Parent
Re:And this ... (Score:5, Funny)
Parent
Can you not just delete the files directly? (Score:5, Informative)
To remove flash cache on Linux (Score:3, Informative)
Yes, I do that on Linux regularly.
Just add this to your crontab:
0 * * * * rm -rf ~/.macromedia ~/.adobe
(If you actually use their other products, you might want to be more specific, like ~/.adobe/Flash_Player)
Re:To remove flash cache on Linux (Score:4, Insightful)
srm and shred aren't assured security if you're on a journaled filesystem. More importantly, if the Flash application is rooting through your filesystem looking for deleted data, "secure deletion" should be applied to Flash itself, not just its cache. That would be outrageous.
My point is that you're merely trying to delete cookies to prevent user tracking. Secure deletion on your physical disk is not needed unless you're looking at a very special kind of content. ... Using srm or shred here would be like running your newspaper through the shredder because you never know who might be looking for the smudge marks that indicate what you actually read.
Parent
Quick fix? (Score:2, Interesting)
Re:Quick fix? (Score:4, Informative)
Parent
Re: (Score:3, Insightful)
Surely the main privacy issue is the site reading back what it wrote? So it should be:
chmod -r ~/.macromedia
Let it write all it wants.
disable completely with a batchfile (Score:3, Informative)
Or... a simple batchfile for neutering the little bastards completely. [elifulkerson.com] ... assuming they haven't changed anything.
Easily fixed from the same site linked in TFA (Score:5, Informative)
1.) Go to Website Storage settings -> Delete all sites
2.) Go to Global Storage settings -> allow 0 kb of storage
3.) ????? 4.) Profit! (and/or continue going to porn sites...)
How are Cookies "Privacy Threats"? (Score:5, Interesting)
I can understand if there's a bug that lets one site read or write another site's cookies. But how are properly functioning cookies any threat to privacy? They are indeed a threat to anonymity, only because they let a site ID a browser (or a Flash player or some other client) as "the same as that other time". But what private info other than that you are the same person (or maybe not, on a shared machine) is threatened? The remote site could just store on its server any info about your transactions. It could require that you login to verify that you're that same returning visitor. And even without cookies, a remote site could send any info it got from your transactions over to any other site without notifying you. Cookies have nothing to do with it.
Of course, any info stored on my machine should have a usable UI to manage it. But an inconvenient one isn't really a "privacy threat". After all, what is the threat? What goes wrong when it's abused?
Macromedia? (Score:4, Interesting)
Re: (Score:3, Funny)
Re: (Score:2, Insightful)
Flashblock does not prevent loading of flash programs. All it does is hide them from view (and sound). Use NoScript instead. Block all 3rd party scripts and enable all 1st party scripts.
Re:Duh department (Score:4, Informative)
Can you point to a source, please?
Because the front page of FlashBlocks site [mozdev.org] says something different:
Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content.
(Emphasis taken from source)
Parent
Re:Duh department (Score:5, Interesting)
With Flashblock loaded and active, watching hidden the Macromedia directories, visiting a page with Flash objects created objects in the Macromedia\Flash Player\#SharedObjects and Macromedia\Flash Player\macromedia.com\support\sys directories, without running any of the visible Flash objects.
That would indicate to me that some part of Flash is being activated, despite the presence of Flashblock...
Parent
Re: (Score:3, Insightful)
So, tell me... How is it that a flash application available on-line (from adobe) is able to delete and assign space to those very elements? You are telling me that it is not, in turn, able to access those very items? And, if it can access those items, is this not a far worse security issue than browser cookies?
Just wondering.
Now, add to this (the configuration panel for flash storage being available on-line, accessible without the need of a password) to the actual (closed source) implementation of flash --