
Flash Cookies, a Little-Known Privacy Threat

Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
  • by ajs (35943) <ajsNO@SPAMajs.com> on Tuesday October 14, 2008 @02:54PM (#25372637) Homepage Journal

    Seriously, get flashblock from the Firefox addons site. You need it. Badly. The number of sites with the equivalent of the pixel.gif tracking or the Google Analytics type JavaScript tracking, but as a small Flash plugin, is growing astronomically, and Adobe has no reason to favor your privacy over their customers' demands. These little apps aren't there to serve your needs or improve your browsing experience, and they just should never run. If you want to run a Flash app, that's fine: click on it to run it.

    I use Flashblock and I've been watching Hulu and YouTube and enjoying all sorts of sites that use Flash. I'm also instantly aware of any site that's too lazy to present a standard Web page when I see a giant "click to run" button over the whole page, and I find another site. This is part of the process, and is an important way that neophyte Web developers learn that they can't just throw up Flash and not worry about Web standards.

  • And this ... (Score:5, Insightful)

    by gstoddart (321705) on Tuesday October 14, 2008 @03:01PM (#25372755) Homepage

    This is why I don't install flash on my machines.

    Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.


  • Re:And this ... (Score:2, Insightful)

    by Anonymous Coward on Tuesday October 14, 2008 @03:09PM (#25372891)

    The parent sounds like the people who still use pine for checking their email. At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it. I guess everyone has to make the decision to continue living life and embracing new technology or completely blocking it out and hoping it will go away. Websites that require flash aren't going to go away, folks: they are going to multiply. We shouldn't try to stop flash, or to ignore it, we should try to work toward helping them secure it. And I would take Flash over Silverlight any day-

  • Re:Duh department (Score:2, Insightful)

    by Gewalt (1200451) on Tuesday October 14, 2008 @03:26PM (#25373089)

    Flashblock does not prevent loading of flash programs. All it does is hide them from view (and sound). Use NoScript instead. Block all 3rd party scripts and enable all 1st party scripts.

  • Re:And this ... (Score:2, Insightful)

    by Todd Fisher (680265) on Tuesday October 14, 2008 @03:36PM (#25373265) Homepage
    I'm [webkinz.com] guessing [nickjr.com] you [myepets.com] don't [playhousedisney.com] have [clubpenguin.com] kids [lego.com].
  • scare-monger (Score:1, Insightful)

    by keatonj (940527) on Tuesday October 14, 2008 @03:53PM (#25373495)
    "by default" it enables average users to use nifty adobe player functionality. (my pizza store, by default now remembers me and the last time I was there! wicked!) You can also choose max disk space for these cookies, you can also easily delete them, and you can easily stop them from being saved. I agree the access to this information isn't "easy". but this is far from being a security problem. I had to go through just as many clicks to get to my firefox cookie, as to get to the flash cookies. They also store only information they request. Which in some cases means saved games files (for flash games). This article, with its hefty boldening of sentences, makes this out to be an OMG! situation, when it's not. Just as firefox, by DEFAULT, enables cookies and javascript code. Why can't flash? This panel can also be accessed when using almost ANY flash application, through the right click context menu. Seriously, this feels like very little investigation of comparison. American style scare-mongering at its finest IMHO.
  • Re:And this ... (Score:5, Insightful)

    by Danny Rathjens (8471) <slashdot2@rathjens . o rg> on Tuesday October 14, 2008 @03:59PM (#25373589)
    Imagine if people said the same thing about windows and gave up on linux. We can do much better than proprietary junk like flash.
  • by Khopesh (112447) on Tuesday October 14, 2008 @04:05PM (#25373663) Homepage Journal

    srm and shred aren't assured security if you're on a journaled filesystem. More importantly, if the Flash application is rooting through your filesystem looking for deleted data, "secure deletion" should be applied to Flash itself, not just its cache. That would be outrageous.

    My point is that you're merely trying to delete cookies to prevent user tracking. Secure deletion on your physical disk is not needed unless you're looking at a very special kind of content. ... Using srm or shred here would be like running your newspaper through the shredder because you never know who might be looking for the smudge marks that indicate what you actually read.

  • by Anonymous Coward on Tuesday October 14, 2008 @04:13PM (#25373779)

    You'd be surprised how much can be inferred from a few visits that can be linked by "hey you're the same guy who was here that other time". When you can start finding patterns in aggregated data, the whole becomes more than the sum of its parts.

    Of course you're right in that there's nothing inherently wrong with FSO's, but there is a need for user education on the subject (much like cookies). FSO's are more problematic in this way since they're less well-known and harder for a non-savvy user to manage.

    Incidentally, a threat to anonymity is, by extension, a threat to privacy, since anonymity is a useful privacy tool.

  • Re:And this ... (Score:1, Insightful)

    by Anonymous Coward on Tuesday October 14, 2008 @04:15PM (#25373799)

    At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it.

    Calling Flash a "technology" is giving it too much credit.

    But that aside, a lot of the world "moved on" to Windows, but the people who didn't do it, mostly all came out ahead. Sometimes going with the flow is just plain stupid. If everyone jumped off a cliff, would you? Maybe. Maybe it makes sense to do that. But really? No, it doesn't.

  • by Anonymous Coward on Tuesday October 14, 2008 @04:18PM (#25373845)

    Okay, good, let's shut off another potentially useful feature because there's a fringe chance it can be used to remember who you are, which is Bad(tm) because then zomg Skynet. And better still, let's get rid of Flash entirely, AND be a smug dick about it, too. Brag about it constantly, just like how you don't own a TV.

    From there, keep on bragging about how you don't use Javascript, either, and point to an edge case where a friend you knew was out browsing pr0n from his spam and now his entire identity has been erased. Keep pointing to it. Point HARDER. That should convince any sane individual to burn an effigy of the inventor of Javascript. Offer your diagrams to help them build such effigies.

    Then all we'd need to do is get rid of images and multimedia, remove graphics from all computers, and before you know it, we'll finally have this "entertainment" flaw fixed. Then we can all get back to posting plaintext reviews of and arguments over Star Trek Battlestar Galactica episodes in peace. Goddamn progress.

  • Re:Old News (Score:3, Insightful)

    by gravis777 (123605) on Tuesday October 14, 2008 @04:26PM (#25373967)

    My question has always been, are cookies even really that bad? This may just be me, but I am not that concerned - unless a cookie for one site is actually tracking what I am DOING on another site - ie if Slashdot suddenly started tracking what I was doing at my bank. I may be totally ignorant here, but I did not think cookies worked that way. And who actually has time to poll through all that user data? I have a low-traffic website, and just for grins, I will go in sometimes and look at the server logs, but most of this is just kind of curiosity over what countries are visiting me. Sometimes I will look at the terms people typed into search engines to find me (this is not a cookie, just standard Apache server logs), but that is about it. I do not have the time, nor the desire to look at more than that. In fact, I usually do not have the time to look at even that.

    So, let's just say that someone is using a shared object to store browsing history. So what? Unless my church saw that after I went to their website I visited some girl-on-girl site (or vice versa), I really don't care. Of course, it could just be me being ignorant, but cookies are not what I am worried about. I am more worried about other people going to Smiley Central or Living Screensavers or Coupon Toolbar or something than about cookies.

  • by frito_x (1138353) <hippiej@cantv.net> on Tuesday October 14, 2008 @04:41PM (#25374177)

    "... all your cookies are belong to us..."

    - the Cookie Monster.

  • Re:And this ... (Score:2, Insightful)

    by bongomanaic (755112) on Tuesday October 14, 2008 @04:45PM (#25374229)
    It's also used by some of the best sites on the web, such as BBC iPlayer and Fora.tv because it is the only sensible way to deliver no-fuss cross-platform online video. It's also a lightweight and better looking alternative to java or ajax for all sorts of entertaining and educational applets. Non-assholes use flash too because it just works. Blocking all flash because it is sometimes used in ads is as sensible as blocking jpegs because they are sometimes used in ads. If the only flash you've come across is in ads then it is your taste in web sites, rather than flash, that is at fault.
  • Re:scare-monger (Score:3, Insightful)

    by ratboy666 (104074) <fred_weigel @ h o t m a i l . com> on Tuesday October 14, 2008 @04:50PM (#25374281) Journal

    So, tell me... How is it that a flash application available on-line (from adobe) is able to delete and assign space to those very elements? You are telling me that it is not, in turn, able to access those very items? And, if it can access those items, is this not a far worse security issue than browser cookies?

    Just wondering.

    Now, add to this (the configuration panel for flash storage being available on-line, accessible without the need of a password) to the actual (closed source) implementation of flash -- aren't alarm bells going off in your head?

  • Re:And this ... (Score:5, Insightful)

    by Hatta (162192) on Tuesday October 14, 2008 @05:12PM (#25374587) Journal

    Why should we all accept a technology that is almost always used inappropriately? It's not being a luddite to expect people to use the right tool for the job. Flash is a technology that's good for vector animations. Stuff like homestar runner benefits from using flash, and nobody is going to complain that such a site uses flash.

    But what about all the websites that use flash based navigation? Does flash do anything that they can't do with html/javascript? No. Then what's the point? It's not progress if it doesn't enable you to do anything new. It's just dumb.

    And then there's sites like YouTube which use flash to serve up videos. I mean, come on. Embedding a video file in a flash application makes about as much sense as embedding an image in flash. The right thing to do is to send the video over http, and let the browser decide what to do with it. Just like we do with .jpg, .pdf, .mp3, and everything else on the internet.

    So don't give me this bullshit about flash haters being anti-progress, because there's really very little that flash actually does that anyone actually needs. It's almost always the wrong tool for the job.

    p.s. pine still works great, what's your problem with it?

  • by mb1 (966747) on Tuesday October 14, 2008 @05:42PM (#25374985)

    ffs, there are plenty of irritating html sites as well...

    I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)

    flash != junk
    people making junk with flash == junk

    (and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)

    If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)

    If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.

    Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.

    And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...

    So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.

    Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.

  • by Anonymous Coward on Tuesday October 14, 2008 @05:50PM (#25375079)

    How is this different from tracking based on IP?

    And "I can change my ip" isn't an answer, since I can delete my cookies.

  • Re:Quick fix? (Score:3, Insightful)

    by Keeper Of Keys (928206) on Tuesday October 14, 2008 @07:41PM (#25376397) Homepage

    Surely the main privacy issue is the site reading back what it wrote? So it should be:
    chmod -r ~/.macromedia
    Let it write all it wants.
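
Added example (not part of the thread or of the linked blog post): a shell sketch that inventories Flash shared objects per site and lists ones untouched for a long time, instead of clicking through the settings GUI one entry at a time. It assumes the Linux Flash Player layout `~/.macromedia/Flash_Player/#SharedObjects/<random-id>/<site>/`; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: inventory Flash local shared objects (.sol files) per site.
# Assumed layout (Flash Player on Linux):
#   ~/.macromedia/Flash_Player/#SharedObjects/<random-id>/<site>/.../*.sol

# lso_base [ROOT]: directory that holds the per-site stores
lso_base() {
    printf '%s/Flash_Player/#SharedObjects' "${1:-$HOME/.macromedia}"
}

# list_lso_sites [ROOT]: print "<files> <bytes> <site>" for each site
list_lso_sites() {
    base=$(lso_base "$1")
    [ -d "$base" ] || return 0
    find "$base" -type f -name '*.sol' | while IFS= read -r f; do
        rel=${f#"$base"/}           # <random-id>/<site>/...
        rel=${rel#*/}               # <site>/...
        case $rel in
            */*) ;;                 # has a site directory
            *)   continue ;;        # stray file directly under <random-id>
        esac
        printf '%s %s\n' "${rel%%/*}" "$(wc -c < "$f")"
    done | awk '{ n[$1]++; b[$1] += $2 }
                END { for (s in n) print n[s], b[s], s }' | sort -k3
}

# stale_lso_files [ROOT] [DAYS]: objects not modified for more than DAYS days
stale_lso_files() {
    base=$(lso_base "$1")
    [ -d "$base" ] || return 0
    find "$base" -type f -name '*.sol' -mtime +"${2:-365}" | sort
}

# Report on the current user's store when run directly.
list_lso_sites "$@"
```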

  • Re:Old News (Score:4, Insightful)

    by NickFortune (613926) on Wednesday October 15, 2008 @07:35AM (#25380697) Homepage Journal

    My question has always been, are cookies even really that bad?

    That depends on the level of privacy to which you aspire, online. As far as I'm concerned, my business is my business. Of course, if you're happy living your online existence in a goldfish bowl, that's different.

    And who actually has time to poll through all that user data?

    Data mining programs do. Then people get to see whatever the programs flag up.

    So, let's just say that someone is using a shared object to store browsing history. So what? Unless my church saw that after I went to their website I visited some girl-on-girl site (or vice versa), I really don't care.

    Well, all that data goes into databases, and the data gets leaked and sold and demanded by the government, and burned to CD-ROM which then gets lost... and on the way ends up being amalgamated with other databases. It's already possible to build uncomfortably detailed profiles of people using only Google. That's without mining someone's clickstream over a year or so.

    Maybe you don't care who's looking over your metaphorical shoulder as you surf; I accept that many people do not. Nevertheless, for what I suspect are the majority of surfers, there's a definite issue here.
