Flash Cookies, a Little-Known Privacy Threat

Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
This discussion has been archived. No new comments can be posted.

  • Old News (Score:5, Informative)

    by AKAImBatman ( 238306 ) * <akaimbatman AT gmail DOT com> on Tuesday October 14, 2008 @02:44PM (#25372427) Homepage Journal

    1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

    2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

    3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

    4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

    5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.

  • Somewhat Misleading (Score:5, Informative)

    by Aeonite ( 263338 ) on Tuesday October 14, 2008 @02:53PM (#25372623) Homepage

    "Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."

    Except there's a button to delete them all at once.

  • Re:Old News (Score:5, Informative)

    by Sensible Clod ( 771142 ) on Tuesday October 14, 2008 @02:53PM (#25372625) Homepage
    There used to be a Firefox extension for Local Shared Objects, called Objection [mozdev.org], and I used it back then, but it's not compatible with Firefox 3.
  • Re:Old News (Score:5, Informative)

    by Anonymous Coward on Tuesday October 14, 2008 @02:59PM (#25372723)

    1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

    2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

    3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

    4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

    5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.

    A bit more information...

    1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.

    2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.

    3 - This is true. You can delete sharedobjects as long as you have a movie clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.

    4 - Sure they are useful, but they can and are misused. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.

    5 - Indeed.

  • by BabyDave ( 575083 ) on Tuesday October 14, 2008 @03:01PM (#25372757)
    On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?
  • by Anonymous Coward on Tuesday October 14, 2008 @03:03PM (#25372805)

    Or... a simple batchfile for neutering the little bastards completely. [elifulkerson.com] ... assuming they haven't changed anything.

  • Re:Quick fix? (Score:4, Informative)

    by elashish14 ( 1302231 ) <profcalc4 AT gmail DOT com> on Tuesday October 14, 2008 @03:04PM (#25372815)
    Er, a semicolon is helpful too: rm -r .macromedia; ln -s /dev/null ~/.macromedia
  • by Craptastic Weasel ( 770572 ) on Tuesday October 14, 2008 @03:05PM (#25372829)
    Go to This site [macromedia.com]

    1.) Go to Website Storage settings -> Delete all sites

    2.) Go to Global Storage settings -> allow 0 kb of storage

    3.) ?????

    4.) Profit! (and/or continue going to porn sites...)
  • by Khopesh ( 112447 ) on Tuesday October 14, 2008 @03:32PM (#25373195) Homepage Journal

    Yes, I do that on Linux regularly.

    Just add this to your crontab:

    0 * * * * rm -rf ~/.macromedia ~/.adobe

    (If you actually use their other products, you might want to be more specific, like ~/.adobe/Flash_Player)
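Added example, not part of any comment in this thread: a read-only inventory of Local Shared Objects under the storage locations named in the comments above, grouped by site with size and age, so you can see what is stored before choosing what to delete. It assumes shared objects are `.sol` files and that the site is the first host-like directory name on the path; the function names are illustrative.

```python
import os
import time
from collections import defaultdict
from pathlib import Path


def candidate_roots(env=os.environ, home=None):
    """Locations named in this thread; a root symlinked to /dev/null is skipped."""
    home = Path(home) if home else Path.home()
    roots = [home / ".macromedia", home / ".adobe" / "Flash_Player"]
    if env.get("APPDATA"):
        roots.append(Path(env["APPDATA"]) / "Macromedia" / "Flash Player" / "#SharedObjects")
    return [r for r in roots if r.is_dir()]


def site_of(rel_parts):
    """Assumption: the site is the first directory name that looks like a host name."""
    dirs = rel_parts[:-1]
    for part in dirs:
        if "." in part and not part.startswith(("#", ".")):
            return part
    return dirs[0] if dirs else "(unknown)"


def inventory(roots, now=None):
    """Group every *.sol file under the roots by site: count, bytes, oldest age in days."""
    now = time.time() if now is None else now
    sites = defaultdict(lambda: {"files": 0, "bytes": 0, "oldest_days": 0})
    for root in roots:
        for path in Path(root).rglob("*.sol"):
            # lstat: report the entry itself, never the target of a link.
            st = path.lstat()
            entry = sites[site_of(path.relative_to(root).parts)]
            entry["files"] += 1
            entry["bytes"] += st.st_size
            entry["oldest_days"] = max(entry["oldest_days"], int((now - st.st_mtime) // 86400))
    return dict(sites)


def report(sites, stale_days=365):
    """Return printable lines, largest first; flag sites untouched for stale_days or more."""
    lines = []
    for site, e in sorted(sites.items(), key=lambda kv: -kv[1]["bytes"]):
        flag = " STALE" if e["oldest_days"] >= stale_days else ""
        lines.append(f"{site:30} {e['files']:3} files {e['bytes']:8} bytes {e['oldest_days']:5} days{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(inventory(candidate_roots()))) or "no shared objects found")
```

The script only reads file metadata and deletes nothing; the STALE flag marks sites whose oldest object has not been modified for a year or more.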

  • Re:Old News (Score:5, Informative)

    by anasciiman ( 528060 ) on Tuesday October 14, 2008 @03:34PM (#25373227) Homepage

    I use Oblivion with Firefox 3.0.3 and it works fine.

  • Re:Old News (Score:4, Informative)

    by 0232793 ( 907781 ) on Tuesday October 14, 2008 @04:02PM (#25373627)
    I can't find this on Google, but I did find an experimental add-on BetterPrivacy https://addons.mozilla.org/en-US/firefox/addon/6623 [mozilla.org] that "protects from LSO Flash Objects"
  • Re:Duh department (Score:4, Informative)

    by GuldKalle ( 1065310 ) on Tuesday October 14, 2008 @04:21PM (#25373899)

    Can you point to a source, please?
    Because the front page of Flashblock's site [mozdev.org] says something different:

    Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content.

    (Emphasis taken from source)

  • Re:Old News (Score:5, Informative)

    by ScreamingCactus ( 1230848 ) on Tuesday October 14, 2008 @04:53PM (#25374347)

    There is a FF extension called Distrust, which deletes your "Flash Cookies" on exit ... I assume they're talking about the same thing here. It works with 3.

  • by Spamalope ( 91802 ) on Tuesday October 14, 2008 @05:58PM (#25375185)

    But how are properly functioning cookies any threat to privacy?

    If the cookies are set by a 3rd party who has linked content on many websites, that 3rd party can track your activity through all of those sites. If you visit a website that you've given your personal details (say, to buy something), then the website and 3rd party can share information about you. Now they both know who you are and what you do online.

    How do you feel about banner ads hosted by 3rd parties setting cookies on your computer now?

  • Re:Old News (Score:3, Informative)

    by Rocky Mudbutt ( 22622 ) on Tuesday October 14, 2008 @06:01PM (#25375239) Homepage

    cd "\Documents and Settings\Application Data\Macromedia\Flash Player"
    rmdir "#SharedObjects"
    ln -s nul "#SharedObjects"

    Oh you are running windows!? Works for me in cygwin bash.

  • by zuperduperman ( 1206922 ) on Tuesday October 14, 2008 @06:32PM (#25375589)

    Cross correlation is a huge problem, because sites do deals with each other to trade information. Advertisers, present on nearly every site, get to save cookies that correlate where you have visited. They can then on-sell or match that information to that from other companies. Thus simply by browsing the web you are potentially creating a public profile available to anyone who wants to buy it. How would you feel if a future employer could purchase and review your browsing history and see a large subset of the sites you visit on the internet when considering your job application? It's fast becoming a possibility.

    The big problem with flash cookies is that they are out of the browser's control. At least with normal cookies there are indications and controls in the browser to allow you to know and control your privacy. However all these browser privacy features are made moot because flash completely ignores them, and enables its cookies by default regardless of whatever preferences or settings you have set in the browser.

    So - yes, flash is evil and yes, it's a problem.

  • by TLLOTS ( 827806 ) on Tuesday October 14, 2008 @11:20PM (#25378201)

    I read about this some time ago, so keep in mind that it may no longer be correct. As I understand it, Flashblock works by analyzing the DOM as it's loaded and anytime it sees Flash content it removes it and inserts its own Flashblock placeholder. What this means is that it is possible for Flash to execute before it is removed; however, given the delay before the SWF in question is downloaded, it's very unlikely that it would begin executing before Flashblock is able to remove it.

  • by Inda ( 580031 ) <slash.20.inda@spamgourmet.com> on Wednesday October 15, 2008 @04:44AM (#25379985) Journal
    You and the GP AC are correct. Try running FlashBlock on a very slow PC and you'll see the first frame of the Flash application display... but this was witnessed by me over 6 months ago, I have not been back on my old, slow PC in a while.
