Forgot your password?
typodupeerror
Privacy Your Rights Online

Flash Cookies, a Little-Known Privacy Threat 225

Posted by kdawson
from the flashblock-considered-mandatory dept.
Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
This discussion has been archived. No new comments can be posted.

Flash Cookies, a Little-Known Privacy Threat

Comments Filter:
  • Old News (Score:5, Informative)

    by AKAImBatman (238306) * <akaimbatmanNO@SPAMgmail.com> on Tuesday October 14, 2008 @02:44PM (#25372427) Homepage Journal

    1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

    2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

    3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

    4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

    5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.

    • Re:Old News (Score:5, Informative)

      by Sensible Clod (771142) <[ten.retrahc] [ta] [7-cd]> on Tuesday October 14, 2008 @02:53PM (#25372625) Homepage
      There used to be a Firefox extension for Local Shared Objects, called Objection [mozdev.org], and I used it back then, but it's not compatible with Firefox 3.
    • Welcome (Score:2, Interesting)

      by dolo666 (195584) *

      My specific comment to this news article and your response is that third party objects always reduce security as they increase features and that is a constant and yes that is not new.

      A slight side-note...

      You must be new here. Welcome to Slashdot.org where you can get news of many varieties. Some is stale dated, some is duplicated but it's all kinda interesting to talk about and that is why most of us like it here.

      Because even if the news is old, the discussion at Slashdot is always new! (well at least the h

    • All true.

      It will also force Flash to prompt you every time it wishes to save something to disk.

      Any idea why mine does it a dozen times for each request?

    • Re:Old News (Score:5, Informative)

      by Anonymous Coward on Tuesday October 14, 2008 @02:59PM (#25372723)

      1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

      2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

      3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

      4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

      5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.

      A bit more information...

      1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.

      2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.

      3 - This is true. You can delete sharedobjects as long as you have a move clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.

      4 - Sure they are useful, but the can and are misued. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.

      5 - Indeed.

      • Re:Old News (Score:4, Interesting)

        by TubeSteak (669689) on Tuesday October 14, 2008 @05:06PM (#25374485) Journal

        4 - Sure they are useful, but the can and are misued. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.

        One of the things I discovered a long time ago is that emptying a #SharedObjects subdirectory and setting it to read-only does not work.

        Now I just go through every once in a while and clear out the whole thing.

        • Re: (Score:3, Informative)

          by Rocky Mudbutt (22622)

          cd "\Documents and Settings\Application Data\Macromedia\Flash Player\"
          rmdir "#SharedObjects"
          ln -s nul "#SharedObjects"

          Oh you are running windows!? Works for me in cygwin bash.

        • by ThreeGigs (239452)

          You need to change the security permissions for that folder, and restrict all accounts, including the system account. Otherwise what happens is the system account just does what it wants to.

        • Now I just [...] every once in a while

          I'd like you to meet my friend, Cron. He likes meeting new people :)

      • 3 - This is true. You can delete sharedobjects as long as you have a move clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.

        Flashblock [mozdev.org]

      • Who should I contact?
        Is this a serious problem?

    • Re: (Score:3, Insightful)

      by gravis777 (123605)

      My question has always been, are cookies even really that bad? This may just be me, but I am not that concerned - unless a cookie for one site is actually tracking what I am DOING on another site - ie if Slashdot suddenly started tracking what I was doing at my bank. I may be totally ignorant here, but I did not think cookies worked that way. And who actually has time to poll through all that user data? I have a low-traffic website, and just for grins, I will go in sometimes and look at the server logs, but

      • Yeah they are harmless in most cases.
        There was a concern about cookies years ago and everyone was encouraged to turn them off which caused all kinds of problems.

        The biggest problem is that ad networks can see that you loaded a ad from them on site a and site b and can form patterns from that.

      • Re:Old News (Score:4, Insightful)

        by NickFortune (613926) on Wednesday October 15, 2008 @07:35AM (#25380697) Homepage Journal

        My question has always been, are cookies even really that bad?

        That depends on the level of privacy to which you aspire, online. As far as I'm concerned, my business is my business. Of course, if you're happy living your online existence in a goldfish bowl, that's different.

        And who actually has time to poll through all that user data?

        Data mining programs do. Then people get to see whatever the programs flag up.

        So, let's just say that someone is using a shared object to store browsing history. So what? Unless my church saw that after I went to their website I visited some girl-on-girl site (or vice versa), I really don't care.

        Well, all that data goes into databases, and the data gets leaked and sold and demanded by the government, and burned to CD-Rom which then gets lost... and on the way ends up being amalgamated with with other databases. It's already possible to uncomfortably detailed profiles of people using only Google. That's without mining someone's clickstream over a year or so.

        Maybe you don't care who's looking over your metaphorical shoulder as you surf; I accept that many people do not. Nevertheless, for what I suspect are the majority of surfers, there's a definite issue here.

    • Re: (Score:3, Funny)

      by marxmarv (30295)

      SQL database in the browser? Oh christ. It's like emacs all over again.

    • by discord5 (798235)

      5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.

      Oh great, more cruft to clog up browsers... I didn't know about this yet, thanks. This should prove to be some interesting reading.

    • by lpq (583377)

      You can also tell it to not prompt you -- just "Deny".

      Also you don't have to delete each, singly, there is a delete all...:-)

  • by MyLongNickName (822545) on Tuesday October 14, 2008 @02:49PM (#25372553) Journal

    I flashed my cookies once and did a weekend in the slammer.

  • by apathy maybe (922212) on Tuesday October 14, 2008 @02:52PM (#25372609) Homepage Journal

    I don't allow any site to store any information on my machine, except when it is beneficial to me. That means, Slashdot can store cookies (session only), RevLeft can store cookies for ever, and various email places can store session only cookies.

    However, every other site is blocked by default (Firefox plugin called CookieSafe). With Flash, yes I'm using Macromedia's shit plugin, but even then the default (and I'm not going to change it) is to not allow any site to save any information.

    Of course, I also use NoScript and AdBlock... Yada yada.

    I'm on the web for my benefit, not for the benefit of advertisers and other scum.

    I've also heard about a trick to delete the folder where the Macromedia plugin stores the stuff and replace it with a read only blank file of the same name. Look into that if you don't trust Adobe as far as you can kick them...

    • Re: (Score:3, Interesting)

      by apathy maybe (922212)

      And a quick follow up to that post. What happens if I hit a site that requires cookies (for no apparent reason)? I leave. The most common website is lyrics websites, and considering the number of them there are, I don't care if I miss out on one more.

      The same with JavaScript, there are only a few websites that I've enabled JS by default (Slashdot is one). But for all the rest, unless they have an obvious use for it (and can't provide alternative content), I leave if it's required.

      Screw them. I've got better

    • by Anonymous Coward on Tuesday October 14, 2008 @04:09PM (#25373729)

      Mod parent "OldManOnPorchWithShotgun"

    • by Repton (60818)

      Did you pay a premium on your /. subscription to hide the * next to your name?

  • Somewhat Misleading (Score:5, Informative)

    by Aeonite (263338) on Tuesday October 14, 2008 @02:53PM (#25372623) Homepage

    "Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."

    Except there's a button to delete them all at once.

  • by ajs (35943) <<moc.sja> <ta> <sja>> on Tuesday October 14, 2008 @02:54PM (#25372637) Homepage Journal

    Seriously, get flashblock from the Firefox addons site. You need it. Badly. The number of sites with the equivalent of the pixel.gif tracking or the Google Analytics type JavaScript tracking, but as a small Flash plugin are growing astronomically, and Adobe has no reason to favor your privacy over their customer's demands. These little apps aren't there to serve your needs or improve you're browsing experience, and they just should never run. If you want to run a Flash app, that's fine: click on it to run it.

    I use Flashblock and I've been watching Hulu and YouTube and enjoying all sorts of sites that use Flash. I'm also instantly aware of any site that's too lazy to present a standard Web page when I see a giant "click to run" button over the whole page, and I find another site. This is part of the process, and is an important way that neophyte Web developers learn that they can't just throw up Flash and not worry about Web standards.

    • by fermion (181285)
      I begun to notice a little flash bug appear in the upper corner of my screen 6-12 months ago. I figure it was the same thing as the more generic 1X1 pixel picture bug. I think it maybe is a google thing. 90% of what flash is used for is ads and pr0n, so as critical as these are to our very existence, I don't envision a massive exodus from flash. Therefore flashback is the only solution, and a mozilla based browser maybe the most expedient option.

      In all earnestness, the only reason that flash is so popu

    • If you're paranoid like me, you'd install flashblock, adblock plus AND noscript.

      This combination not only saves you from clickjacking sites, but you're also allowed to choose which plugins and domains you want to load. Additionally, websites load much faster (due to no ads and/or flash) and youtube videos don't play automatically. Of course, this can be tuned to your preferences.

      • Is there a sensible reason to run Flashblock if you already use NoScript?

        • by enoz (1181117)

          Apparently Flashblock makes websites such as YouTube load much faster.

        • Is there a sensible reason to run Flashblock if you already use NoScript?

          Yes- sites where you want javascript enabled but don't want annoying flash ads consuming your CPU. Example: Blogger, wordpress, slashdot, digg, webcomics sites, news sites, etc. etc.

          • by RpiMatty (834853)

            NoScript Options -> Plugins Tab -> Check "Apply these restrictions to trusted sites too"

            This will let you whitelist sites for javascript, but prevent the flash or other plugins from loading by default.
            Then you are still able to click on the placeholder to play the desired flash object.
            No need to have Flashblock installed if you use this setup.

            • NoScript Options -> Plugins Tab -> Check "Apply these restrictions to trusted sites too"

              This will let you whitelist sites for javascript, but prevent the flash or other plugins from loading by default.
              Then you are still able to click on the placeholder to play the desired flash object.
              No need to have Flashblock installed if you use this setup.

              The problem is that "apply these restrictions" applies them as a whole, and doesn't let me have a fine-grained control over them.

    • by BenoitRen (998927)

      Or you could just not install the Flash plug-in. What, no YouTube? Just download the .flv files and play them in your video player. It's a much better use of resources.

  • And this ... (Score:5, Insightful)

    by gstoddart (321705) on Tuesday October 14, 2008 @03:01PM (#25372755) Homepage

    This is why I don't install flash on my machines.

    Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.

    Cheers

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The parent sounds like the people who still use pine for checking their email. At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it. I guess everyone has to make the decision to continue living life and embracing new technology or completely blocking it out and hoping it will go away. Websites that require flash aren't going to go away, folks: they are going to multiply. We shouldn't try to stop flash, or to ignore it, we should try to work toward

      • by nschubach (922175)

        At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it.

        I think you just described the Amish. (sort of)

      • Next I expect you'll want me to watch this "television" thing.

      • Re:And this ... (Score:5, Insightful)

        by Danny Rathjens (8471) <slashdot2.rathjens@org> on Tuesday October 14, 2008 @03:59PM (#25373589)
        Imagine if people said the same thing about windows and gave up on linux. We can do much better than proprietary junk like flash.
      • by UtucXul (658400)

        The parent sounds like the people who still use pine for checking their email. At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it.

        Hey, no need to be down on pine users. Some us of still use pine (or hopefully alpine) because we like how it works compared to other mail clients, not because we are stuck in the past. We use cvs because we are stuck in the past, but alpine/pine because we like it. And we even live in the modern world of html ema

      • Re:And this ... (Score:5, Insightful)

        by Hatta (162192) on Tuesday October 14, 2008 @05:12PM (#25374587) Journal

        Why should we all accept a technology that is almost always used inappropriately? It's not being a luddite to expect people to use the right tool for the job. Flash is a technology that's good for vector animations. Stuff like homestar runner benefit from using flash, and nobody is going to complain that such a site uses flash.

        But what about all the websites that use flash based navigation? Does flash do anything that they can't do with html/javascript? No. Then what's the point? It's not progress if it doesn't enable you to do anything new. It's just dumb.

        And then there's sites like YouTube which use flash to serve up videos. I mean, come on. Embedding a video file in a flash application makes about as much sense as embedding an image in flash. The right thing to do is to send the video over http, and let the browser decide what to do with it. Just like we do with .jpg, .pdf, .mp3, and everything else on the internet.

        So don't give me this bullshit about flash haters being anti-progress, because there's really very little that flash actually does that anyone actually needs. It's almost always the wrong tool for the job.

        p.s. pine still works great, what's your problem with it?

        • by colfer (619105)

          But Flash video just works. Other video does not. Hence, Youtube.

          And the player is a slim install. Compare Quicktime.

          I'm not saying I like the business model, but that is why the technology has succeeded.

        • I agree, with the exception of YouTube and sites like it.

          The problem is, most computers don't have appropriate codecs installed that play inside the browser. And even if there was H264/AAC on each and every modern computer, you couldn't expect them to display those videos in the browser window next to your content.

          Thus, the reasons for using Flash on YouTube are valid, since it comes with its own streaming codec and designers can make sure the stuff plays on every platform just fine.

      • The parent sounds like the people who still use pine for checking their email

        Well, I bet those people don't get many email virii.

      • I would say that I resemble that remark, but I upgraded to alpine earlier this year. MUAs aside, what matters isn't whether the technology is newer but whether it's better. Flash websites are worse than HTML ones in some important regards, such as ability to bookmark / link to specific pages within them. Oh, and you can't view them in lynx.
    • Re: (Score:2, Insightful)

      by Todd Fisher (680265)
      I'm [webkinz.com] guessing [nickjr.com] you [myepets.com] don't [playhousedisney.com] have [clubpenguin.com] kids [lego.com].
    • by mb1 (966747) on Tuesday October 14, 2008 @05:42PM (#25374985)

      ffs, there are plenty of irritating html sites as well...

      I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)

      flash != junk
      people making junk with flash == junk

      (and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)

      If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)

      If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.

      Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.

      And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...

      So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.

      Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.

      • by westyvw (653833)
        No I dont want "Rich Media Experiences", I want information. Thats the problem right there.
  • by BabyDave (575083) on Tuesday October 14, 2008 @03:01PM (#25372757)
    On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?
    • Yes, I do that on Linux regularly.

      Just add this to your crontab:

      0 * * * * rm -rf ~/.macromedia ~/.adobe

      (If you actually use their other products, you might want to be more specific, like ~/.adobe/Flash_Player)

    • by Bob Ince (79199)

      Yes - and from 'macromedia.com' in the same folder. And in fact you *must* delete these files directly if you want to clear your browsing history. The browser's built in delete-history function will not do it.

      Even if you set Flash to never allow any storage for any domain(*), it still stores a pointless stub file for each domain in this folder, containing no information except for the side-effect of silently storing every domain you've visited with a Flash player in it.

      * - and if you do that, a bunch of Fla

  • Quick fix? (Score:2, Interesting)

    by elashish14 (1302231)
    I did this and it seems to work: rm -r .macromedia ln -s /dev/null ~/.macromedia YMMV.
  • by Anonymous Coward on Tuesday October 14, 2008 @03:03PM (#25372805)

    Or... a simple batchfile for neutering the little bastards completely. [elifulkerson.com] ... assuming they haven't changed anything.

  • by Craptastic Weasel (770572) on Tuesday October 14, 2008 @03:05PM (#25372829)
    Go to This site [macromedia.com]

    1.) Go to Website Storage settings -> Delete all sites

    2.) Go to Global Storage settings -> allow 0 kb of storage

    3.) ????? 4.) Profit! (and/or continue going to porn sites...)
    • All those shared data I see on my computer are fropm cnn, nbc, edios, ea, youtube, etc.... Maybe then again that is because I am NOT stupid enough to allow java or flash on a shady site...
      • Noscript is the reason I only have 3 websites listed, I'm guessing. It's amazing the amount of flash I find that I'm "missing", when I use some chump's computer. There really is a lot of garbage on a lot of websites.
  • by Doc Ruby (173196) on Tuesday October 14, 2008 @03:36PM (#25373251) Homepage Journal

    I can understand if there's a bug that lets one site read or write another site's cookies. But how are properly functioning cookies any threat to privacy? They are indeed a threat to anonymity, only because they let a site ID a browser (or a Flash player or some other client) as "the same as that other time". But what private info other than that you are the same person (or maybe not, on a shared machine) is threatened? The remote site could just store on its server any info about your transactions. It could require that you login to verify that you're that same returning visitor. And even without cookies, a remote site could send any info it got from your transactions over to any other site without notifying you. Cookies have nothing to do with it.

    Of course, any info stored on my machine should have a usable UI to manage it. But an inconvenient one isn't really a "privacy threat". After all, what is the threat? What goes wrong when it's abused?

    • Re: (Score:2, Informative)

      by Spamalope (91802)

      But how are properly functioning cookies any threat to privacy?

      If the cookies are set by a 3rd party who has linked content on many websites, that 3rd party can track your activity through all of those sites. If you visit a website that you've given your personal details (say, to buy something), then the website and 3rd party can share information about you. Now they both know who you are and what you do online.

      How do you feel about banner ads hosted by 3rd parties setting cookies on your computer now?

    • Re: (Score:2, Informative)

      Cross correlation is a huge problem, because sites do deals with each other to trade information. Advertisers, present on nearly every site get to save cookies that correlate where you have visited. They can then on-sell or match that information to that from other companies. Thus simply by browsing the web you are potentially creating a public profile available to anyone who wants to buy it. How would you feel if a future employer could purchase and review your browsing history and see a large subset o

  • The same thing can apply to any browser-side storage : localStorage, globalStorage, userData, Google Gears and HTML5 database storage.

    Purging those is not as easy as with cookies.

    But they also have a lot of legitimate uses.

    • by truedfx (802492)

      Are you talking about purging them for specific domains, or globally? For specific domains, I can imagine why it might be a problem (though I'm not aware of how any of them are stored on disk), but if you mean globally, is there any problem in removing the relevant directories, exactly as at least I would do for cookies? Surely none of them are stored in the same directory as (for example) the browser bookmarks?

      As for the legitimate uses, I suppose it depends on your viewing habits. There are not nearly eno

  • Here's the user-unfriendly GUI for deleting them one at a time, each one requiring confirmation.

    I clicked on delete all sites - it asked if I wanted to and every one of them was gone in two clicks.

  • "... all your cookies are belong to us..."

    - the Cookie Monster.

  • Macromedia? (Score:4, Interesting)

    by dangitman (862676) on Tuesday October 14, 2008 @04:46PM (#25374235)
    Shouldn't that be Adobe Flash now?
    • Re: (Score:3, Funny)

      by josath (460165)
      Give him a break, that acquisition was only announced three and a half years ago, he may not have heard about it yet. I mean, he's just now hearing about the "flash cookies" which have been around for like six years.
  • CCleaner [ccleaner.com] does a n ice job of keeping this intrusion,a nd others, under control.
  • When a guy at Defcon gave a talk on this in August he even mentioned then that it was essentially old news. However, it is interesting that not everybody knows about this and that browsers can't just clear this data out more trivially.

It's time to boot, do your boot ROMs know where your disk controllers are?

Working...