Forgot your password?
typodupeerror
Privacy Security Your Rights Online

Un-killable 'Evercookie' Killed ... Sometimes 186

Posted by CmdrTaco
from the use-silver-bullets dept.
Trailrunner7 writes "The persistent method that security researcher Samy Kamkar introduced last week for storing tracking data on a user's machine, known as the 'Evercookie,' is even more worrisome when used on mobile devices, according to another researcher's analysis. The Evercookie is a simple method for forcing a user's machine to retain browser cookies by storing the data in a number of different locations. The method also has the ability to recreate deleted cookies if it finds that the user has removed them. Created by Kamkar as a demonstration of a way that sites could use to persistently track users even after they clear their browser cookies, the Evercookie has drawn the attention of a number of other researchers who have spent some time looking for methods to defeat it. A researcher in South Africa took a look at the way the the Evercookie works on both Safari on the desktop and on mobile devices, and found that it can be undone in some circumstances. However, he also found that the mobile version of Safari fares far worse in its handling of the Evercookie than the standard version does."
This discussion has been archived. No new comments can be posted.

Un-killable 'Evercookie' Killed ... Sometimes

Comments Filter:
  • Evercookie is clever (Score:4, Informative)

    by Nichotin (794369) on Tuesday October 19, 2010 @06:30PM (#33954232)
    For forum administrators, it is a very clever way to keep many ban evaders out. While it is not un-killable, it is pretty much a pain in the ass to get rid of, since it will get back if you miss a single one and visit the site again. Read the list of the places it stores its cookies, and be amazed how many there actually are. So, 1) ban user, 2) place cookie, 3) user signs up again, 4) your site detects the evercookie + new registration, 5) verify and ban again (unless the user suddenly becomes a good user, of course).
    • by Anonymous Coward on Tuesday October 19, 2010 @06:34PM (#33954286)

      While it is not un-killable, it is pretty much a pain in the ass to get rid of, since it will get back if you miss a single one and visit the site again.

      Didn't we used to call this kind of stuff "malware"? When did it become acceptable, no matter how annoying or unwanted the user is, to put something on their computer without their knowledge that is hard or near-impossible to remove?

      • Re: (Score:3, Interesting)

        by Yvan256 (722131)

        Malware is executable software. The evercookie isn't software, it's a simple marker.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Oh please. There are plenty of malicious sites that do unwanted things to your computer that don't leave an executable. It doesn't have to be "executable software" to be malware.

        • by tehdaemon (753808) on Tuesday October 19, 2010 @07:03PM (#33954596)
          Malmarker then? Maldata? Evilbytes? I suppose at some level pedantry about word definitions makes sense, so fine, don't call it malware. But it is in the same 'badness' class as most malware, and needs an equally bad name to go with it.

          T

          • by severoon (536737)
            Well, ok, it's just data, not software. But what ought we call the algorithm that nestles that data gently on the tip of a steel-toed boot and then forcefully plants that data squarely in your browser's brown-eye?
          • Re: (Score:3, Insightful)

            by davidbofinger (703269)
            It's not the same concept but "malcontent" deserves to be coined.
          • All that nasty browser plugin malware (mywebsearch/coolwebsearch) has been called malware from day one, and it isn't executable software...

        • by The Wild Norseman (1404891) <tw.norseman@gmail. c o m> on Tuesday October 19, 2010 @07:04PM (#33954608)

          Malware is executable software. The evercookie isn't software, it's a simple marker.

          The cookie resides on my hardware, doing something (tracking -- albeit doing something passively in this case) which I only wish to grant it for a limited amount of time. When the makers of this cookie make it extremely difficult to delete, which takes away the control I have over the data on my computer, then I see no practical difference between this passive cookie and active malware. Just MHO.

          • by Yvan256 (722131) on Tuesday October 19, 2010 @07:10PM (#33954668) Homepage Journal

            If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.

            Next thing you know we have teachers who think Linux is a Windows program and that no computer can run without a Microsoft OS.

            • by CCarrot (1562079) on Tuesday October 19, 2010 @07:35PM (#33954918)

              If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.

              Ordinary cookies don't actively fight removal by the user, and once they're gone, they're gone.

              Ordinary (non-malware) applications don't actively fight removal by the user, and once they're gone, they're gone (okay, other than some leftover user/config data sometimes, but the program itself is gone and no longer does what it was designed to do).

              The 'Evercookie', on the other hand, behaves exactly like malware in that it actively resists being deleted by the user, even to the point of rebuilding itself after deliberate removal attempts, and all for the benefit of a third party.

              • This.

                If I want to be tracked permanently by a website, I'll create an account and log in. They can trace me by logging my actions while logged in. Any site which tracks me without me logging in to an account had better let me delete their tracking cookie, or they'll very quickly lose my business.

                I do mean business, too. They're in the business of serving me advertisements. I'll not be looking at them if I stop visiting the site.
            • Re: (Score:3, Insightful)

              by waveclaw (43274)
              The Microsoft-is-the-computer idea is already well entrenched. You don't buy a computer anymore. You buy Windows or your buy a Mac.

              I bought a cheap, pre-built computer sitting in the font of a store to replace one of my (cheaper, older, dead) personal development servers. It had a Microsoft OS on it. I asked for the PC tech running the store to remove the OS and give me the price difference.

              His first reply was that PC's don't work without Windows.

              I told him I was going to just put Linux on it.

              Th

            • by bankman (136859)

              If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.

              I know this one: Trojans [trojancondoms.com] prevent me from getting viruses [wikipedia.org]. So one is good and the other is bad, right?

            • Malware is an umbrella term that covers viruses, trojans and things like malevolent browser plugins and word processor macros (which are not executable software).

              Cookies (whether of the traditional, HTML5 or Flash kind) have been classified as "privacy risks" or something like that by many PC antivirus apps, which is a fair classification. Evercookies AT LEAST belong in this category - they're worse than any one of the technologies it exploits. Whether privacy risks should be classified as malware is open f

          • Next you'll whine that the website I created left some cached files on your computer.

          • by LoudMusic (199347)

            I think you misunderstand. This is just going to the trouble of using all methods that the client computer allows to uniquely identify the client computer in the future. It's not doing any haxy work to maliciously place markers. It's only doing things that the client PC is already set to allow.

        • Re: (Score:2, Insightful)

          by drcheap (1897540)

          Malware is executable software. The evercookie isn't software, it's a simple marker.

          And what puts that "simple marker" on your computer? Oh yeah, JavaScript, which last time I checked is executable software.

          • by ls671 (1122017) *

            Not directly, more precisely; javascript is 'indirectly' executed ("interpreted") by an interpreter program.

            I realize that I am picking on you a bit but still, I consider the precision worthy ;-)

        • by Firehed (942385) on Tuesday October 19, 2010 @07:39PM (#33954954) Homepage

          It's a fairly complex storage mechanism, designed to get around a user's preferences. In the wrong hands, it's very dangerous. I'd certainly call it closer to malware than, for example, the recent iPhone jailbreaks - which are so kind as to patch the security flaw that let the software run in the first place. Yet by your reasoning, jailbreaking is malware and evercookies are harmless. If you think that ad retargeting (ads that basically follow you around the web) is creepy, wait until they know with 100% certainty that you're a known user in some known demographic.

          • Wait until computers come preloaded from $Big_computer_manufacturer with your name in the evercookie and online advertisers link into databases to find out your income, address, if you're married, if you have kids, if you're republican or democrat, if you've got a pet, if you have a hunting/fishing/gun license, etc. They'll still send you ads for things you don't give a shit about, but if you don't start buying they'll slowly get creepier and creepier, and then the computer will tell you that it could repla
        • by KiloByte (825081)

          How do you store a marker on a computer without software? Does it leave a physical marker other than a magnetic charge on the disk?

          "Software" means a "string of bits", not a "program". This is the definition I was taught, and it is the most popular one.

          As for example the Wikipedia article [wikipedia.org] mentions, there is also a rare narrower definition which says what you meant. It has gained some popularity recently, but it suffers from being badly imprecise: what about PostScript? What about Perl's POD? What about

      • by pclminion (145572) on Tuesday October 19, 2010 @07:04PM (#33954612)

        Just put it in the ToS for the site that you use "advanced measures to track banned users." Presto, now you're not being underhanded about it, which is really the critical difference between malware and other forms of software.

        • by Firehed (942385) on Tuesday October 19, 2010 @07:41PM (#33954974) Homepage

          Putting something in the TOS to "not [be] underhanded" is, in itself, being underhanded. Or perhaps you're that one non-crawler in my server logs with the request to /about/terms, in which case I take that back.

      • It might have been malware (maldata?) if the guy had sold his work to unscrupulous companies. Instead, the researcher who developed the Evercookie has done us all a favor: he published exactly what Evercookie does. This makes everyone aware of the problem, and you can bet that browsers and add-ins will address the problem soon.

        Evercookie makes it clear that browsers need a central administration panel to manage all data that can be stored - directly or indirectly - by websites. I expect that the next majo

    • Re: (Score:3, Insightful)

      Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :) I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things. IPs won't even help that now. Looks pretty broken. Hope the evercookie is chocolate.

      • by MagicM (85041)

        I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things.

        You sound like a fascinating person and I would like to subscribe to your newsletter.

      • by _Sprocket_ (42527)

        Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :)

        I would suspect you represent a very small minority.

      • by couchslug (175151)

        "Not if they visit using a Live CD based OS."

        VMs aren't just for running "installed" operating systems. :)

        A live CD image boots nicely under QEMU and VirtualBox. Grab some .isos and enjoy.

        http://www.damnsmalllinux.org/ [damnsmalllinux.org] is small, light, and fast, but you can run Ubuntu and similar images.

        If you remaster your image with custom software, you can use it as easily as a premade .iso.

      • Re: (Score:3, Insightful)

        Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :) I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things. IPs won't even help that now. Looks pretty broken. Hope the evercookie is chocolate.

        Sooo... what's your point again? What percent of the population uses a LIveCD installation? And of that percentage, what further subset does so without any persistent storage (flash drive, etc) for user settings? (And if one person replies to me "I do, so there" [or its equivalent] , consider yourself virtually smacked for missing the point.)

        I'd say it's not broken until there's a less drastic means of evading it. If the only way to do so means - a) clearing history after every page and b) disabling c

    • by c0lo (1497653)

      4) your site detects the evercookie + new registration, 5) verify and ban again (unless the user suddenly becomes a good user, of course).

      Good-bye posting from Internet cafe's from a guest account.

    • But ... don't they have to have the password to /root in order to do this?

      Oh, wait...

  • If only... (Score:5, Funny)

    by NoobixCube (1133473) on Tuesday October 19, 2010 @06:32PM (#33954262) Journal

    I wish I had an evercookie. A magical cookie that regrows every time you take a bite out of it sounds like an amazing idea.

  • by al0ha (1262684) on Tuesday October 19, 2010 @06:35PM (#33954300) Journal
    A combination of FlashBlock and perhaps RequestPolicy, combined with caching set to 0 and a block on the ever cookie creator domain results in no ever cookies being successfully set on FF 3.6.10 on RHEL 5.4 - I'd venture to guess it will be the same for other OS running FF at least.

    If I don't block the domain cookie creation then just a standard cookie is created.
    • How does that prevent HTML5 local storage? How about the BrowserHistory storage? (e.g. domain/path/unique/1st-byte, domain/path/unique/2nd-byte, etc.) And CSS history storage? The most ingenious method is PNG RBG value storage! You block all images too?

      I use NoScript (but I still temp-allow the primary site, otherwise why browse at all), CookieMonster in whitelist-only mode, and BetterPrivacy to delete flash LSOs on startup and shutdown. This still does not prevent the Ever Cookie.

      Did anyone here read

  • by antifoidulus (807088) on Tuesday October 19, 2010 @06:35PM (#33954306) Homepage Journal
    Now that the Cookie Monster has gone all health food we cannot rely on him to help us out here.
  • It mentions mobile devices.. you could just use Skyfire and get flash without having to worry about flash evercookie issues since it's rendered remotely
  • Why Safari (Score:3, Interesting)

    by willoughby (1367773) on Tuesday October 19, 2010 @06:51PM (#33954478)
    I admit I didn't RTFA but why are they talking about Safari? Are other browsers immune? Is any browser immune?
    • by _Sprocket_ (42527)

      If you can't be bothered to RTFA, you likely can't be bothered reading an explanation.

    • Re: (Score:3, Interesting)

      by BUL2294 (1081735)
      For some reason, TFA only mentions Safari. No mention of IE (though Silverlight is mentioned) or Firefox, just Safari & Chrome. I don't know if that's because the author hasn't gotten around to testing Firefox or if it's immune--but Silverlight & Flash could be holes for FF.

      Frankly, I never trusted Google's ability to vet Apple's (Webkit) code for security holes... And I just don't trust Apple.

      And what the hell is "HTML5 database storage"--and why would I want to give any app persistent stora
      • by CODiNE (27417)

        And what the hell is "HTML5 database storage"--and why would I want to give any app persistent storage? Seems like a great way to store malware...

        If you use gmail on an iPad in Safari when you log in for the first time with a username it'll as if you give permission to make a 10MB storage file on the device for that users email cache.

        It does this for every gmail account you log on with. If you accept, then the next time you go to gmail it loads the default view with the cache and then the new emails pop up

        • by Tacvek (948259)

          The database storage feature is an evolution of a feature originally found in Google Gears. The original purpose was to permit offline capable websites. For example, one could store several years worth of calendar data in a fairly small amount of space, so would it not be convenient to let Google calendar do that, and also request caching of itself such that you could visit it when offline and still see your calendar?

          Now, you might be one of those users who would say that is absurd, I will use my desktop ca

      • by Carewolf (581105)

        And what the hell is "HTML5 database storage"--and why would I want to give any app persistent storage? Seems like a great way to store malware...

        The "HTML5" local storage idea is one of a few trojan horses embedded into HTML5. It is mostly ignored because no one actually is planning on implementing HTML5 in its entirety, but the pure evilness of the idea has made it one of the first that Safari has implemented, and yes: It is similar to cookies, only more powerful (so they more like hash brownies, really)

    • by pjt33 (739471)

      From reading the list of attacks I think Lynx should be, provided you tell it not to store the "normal" cookie.

    • by Gollum (35049)

      Dominic chose to start his efforts to remove the evercookie with Safari. Others have tried with Chrome and FF, etc. No browser is immune, although those that do not support HTML5, or flash are a lot better off.

  • by the_raptor (652941) on Tuesday October 19, 2010 @06:57PM (#33954540)

    With Adblock plus, NoScript and BetterPrivacy Firefox addons I had to whitelist the domain before "Evercookie" would even work. And even then as soon as I revoked permissions for everything except NoScript the only bit that stuck was the cache image "cookie". Considering there are already addons to prevent normal cookies and flash cookies it would take all of a day, after this method for "eternal cookies" appeared in the wild, for an addon to be released that blocked it.

    The only message from this and previous articles is "most people are stupid and don't follow basic steps to maintain their security and privacy".

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Because from what you just described as necessary to keep out these Evercookies, this isn't "basic steps". This is advanced knowledge of how cookies and browser technology work and interact. Four different browser specific addons should not be required to maintain privacy, and that is the point. People aren't stupid, they just don't know. Arrogance about it won't help.

    • by psyclone (187154)

      The problem with that method is that you still have to clear your entire cache (specifically PNG files and HTML5 local storage, though you can't pick and choose) AND browser history, even when using privacy enhancing extensions. Samy's method uses external sites for the browser history hack, but it could easily use the same domain.

      I'm one of the few that likes the 'awesome bar' and I rarely use bookmarks anymore as history serves my needs, and is quicker from the keyboard too. (Versus a hierarchy of bookma

    • It takes quite a bit of knowledge to know when to allow and forbid various forms of scripting and cookies, many legitimate websites require these to be functional. (Try blocking everything with Noscript and then use lots of mainstream sights). I don't think people should need to be expert to have privacy. One of the great advantages of advanced civilizations is that the allow people to specialize, there are just too many fields for a person to be expert in everything.

  • For Windows PCs.

    Install CCleaner. De-select the option to only remove files older than 24 hours. Flush all browser cache, temp files, and temp application items. Basically, select all except for the "Wipe Free Space" option. Reboot, run again to be sure.

    Evercookie should be nuked from orbit.

  • NeoPacman just need to take the red pill, and will be ready.
  • by DarkOx (621550) on Tuesday October 19, 2010 @09:43PM (#33955974) Journal

    Its reasons like this and others I no longer run my browser under my own user account. I have a separate account I run the browser as, actually two there is one I use just to access my bank, and give it permissions on my X server. It has no group memberships that will let it do anything other than read access to system binaries and libraries, basically its only a member of users. I than give my own user account permission to run the browser as the other user with sudo.

    This way I can delete the entire home directory from time to time, or anytime I suspect something fishy has happened.

    • by DarkOx (621550)

      replying to my own post--

        yes sometimes its a bit of a headache if I want to upload a file or anything I usually have to chmod it long enough to accomplish that and than put it back.

    • by PReDiToR (687141)
      You're not the only one doing this.

      I have several browsers and several accounts on my machine.

      Love Linux, hate malware.
    • by hAckz0r (989977)
      I'm not sure if you are using Linux or not (you say you have an X server), but if you are and have the right hardware you might want to look at Qubes-os.org. Each network application is made to run in its own Xen VM, with fast startup and a read only file system. Any persistence can be undone easily and reverted back to a good known state. You simply use one browser instance for banking and another for cruising the web, and neither instance can affect the other.

      btw - I used to do what you are suggesting

    • Re: (Score:2, Insightful)

      by notsinge (1925098)
      The user account you run your browser under makes no difference. This is about tracking you around the web. If you log into Google as your real identity, it sets a cookie (evercookie or otherwise), then every site you visit with adsense enabled marks your real identity down as having visited that site. You could be running your browser as whatever user you like in a chrooted Quebes VM all in a BSD jail and none of that will do a damn thing to stop this.
  • by Reziac (43301) * on Tuesday October 19, 2010 @11:53PM (#33956836) Homepage Journal

    Seems to me such stuff could be defeated (or at least rendered easily findable) if the browser is only allowed to write data to certain directories regardless of what some script might wish, unless the user actively specifies elsewhere (such as to save a download). Also seems to me this could be programmed into the browser so the user need not worry about it (indeed, would not need to even know about it).

    Someone will probably point out flaws in this scheme, but the concept is to make the "cure" as simple as possible.

  • I'm seeing a lot of sudden chatter about something called 'epoclick.com'. It seems to be some form of redirect. I've seen reports of it affecting Firefox and Chrome, in Windows and OS X. It sounds like an Evercookie to me. I really hope it's not a virus.
  • What happens when a site requires cookies to function properly (for session tracking and such) and the the EverCookies become corrupted? You can't just tell the user to "clear out their cookies" to solve the problem. You've just permanently broken your website on that computer unless you do allow a way for a user to remove them.

  • I just called the Cookie Monster, and let him deal with it.
  • can you modify this evercookie to do something interesting to the database that's accessing it? after all its on YOUR computer, and you don't want it. you tried to delete it, but it came back. seems to be fair game to make it do what YOU want.

  • I only browse with a virtual machine that is copied from a clean original every day ;)

Reference the NULL within NULL, it is the gateway to all wizardry.

Working...