Un-killable 'Evercookie' Killed ... Sometimes
Trailrunner7 writes "The persistent method that security researcher Samy Kamkar introduced last week for storing tracking data on a user's machine, known as the 'Evercookie,' is even more worrisome when used on mobile devices, according to another researcher's analysis. The Evercookie is a simple method for forcing a user's machine to retain browser cookies by storing the data in a number of different locations. The method also has the ability to recreate deleted cookies if it finds that the user has removed them. Created by Kamkar as a demonstration of a way that sites could use to persistently track users even after they clear their browser cookies, the Evercookie has drawn the attention of a number of other researchers who have spent some time looking for methods to defeat it. A researcher in South Africa took a look at the way the Evercookie works on both Safari on the desktop and on mobile devices, and found that it can be undone in some circumstances. However, he also found that the mobile version of Safari fares far worse in its handling of the Evercookie than the standard version does."
Evercookie is clever (Score:4, Informative)
Re:Evercookie is clever (Score:5, Insightful)
While it is not un-killable, it is pretty much a pain in the ass to get rid of, since it will get back if you miss a single one and visit the site again.
Didn't we used to call this kind of stuff "malware"? When did it become acceptable, no matter how annoying or unwanted the user is, to put something on their computer without their knowledge that is hard or near-impossible to remove?
Re: (Score:3, Interesting)
Malware is executable software. The evercookie isn't software, it's a simple marker.
Re: (Score:2, Interesting)
Oh please. There are plenty of malicious sites that do unwanted things to your computer that don't leave an executable. It doesn't have to be "executable software" to be malware.
Re:Evercookie is clever (Score:4, Insightful)
T
Re: (Score:2)
All that nasty browser plugin malware (mywebsearch/coolwebsearch) has been called malware from day one, and it isn't executable software...
Re:Evercookie is clever (Score:5, Insightful)
Malware is executable software. The evercookie isn't software, it's a simple marker.
The cookie resides on my hardware, doing something (tracking -- albeit doing something passively in this case) which I only wish to grant it for a limited amount of time. When the makers of this cookie make it extremely difficult to delete, which takes away the control I have over the data on my computer, then I see no practical difference between this passive cookie and active malware. Just MHO.
Re:Evercookie is clever (Score:4, Interesting)
If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.
Next thing you know we have teachers who think Linux is a Windows program and that no computer can run without a Microsoft OS.
Re:Evercookie is clever (Score:4, Insightful)
If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.
Ordinary cookies don't actively fight removal by the user, and once they're gone, they're gone.
Ordinary (non-malware) applications don't actively fight removal by the user, and once they're gone, they're gone (okay, other than some leftover user/config data sometimes, but the program itself is gone and no longer does what it was designed to do).
The 'Evercookie', on the other hand, behaves exactly like malware in that it actively resists being deleted by the user, even to the point of rebuilding itself after deliberate removal attempts, and all for the benefit of a third party.
Re: (Score:2)
If I want to be tracked permanently by a website, I'll create an account and log in. They can trace me by logging my actions while logged in. Any site which tracks me without me logging in to an account had better let me delete their tracking cookie, or they'll very quickly lose my business.
I do mean business, too. They're in the business of serving me advertisements. I'll not be looking at them if I stop visiting the site.
Re: (Score:3, Insightful)
I bought a cheap, pre-built computer sitting in the front of a store to replace one of my (cheaper, older, dead) personal development servers. It had a Microsoft OS on it. I asked for the PC tech running the store to remove the OS and give me the price difference.
His first reply was that PC's don't work without Windows.
I told him I was going to just put Linux on it.
Th
Re: (Score:2)
If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.
I know this one: Trojans [trojancondoms.com] prevent me from getting viruses [wikipedia.org]. So one is good and the other is bad, right?
Re: (Score:2)
Malware is an umbrella term that covers viruses, trojans and things like malevolent browser plugins and word processor macros (which are not executable software).
Cookies (whether of the traditional, HTML5 or Flash kind) have been classified as "privacy risks" or something like that by many PC antivirus apps, which is a fair classification. Evercookies AT LEAST belong in this category - they're worse than any one of the technologies it exploits. Whether privacy risks should be classified as malware is open f
Re: (Score:2)
I know, I know, let's call it... Evercookie!
Re: (Score:2)
Next you'll whine that the website I created left some cached files on your computer.
Re: (Score:2)
I think you misunderstand. This is just going to the trouble of using all methods that the client computer allows to uniquely identify the client computer in the future. It's not doing any haxy work to maliciously place markers. It's only doing things that the client PC is already set to allow.
Re: (Score:2, Insightful)
Malware is executable software. The evercookie isn't software, it's a simple marker.
And what puts that "simple marker" on your computer? Oh yeah, JavaScript, which last time I checked is executable software.
Re: (Score:2)
Not directly, more precisely; javascript is 'indirectly' executed ("interpreted") by an interpreter program.
I realize that I am picking on you a bit but still, I consider the precision worthy ;-)
Re:Evercookie is clever (Score:5, Insightful)
It's a fairly complex storage mechanism, designed to get around a user's preferences. In the wrong hands, it's very dangerous. I'd certainly call it closer to malware than, for example, the recent iPhone jailbreaks - which are so kind as to patch the security flaw that let the software run in the first place. Yet by your reasoning, jailbreaking is malware and evercookies are harmless. If you think that ad retargeting (ads that basically follow you around the web) is creepy, wait until they know with 100% certainty that you're a known user in some known demographic.
Re: (Score:2)
How do you store a marker on a computer without software? Does it leave a physical marker other than a magnetic charge on the disk?
"Software" means a "string of bits", not a "program". This is the definition I was taught, and it is the most popular one.
As for example the Wikipedia article [wikipedia.org] mentions, there is also a rare narrower definition which says what you meant. It has gained some popularity recently, but it suffers from being badly imprecise: what about PostScript? What about Perl's POD? What about
Re:Evercookie is clever (Score:4, Interesting)
Just put it in the ToS for the site that you use "advanced measures to track banned users." Presto, now you're not being underhanded about it, which is really the critical difference between malware and other forms of software.
Re:Evercookie is clever (Score:4, Insightful)
Putting something in the TOS to "not [be] underhanded" is, in itself, being underhanded. Or perhaps you're that one non-crawler in my server logs with the request to /about/terms, in which case I take that back.
Re: (Score:2)
Yes, installing a cookie on a user's system after informing them that you will be doing so, is equivalent to waterboarding enemy combatants in secret holding facilities. Get real.
Re: (Score:2, Insightful)
Putting something in your Terms of Service isn't the same thing as informing the user, even if it's legally regarded to be so.
Evercookie does us all a favor (Score:3, Insightful)
It might have been malware (maldata?) if the guy had sold his work to unscrupulous companies. Instead, the researcher who developed the Evercookie has done us all a favor: he published exactly what Evercookie does. This makes everyone aware of the problem, and you can bet that browsers and add-ins will address the problem soon.
Evercookie makes it clear that browsers need a central administration panel to manage all data that can be stored - directly or indirectly - by websites. I expect that the next majo
Re: (Score:3, Insightful)
Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :) I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things. IPs won't even help that now. Looks pretty broken. Hope the evercookie is chocolate.
Re: (Score:2)
I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things.
You sound like a fascinating person and I would like to subscribe to your newsletter.
Re: (Score:2)
Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :)
I would suspect you represent a very small minority.
Re: (Score:2)
"Not if they visit using a Live CD based OS."
VMs aren't just for running "installed" operating systems. :)
A live CD image boots nicely under QEMU and VirtualBox. Grab some .isos and enjoy.
http://www.damnsmalllinux.org/ [damnsmalllinux.org] is small, light, and fast, but you can run Ubuntu and similar images.
If you remaster your image with custom software, you can use it as easily as a premade .iso.
Re: (Score:3, Insightful)
Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :) I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things. IPs won't even help that now. Looks pretty broken. Hope the evercookie is chocolate.
Sooo... what's your point again? What percent of the population uses a LIveCD installation? And of that percentage, what further subset does so without any persistent storage (flash drive, etc) for user settings? (And if one person replies to me "I do, so there" [or its equivalent] , consider yourself virtually smacked for missing the point.)
I'd say it's not broken until there's a less drastic means of evading it. If the only way to do so means - a) clearing history after every page and b) disabling c
Re: (Score:2)
4) your site detects the evercookie + new registration, 5) verify and ban again (unless the user suddenly becomes a good user, of course).
Good-bye posting from Internet cafes from a guest account.
Re: (Score:2)
Oh, wait...
If only... (Score:5, Funny)
I wish I had an evercookie. A magical cookie that regrows every time you take a bite out of it sounds like an amazing idea.
Re: (Score:2)
So how does that work with Cookie Monster that eats up several cookies at once? Can it regrow if you eat it all up or do you necessarily have to have just a bite?
Re: (Score:2)
Imagine what happens if you try to eat the whole cookie at once.
Re:If only... (Score:4, Funny)
You shit cookies for the rest of your life?
+1 Funny (Score:2)
Ah, but for mod points...
Cheers,
Re: (Score:2)
It will obviously regrow as you digest it (giving you diabetes and making an average US citizen look thin in comparison to you).
Re: (Score:2)
I wish I had an evercookie. A magical cookie that regrows every time you take a bite out of it sounds like an amazing idea.
Stay away from the one with blueberries in it.
Re: (Score:2)
Sounds so good, I wish I had two!
Well for Linux anyway (Score:5, Informative)
If I don't block the domain cookie creation then just a standard cookie is created.
That won't work (Score:2)
How does that prevent HTML5 local storage? How about the BrowserHistory storage? (e.g. domain/path/unique/1st-byte, domain/path/unique/2nd-byte, etc.) And CSS history storage? The most ingenious method is PNG RGB value storage! You block all images too?
I use NoScript (but I still temp-allow the primary site, otherwise why browse at all), CookieMonster in whitelist-only mode, and BetterPrivacy to delete flash LSOs on startup and shutdown. This still does not prevent the Ever Cookie.
Did anyone here read
cd ~; rm -rf .mozilla .macromedia - there, done. (Score:2)
Evercookies my arse.
Re:Well for Linux anyway (Score:4, Informative)
Make the folder ~/.macromedia read only. Works with Linux, but not in Windows.
I just tried it under linux.
When I made the empty ~/.macromedia directory read-only, the flash plugin consistently crashed.
So I made sure that Flash_Player sub-folder was created by the plugin first, deleted any cookie files and then did a recursive chmod -R a-w ~/.macromedia and it seems to work fine now.
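The ordering described in the comment above (let the plugin create `Flash_Player` first, delete the stored objects, then remove write permission), as an added shell example that is not part of the thread. The `#SharedObjects` path and `.sol` extension are the usual Flash layout on Linux, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): lock down Flash Local Shared Object
# (LSO) storage on Linux.
# Assumed layout: ~/.macromedia/Flash_Player/#SharedObjects/<id>/<site>/*.sol

# Number of LSO files (*.sol) still present under a directory.
count_lso() {
    find "$1" -type f -name '*.sol' 2>/dev/null | wc -l | tr -d ' '
}

# Number of entries (symlinks excluded) that still carry any write bit.
count_writable() {
    find "$1" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) \
        2>/dev/null | wc -l | tr -d ' '
}

# lock_flash_lso [dir]   (dir defaults to ~/.macromedia)
#   0  stored objects deleted and the tree made read-only
#   1  chmod failed
#   2  Flash_Player sub-folder missing: refuse to lock, because the thread
#      reports the plugin crashing when an empty directory is read-only
#   3  verification failed (an LSO or a write bit is still there)
lock_flash_lso() {
    base="${1:-$HOME/.macromedia}"
    if [ ! -d "$base/Flash_Player" ]; then
        echo "refusing: $base/Flash_Player missing; run the plugin once first" >&2
        return 2
    fi
    # Undo an earlier lock so anything written since can be deleted.
    chmod -R u+w "$base" || return 1
    find "$base" -type f -name '*.sol' -exec rm -f {} +
    chmod -R a-w "$base" || return 1
    # Check the permission bits rather than attempting a write: root can
    # write regardless of mode, so a write probe would prove nothing.
    if [ "$(count_lso "$base")" -ne 0 ] || [ "$(count_writable "$base")" -ne 0 ]; then
        return 3
    fi
    return 0
}

# Run against the real directory only when asked to explicitly.
if [ "${1:-}" = "--run" ]; then
    lock_flash_lso
fi
```

This closes only the Flash storage location; the other stores named in the thread (HTTP cookies, cache, HTML5 storage, history) are untouched by it.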
Unfortunately (Score:4, Funny)
well, actually (Score:2)
Why Safari (Score:3, Interesting)
Re: (Score:2)
If you can't be bothered to RTFA, you likely can't be bothered reading an explanation.
Re: (Score:3, Interesting)
Frankly, I never trusted Google's ability to vet Apple's (Webkit) code for security holes... And I just don't trust Apple.
And what the hell is "HTML5 database storage"--and why would I want to give any app persistent stora
Re: (Score:2)
If you use gmail on an iPad in Safari when you log in for the first time with a username it'll ask if you give permission to make a 10MB storage file on the device for that users email cache.
It does this for every gmail account you log on with. If you accept, then the next time you go to gmail it loads the default view with the cache and then the new emails pop up
Re: (Score:2)
The database storage feature is an evolution of a feature originally found in Google Gears. The original purpose was to permit offline capable websites. For example, one could store several years worth of calendar data in a fairly small amount of space, so would it not be convenient to let Google calendar do that, and also request caching of itself such that you could visit it when offline and still see your calendar?
Now, you might be one of those users who would say that is absurd, I will use my desktop ca
Re: (Score:2)
The "HTML5" local storage idea is one of a few trojan horses embedded into HTML5. It is mostly ignored because no one actually is planning on implementing HTML5 in its entirety, but the pure evilness of the idea has made it one of the first that Safari has implemented, and yes: It is similar to cookies, only more powerful (so they're more like hash brownies, really)
Lynx (Score:2)
From reading the list of attacks I think Lynx should be, provided you tell it not to store the "normal" cookie.
Re: (Score:2)
Dominic chose to start his efforts to remove the evercookie with Safari. Others have tried with Chrome and FF, etc. No browser is immune, although those that do not support HTML5, or flash are a lot better off.
Evercookie = Nevercookie (Score:4, Interesting)
With Adblock plus, NoScript and BetterPrivacy Firefox addons I had to whitelist the domain before "Evercookie" would even work. And even then as soon as I revoked permissions for everything except NoScript the only bit that stuck was the cache image "cookie". Considering there are already addons to prevent normal cookies and flash cookies it would take all of a day, after this method for "eternal cookies" appeared in the wild, for an addon to be released that blocked it.
The only message from this and previous articles is "most people are stupid and don't follow basic steps to maintain their security and privacy".
Re: (Score:2, Interesting)
Because from what you just described as necessary to keep out these Evercookies, this isn't "basic steps". This is advanced knowledge of how cookies and browser technology work and interact. Four different browser specific addons should not be required to maintain privacy, and that is the point. People aren't stupid, they just don't know. Arrogance about it won't help.
Re: (Score:2)
The problem with that method is that you still have to clear your entire cache (specifically PNG files and HTML5 local storage, though you can't pick and choose) AND browser history, even when using privacy enhancing extensions. Samy's method uses external sites for the browser history hack, but it could easily use the same domain.
I'm one of the few that likes the 'awesome bar' and I rarely use bookmarks anymore as history serves my needs, and is quicker from the keyboard too. (Versus a hierarchy of bookma
Re: (Score:2)
It takes quite a bit of knowledge to know when to allow and forbid various forms of scripting and cookies, many legitimate websites require these to be functional. (Try blocking everything with Noscript and then use lots of mainstream sites). I don't think people should need to be expert to have privacy. One of the great advantages of advanced civilizations is that they allow people to specialize, there are just too many fields for a person to be expert in everything.
Re: (Score:2)
"Wipe free space" is pretty nice too (though not for every run).
Run it overnight once a week. :)
Not so hard... (Score:2)
Why I don't run my browser as me anymore (Score:4, Interesting)
It's reasons like this and others I no longer run my browser under my own user account. I have a separate account I run the browser as, actually two there is one I use just to access my bank, and give it permissions on my X server. It has no group memberships that will let it do anything other than read access to system binaries and libraries, basically it's only a member of users. I then give my own user account permission to run the browser as the other user with sudo.
This way I can delete the entire home directory from time to time, or anytime I suspect something fishy has happened.
Re: (Score:2)
replying to my own post--
yes sometimes it's a bit of a headache if I want to upload a file or anything I usually have to chmod it long enough to accomplish that and then put it back.
Re: (Score:2)
I have several browsers and several accounts on my machine.
Love Linux, hate malware.
Re: (Score:2)
btw - I used to do what you are suggesting
Restrict write permissions in the browser? (Score:3, Insightful)
Seems to me such stuff could be defeated (or at least rendered easily findable) if the browser is only allowed to write data to certain directories regardless of what some script might wish, unless the user actively specifies elsewhere (such as to save a download). Also seems to me this could be programmed into the browser so the user need not worry about it (indeed, would not need to even know about it).
Someone will probably point out flaws in this scheme, but the concept is to make the "cure" as simple as possible.
Is this an Evercookie? (Score:2)
What about corruption? (Score:2)
What happens when a site requires cookies to function properly (for session tracking and such) and the EverCookies become corrupted? You can't just tell the user to "clear out their cookies" to solve the problem. You've just permanently broken your website on that computer unless you do allow a way for a user to remove them.
I killed the evercookie, it was easy (Score:2)
turn the tables (Score:2)
can you modify this evercookie to do something interesting to the database that's accessing it? after all it's on YOUR computer, and you don't want it. you tried to delete it, but it came back. seems to be fair game to make it do what YOU want.
FYI (Score:2)
Malware (also: scumware), short for malicious software, is software designed to secretly access a computer system without the owner's informed consent. [wikipedia.org]
Solution (Score:2)
I only browse with a virtual machine that is copied from a clean original every day ;)
Re:Solution: (Score:5, Insightful)
That's not the solution. The whole point of the "evercookie" is that it doesn't just use regular HTTP cookies to store information, but also abuses all kinds of common browser features related to CSS, caching, embedded Flash objects and anything else that can be exploited to store state. If all he did was store a cookie only, then any browser worth its salt could easily purge it from the browser history.
So even if you just block cookies, that doesn't prevent this hack from working. You may need to block a whole range of features from JavaScript to HTTP caching to Flash support. It's certainly possible, but not something that an average user is prepared to do.
Re: (Score:2)
Even I'm not prepared to do that and I don't consider myself average (nor above average, but whatever).
Re: (Score:2)
You are right. I see above-average as being those over-achieving wizards of computing. I am no wizard, but nor am I Joe Schmoe using a computer only occasionally.
Fun for Tinfoil Hat Wearers and Spooks (Score:2)
Re: (Score:3, Informative)
Don't accept cookies.
No, not a solution. RTFA. It doesn't matter whether you accept cookies or not. The only two methods of protection are (a) use Safari in private browsing mode, and quit and restart the browser between each and every site; or (b) block absolutely all javascript everywhere without any exception ever. Neither of these is really satisfactory.
Plus, these evercookies transfer from one browser to another because they get stored as LSOs.
Re: (Score:2)
That is pretty nasty.
Did anyone test FF or Chrome private browsing mode? (and no, I won't RTFA, who wants to risk a cookie like that?)
Re: (Score:2)
Some strange "law enforcement" junk ad banner on a site of interest could be very useful.
Who would give it a second thought or think to do some deep clean.
One visit via a spammed link in a dark forum, chatroom and you track yourself with your own hardware.
Re: (Score:2)
I just tested Chrome's private browsing mode. The "cookie" was set, but did not survive when the session was closed. The most likely way for the cookie to survive a private browsing mode is through Flash's Local Stored Object feature. I've not checked with firefox.
Re: (Score:2)
I'm hoping CCleaner will still get it, then.
Re: (Score:2)
What about this extension? [mozilla.org]
Re: (Score:2)
Nevermind. Been reading up... damn these things are vile...
So we need a browser that runs in its own sandbox and disables a ton of standard user features.
Advertiser scum.
Re: (Score:2)
No, you just need a browser that runs in a sandbox that saves NOTHING between runs of the exe. Someone in an earlier story on the evercookie suggested running in a VM, then destroying the VM and creating a new clone. All it would require the user to do is remember their passwords.
Re: (Score:2)
It would make actually downloading anything that you might want to download into a colossal hassle, though, so that's not really a solution.
Re: (Score:2)
That's actually pretty easy to do. I recommend booting a BackTrack4 LiveCD in a VM, it comes with Firefox with NoScript and Flash installed right out of the box. If you want to download something and you're really paranoid, save it to a shared-device USB stick (closed-source VirtualBox or VMware required).
Re: (Score:3, Insightful)
Don't accept cookies.
Also use Links2. (Links is crap, of course. And only losers use lynx...)
Back in the real world, some of us do actually want to use the web for doing more than viewing static HTML pages. One or two of us even appreciate those awful persistent logins that cookies enable...
Re: (Score:2)
I use persistent cookies myself, but when I decide to clear them all out, I like knowing they are all cleared out. I no longer have that assurance (or option).
Re: (Score:2)
And do not run flash.
I find sandboxie does a fantastic job of killing the evercookie every single time. Are CS professors lacking in education lately?
If your browser runs in a sandbox that is destroyed when you exit the browser, the evercookie can't live... No way no how.
Re: (Score:2)
> Don't accept cookies.
RTFA
Re: (Score:2)
nice way to be redundant.
Re: (Score:2)
It's not racism, just a lame joke.
Re: (Score:2)
lol
Re: (Score:2)
Exactly. We need to prevent the storage in the first place, just like CookieMonster does in whitelist-mode, not clean it up later.
Re: (Score:2)
Removing the cookie is not enough to remove an ever-"cookie", it is not just a cookie, it is similar to cookie, but has multiple ways of storing itself, and if you remove the cookie part it will just recreate it based on one of its many other methods of storing user-data. The reason it is getting so much attention, is because it is really hard to get rid of, and you haven't even come close yet.
Private browsing, using a browser without the stupid HTML5 data-storage spec, disabling all caching, disabling flash, a