Flash Cookies, a Little-Known Privacy Threat
Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
Old News (Score:5, Informative)
1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.
2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.
3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.
4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.
5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.
Re:Old News (Score:5, Informative)
Re:Old News (Score:5, Informative)
I use Oblivion with Firefox 3.0.3 and it works fine.
Re:Old News (Score:4, Informative)
Re:Old News (Score:5, Informative)
There is a FF extension called Distrust, which deletes your "Flash Cookies" on exit ... I assume they're talking about the same thing here. It works with 3.
Re: (Score:2)
Someone has picked up the project and a new beta, which is compatible with FF3, is here [mozdev.org].
Welcome (Score:2, Interesting)
My specific comment to this news article and your response is that third party objects always reduce security as they increase features and that is a constant and yes that is not new.
A slight side-note...
You must be new here. Welcome to Slashdot.org where you can get news of many varieties. Some is stale dated, some is duplicated but it's all kinda interesting to talk about and that is why most of us like it here.
Because even if the news is old, the discussion at Slashdot is always new! (well at least the h
Re:Welcome (Score:5, Funny)
If you think I'm new here, you must be new here... ;-)
Re:Welcome (Score:5, Funny)
In geological terms, we're all new here.
Re: (Score:2, Funny)
Yes, and topologically, we're all donuts.
Re: (Score:2)
I have pierced ears, so technically I'm not, but I still thought it was funny.
Re:Welcome (Score:5, Interesting)
In geological terms, "here" is new.
(Being pedantic, because I really am a geologist, for most values of "here" and most reasonable meanings of "new". If I were writing on the other coast of Scotland, then my here might be up to half the age of the Earth, which is stretching "new" a bit, but for over 95% of the country and far over 99% of the population, the rocks below are a lot less than a quarter of the age of the planet, which is "new" enough for me.)
Re: (Score:2)
Are you the same guy that used to drive Linux nerds mad on Linuxtoday or some site like that by sticking up for Windows and knocking Linux around 1999 / 2000 time?
Re: (Score:2)
All true.
It will also force Flash to prompt you every time it wishes to save something to disk.
Any idea why mine does it a dozen times for each request?
Re: (Score:2)
Actually, web developers hate you. We test specifically for your IP.
Re:Old News (Score:5, Informative)
1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.
2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.
3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.
4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.
5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.
A bit more information...
1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.
2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.
3 - This is true. You can delete sharedobjects as long as you have a movie clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.
4 - Sure they are useful, but they can and are misused. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.
5 - Indeed.
Re:Old News (Score:4, Interesting)
4 - Sure they are useful, but they can and are misused. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.
One of the things I discovered a long time ago is that emptying a #SharedObjects subdirectory and setting it to read-only does not work.
Now I just go through every once in a while and clear out the whole thing.
Re: (Score:3, Informative)
cd "\Documents and Settings\Application Data\Macromedia\Flash Player"
rmdir "#SharedObjects"
ln -s nul "#SharedObjects"
Oh you are running windows!? Works for me in cygwin bash.
Re: (Score:2)
You need to change the security permissions for that folder, and restrict all accounts, including the system account. Otherwise what happens is the system account just does what it wants to.
Re: (Score:2)
Now I just [...] every once in a while
I'd like you to meet my friend, Cron. He likes meeting new people :)
Re: (Score:3)
3 - This is true. You can delete sharedobjects as long as you have a movie clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.
Flashblock [mozdev.org]
I can't find my C: drive (Score:2, Funny)
Who should I contact?
Is this a serious problem?
Re: (Score:3, Insightful)
My question has always been, are cookies even really that bad? This may just be me, but I am not that concerned - unless a cookie for one site is actually tracking what I am DOING on another site - ie if Slashdot suddenly started tracking what I was doing at my bank. I may be totally ignorant here, but I did not think cookies worked that way. And who actually has time to poll through all that user data? I have a low-traffic website, and just for grins, I will go in sometimes and look at the server logs, but
Re: (Score:2)
Yeah they are harmless in most cases.
There was a concern about cookies years ago and everyone was encouraged to turn them off which caused all kinds of problems.
The biggest problem is that ad networks can see that you loaded an ad from them on site a and site b and can form patterns from that.
Re:Old News (Score:4, Insightful)
That depends on the level of privacy to which you aspire, online. As far as I'm concerned, my business is my business. Of course, if you're happy living your online existence in a goldfish bowl, that's different.
Data mining programs do. Then people get to see whatever the programs flag up.
Well, all that data goes into databases, and the data gets leaked and sold and demanded by the government, and burned to CD-Rom which then gets lost... and on the way ends up being amalgamated with other databases. It's already possible to build uncomfortably detailed profiles of people using only Google. That's without mining someone's clickstream over a year or so.
Maybe you don't care who's looking over your metaphorical shoulder as you surf; I accept that many people do not. Nevertheless, for what I suspect are the majority of surfers, there's a definite issue here.
Re: (Score:3, Funny)
SQL database in the browser? Oh christ. It's like emacs all over again.
Re: (Score:2)
5. If you're worried about this, just wait until you guys see the Storage APIs [whatwg.org] in HTML5. You're going to freak.
Oh great, more cruft to clog up browsers... I didn't know about this yet, thanks. This should prove to be some interesting reading.
Re: (Score:2)
You can also tell it to not prompt you -- just "Deny".
Also you don't have to delete each, singly, there is a delete all...:-)
Re: (Score:3, Interesting)
Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
Sounds a little ungrateful considering that many, many people didn't know about this and are now provided an easy way to view and delete these objects without rummaging through menus and settings. If you hate Flash that much then don't use it!
Re: (Score:2, Interesting)
Sounds a little ungrateful considering that many, many people didn't know about this and are now provided an easy way to view and delete these objects without rummaging through menus and settings. If you hate Flash that much then don't use it!
/agree
The "Delete all sites" button seemed to have worked pretty well too. The only thing is that I thought it was an image until I read the text under it stating that it wasn't, which is probably why the explanation was put there.
Re: (Score:2)
yeah. no mistakes anywhere. makes me wonder if it was canned. that is, the frist psoter is the submitter and/or coordinated something as an elaborate pro-Flash troll.
Flash cookies (Score:5, Funny)
I flashed my cookies once and did a weekend in the slammer.
Re:Flash cookies (Score:4, Funny)
Talk about a privacy threat!
Don't allow sites to store stuff on your machine. (Score:5, Interesting)
I don't allow any site to store any information on my machine, except when it is beneficial to me. That means, Slashdot can store cookies (session only), RevLeft can store cookies for ever, and various email places can store session only cookies.
However, every other site is blocked by default (Firefox plugin called CookieSafe). With Flash, yes I'm using Macromedia's shit plugin, but even then the default (and I'm not going to change it) is to not allow any site to save any information.
Of course, I also use NoScript and AdBlock... Yada yada.
I'm on the web for my benefit, not for the benefit of advertisers and other scum.
I've also heard about a trick to delete the folder where the Macromedia plugin stores the stuff and replace it with a read only blank file of the same name. Look into that if you don't trust Adobe as far as you can kick them...
Re: (Score:3, Interesting)
And a quick follow up to that post. What happens if I hit a site that requires cookies (for no apparent reason)? I leave. The most common website is lyrics websites, and considering the number of them there are, I don't care if I miss out on one more.
The same with JavaScript, there are only a few websites that I've enabled JS by default (Slashdot is one). But for all the rest, unless they have an obvious use for it (and can't provide alternative content), I leave if it's required.
Screw them. I've got better
Re:Don't allow sites to store stuff on your machin (Score:5, Funny)
Mod parent "OldManOnPorchWithShotgun"
Re: (Score:2)
Did you pay a premium on your /. subscription to hide the * next to your name?
Somewhat Misleading (Score:5, Informative)
"Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."
Except there's a button to delete them all at once.
Re: (Score:2)
Yeah, WTF slashdot?
-Taylor
Get Flashblock now. (Score:3, Insightful)
Seriously, get flashblock from the Firefox addons site. You need it. Badly. The number of sites with the equivalent of the pixel.gif tracking or the Google Analytics type JavaScript tracking, but as a small Flash plugin, is growing astronomically, and Adobe has no reason to favor your privacy over their customers' demands. These little apps aren't there to serve your needs or improve your browsing experience, and they just should never run. If you want to run a Flash app, that's fine: click on it to run it.
I use Flashblock and I've been watching Hulu and YouTube and enjoying all sorts of sites that use Flash. I'm also instantly aware of any site that's too lazy to present a standard Web page when I see a giant "click to run" button over the whole page, and I find another site. This is part of the process, and is an important way that neophyte Web developers learn that they can't just throw up Flash and not worry about Web standards.
Re: (Score:2)
In all earnestness, the only reason that flash is so popu
Re: (Score:2)
If you're paranoid like me, you'd install flashblock, adblock plus AND noscript.
This combination not only saves you from clickjacking sites, but you're also allowed to choose which plugins and domains you want to load. Additionally, websites load much faster (due to no ads and/or flash) and youtube videos don't play automatically. Of course, this can be tuned to your preferences.
Re: (Score:2)
Is there a sensible reason to run Flashblock if you already use NoScript?
Re: (Score:2)
Apparently Flashblock makes websites such as YouTube load much faster.
Re: (Score:2)
Is there a sensible reason to run Flashblock if you already use NoScript?
Yes- sites where you want javascript enabled but don't want annoying flash ads consuming your CPU. Example: Blogger, wordpress, slashdot, digg, webcomics sites, news sites, etc. etc.
Re: (Score:2)
NoScript Options -> Plugins Tab -> Check "Apply these restrictions to trusted sites too"
This will let you whitelist sites for javascript, but prevent the flash or other plugins from loading by default.
Then you are still able to click on the placeholder to play the desired flash object.
No need to have Flashblock installed if you use this setup.
Re: (Score:2)
NoScript Options -> Plugins Tab -> Check "Apply these restrictions to trusted sites too"
This will let you whitelist sites for javascript, but prevent the flash or other plugins from loading by default.
Then you are still able to click on the placeholder to play the desired flash object.
No need to have Flashblock installed if you use this setup.
The problem is that "apply these restrictions" applies them as a whole, and doesn't let me have a fine-grained control over them.
Re: (Score:2)
Or you could just not install the Flash plug-in. What, no YouTube? Just download the .flv files and play them in your video player. It's a much better use of resources.
Re: (Score:2)
I'm almost certain that this is incorrect. I've had many systems that I've run Firefox on where I've clicked on the flashblock icon only to realize that I didn't have flash installed, and thus nothing happened.
To quote their site:
"Flashblock [...] blocks ALL Flash content from loading."
That's "from loading" not "from running more than an instant," so unless this is incorrect, and my experiences are somehow also misleading, I'm pretty sure you're wrong.
Re: (Score:3, Informative)
I read about this sometime ago, so keep in mind that it may no longer be correct. As I understand it, Flashblock works by analyzing the DOM as it's loaded and anytime it sees Flash content it removes it and inserts its own Flashblock placeholder. What this means is that it is possible for Flash to execute before it is removed, however given the delay before the SWF in question is downloaded it's very unlikely that it would begin executing before Flashblock is able to remove it.
Re: (Score:3, Informative)
And this ... (Score:5, Insightful)
This is why I don't install flash on my machines.
Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.
Cheers
Re: (Score:2, Insightful)
The parent sounds like the people who still use pine for checking their email. At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it. I guess everyone has to make the decision to continue living life and embracing new technology or completely blocking it out and hoping it will go away. Websites that require flash aren't going to go away, folks: they are going to multiply. We shouldn't try to stop flash, or to ignore it, we should try to work toward
Re: (Score:2)
At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it.
I think you just described the Amish. (sort of)
Re: (Score:2)
Next I expect you'll want me to watch this "television" thing.
Re:And this ... (Score:5, Insightful)
Re: (Score:2)
Hey, no need to be down on pine users. Some of us still use pine (or hopefully alpine) because we like how it works compared to other mail clients, not because we are stuck in the past. We use cvs because we are stuck in the past, but alpine/pine because we like it. And we even live in the modern world of html ema
Re:And this ... (Score:5, Insightful)
Why should we all accept a technology that is almost always used inappropriately? It's not being a luddite to expect people to use the right tool for the job. Flash is a technology that's good for vector animations. Stuff like homestar runner benefits from using flash, and nobody is going to complain that such a site uses flash.
But what about all the websites that use flash based navigation? Does flash do anything that they can't do with html/javascript? No. Then what's the point? It's not progress if it doesn't enable you to do anything new. It's just dumb.
And then there's sites like YouTube which use flash to serve up videos. I mean, come on. Embedding a video file in a flash application makes about as much sense as embedding an image in flash. The right thing to do is to send the video over http, and let the browser decide what to do with it. Just like we do with .jpg, .pdf, .mp3, and everything else on the internet.
So don't give me this bullshit about flash haters being anti-progress, because there's really very little that flash actually does that anyone actually needs. It's almost always the wrong tool for the job.
p.s. pine still works great, what's your problem with it?
Re: (Score:2)
But Flash video just works. Other video does not. Hence, Youtube.
And the player is a slim install. Compare Quicktime.
I'm not saying I like the business model, but that is why the technology has succeeded.
Re: (Score:2)
I agree, with the exception of YouTube and sites like it.
The problem is, most computers don't have appropriate codecs installed that play inside the browser. And even if there was H264/AAC on each and every modern computer, you couldn't expect them to display those videos in the browser window next to your content.
Thus, the reasons for using Flash on YouTube are valid, since it comes with its own streaming codec and designers can make sure the stuff plays on every platform just fine.
Re: (Score:2)
Well, I bet those people don't get many email virii.
Lynx ftw (Score:2)
Re: (Score:2)
I bet you'd only take Flash over Silverlight because that's what you already know. If you had any real programming skills and knowledge, you'd know why Silverlight is better.
And why is proprietary Adobe technology considered more "free" than proprietary Microsoft technology?
Because recently Adobe released the SWF specs, no strings attached. Now anyone can make their own flash player (AND composer) alternative. That doesn't make Adobe any less evil, but at least we'll know for certain that it's not illegal to make your own flash player.
Re: (Score:2)
Re: (Score:2, Insightful)
Re:And this ... *crap is technology agnostic* (Score:4, Insightful)
ffs, there are plenty of irritating html sites as well...
I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)
flash != junk
people making junk with flash == junk
(and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)
If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)
If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.
Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.
And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...
So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.
Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.
Re: (Score:2)
Re: (Score:2, Funny)
Photons are also used by Advertisers. That's why I ripped my eyes out.
Re:And this ... (Score:5, Funny)
Re: (Score:2)
And I'm even better than you because I use an Apple computer, don't even own a TV, and only listen to indie music. You should smell my flowery farts!
I believe it, but only because you didn't specify what kind of flower [wikipedia.org].
Re: (Score:2, Insightful)
Can you not just delete the files directly? (Score:5, Informative)
To remove flash cache on Linux (Score:3, Informative)
Yes, I do that on Linux regularly.
Just add this to your crontab:
0 * * * * rm -rf ~/.macromedia ~/.adobe
(If you actually use their other products, you might want to be more specific, like ~/.adobe/Flash_Player)
Re:To remove flash cache on Linux (Score:4, Insightful)
srm and shred aren't assured security if you're on a journaled filesystem. More importantly, if the Flash application is rooting through your filesystem looking for deleted data, "secure deletion" should be applied to Flash itself, not just its cache. That would be outrageous.
My point is that you're merely trying to delete cookies to prevent user tracking. Secure deletion on your physical disk is not needed unless you're looking at a very special kind of content. ... Using srm or shred here would be like running your newspaper through the shredder because you never know who might be looking for the smudge marks that indicate what you actually read.
Re: (Score:2)
Yes - and from 'macromedia.com' in the same folder. And in fact you *must* delete these files directly if you want to clear your browsing history. The browser's built in delete-history function will not do it.
Even if you set Flash to never allow any storage for any domain(*), it still stores a pointless stub file for each domain in this folder, containing no information except for the side-effect of silently storing every domain you've visited with a Flash player in it.
* - and if you do that, a bunch of Fla
Quick fix? (Score:2, Interesting)
Re:Quick fix? (Score:4, Informative)
Re: (Score:2)
Re: (Score:3, Insightful)
Surely the main privacy issue is the site reading back what it wrote? So it should be:
chmod -r ~/.macromedia
Let it write all it wants.
disable completely with a batchfile (Score:3, Informative)
Or... a simple batchfile for neutering the little bastards completely. [elifulkerson.com] ... assuming they haven't changed anything.
Easily fixed from the same site linked in TFA (Score:5, Informative)
1.) Go to Website Storage settings -> Delete all sites
2.) Go to Global Storage settings -> allow 0 kb of storage
3.) ????? 4.) Profit! (and/or continue going to porn sites...)
I visit a lot of porn site (Score:2)
Re: (Score:2)
How are Cookies "Privacy Threats"? (Score:5, Interesting)
I can understand if there's a bug that lets one site read or write another site's cookies. But how are properly functioning cookies any threat to privacy? They are indeed a threat to anonymity, only because they let a site ID a browser (or a Flash player or some other client) as "the same as that other time". But what private info other than that you are the same person (or maybe not, on a shared machine) is threatened? The remote site could just store on its server any info about your transactions. It could require that you login to verify that you're that same returning visitor. And even without cookies, a remote site could send any info it got from your transactions over to any other site without notifying you. Cookies have nothing to do with it.
Of course, any info stored on my machine should have a usable UI to manage it. But an inconvenient one isn't really a "privacy threat". After all, what is the threat? What goes wrong when it's abused?
Re: (Score:2, Informative)
But how are properly functioning cookies any threat to privacy?
If the cookies are set by a 3rd party who has linked content on many websites, that 3rd party can track your activity through all of those sites. If you visit a website that you've given your personal details (say, to buy something), then the website and 3rd party can share information about you. Now they both know who you are and what you do online.
How do you feel about banner ads hosted by 3rd parties setting cookies on your computer now?
Re: (Score:2, Informative)
Cross correlation is a huge problem, because sites do deals with each other to trade information. Advertisers, present on nearly every site get to save cookies that correlate where you have visited. They can then on-sell or match that information to that from other companies. Thus simply by browsing the web you are potentially creating a public profile available to anyone who wants to buy it. How would you feel if a future employer could purchase and review your browsing history and see a large subset o
Re: (Score:2)
But that inference isn't really a threat to "privacy". That site was a party to those other transactions. Why doesn't it have the right to recognize the other party to those transactions, when its own identity is firmly established?
Anonymity and privacy are linked, but separate. Their conflation into seeing cookies as "privacy threats" would really be dispelled if the browser had an icon for "you are maintaining a cookie for this site" (greyed out when you aren't), that is clickable to manage that cookie, i
Not only Flash SharedObjects... (Score:2)
The same thing can apply to any browser-side storage : localStorage, globalStorage, userData, Google Gears and HTML5 database storage.
Purging those is not as easy as with cookies.
But they also have a lot of legitimate uses.
Re: (Score:2)
Are you talking about purging them for specific domains, or globally? For specific domains, I can imagine why it might be a problem (though I'm not aware of how any of them are stored on disk), but if you mean globally, is there any problem in removing the relevant directories, exactly as at least I would do for cookies? Surely none of them are stored in the same directory as (for example) the browser bookmarks?
As for the legitimate uses, I suppose it depends on your viewing habits. There are not nearly eno
Reading confirmation ftw? (Score:2)
Here's the user-unfriendly GUI for deleting them one at a time, each one requiring confirmation.
I clicked on delete all sites - it asked if I wanted to and every one of them was gone in two clicks.
Flash Cookies, a Little-Known Privacy Treat... (Score:2, Insightful)
"... all your cookies are belong to us..."
- the Cookie Monster.
Macromedia? (Score:4, Interesting)
Re: (Score:3, Funny)
ccleaner (Score:2)
not only is this old news... (Score:2)
When a guy at Defcon gave a talk on this in August he even mentioned then that it was essentially old news. However, it is interesting that not everybody knows about this and that browsers can't just clear this data out more trivially.
Re: (Score:2, Insightful)
Flashblock does not prevent loading of flash programs. All it does is hide them from view (and sound). Use NoScript instead. Block all 3rd party scripts and enable all 1st party scripts.
Re:Duh department (Score:4, Informative)
Can you point to a source, please?
Because the front page of Flashblock's site [mozdev.org] says something different:
Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content.
(Emphasis taken from source)
Re:Duh department (Score:5, Interesting)
With Flashblock loaded and active, watching the hidden Macromedia directories, visiting a page with Flash objects created objects in the Macromedia\Flash Player\#SharedObjects and Macromedia\Flash Player\macromedia.com\support\sys directories, without running any of the visible Flash objects.
That would indicate to me that some part of Flash is being activated, despite the presence of Flashblock...
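Added example (not part of the original thread, and not Flashblock or Adobe code): the before/after observation in the comment above can be made repeatable by hashing every .sol file under the Flash Player data directory, loading the page under test, and diffing the two snapshots. The directory layout (a random profile directory under #SharedObjects, "#"-prefixed site directories under sys), the default Linux root and the helper names are assumptions.

```python
import hashlib
import sys
from pathlib import Path, PurePosixPath

# Assumed default location on Linux; on Windows the thread gives
# ...\Application Data\Macromedia\Flash Player instead.
DEFAULT_ROOT = Path.home() / ".macromedia" / "Flash_Player"


def snapshot(root):
    """Map each .sol file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    state = {}
    for path in root.rglob("*.sol"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = digest
    return state


def diff_snapshots(before, after):
    """Return the paths created, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def site_of(rel_path):
    """Derive the site name from a path relative to the Flash Player root.

    Assumed layouts:
      #SharedObjects/<random dir>/<site>/.../<name>.sol   (stored data)
      .../sys/#<site>/settings.sol                        (per-site settings stub)
    """
    parts = PurePosixPath(rel_path).parts
    if "#SharedObjects" in parts:
        i = parts.index("#SharedObjects")
        if len(parts) > i + 3:
            return parts[i + 2]
    if "sys" in parts:
        i = parts.index("sys")
        if len(parts) > i + 2 and parts[i + 1].startswith("#"):
            return parts[i + 1][1:]
        return "(global settings)"
    return "(unknown)"


def sites_touched(changes):
    """Sites that wrote or rewrote an object between the two snapshots."""
    return {site_of(p) for p in changes["created"] + changes["modified"]}


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_ROOT
    before = snapshot(root)
    input(f"{len(before)} objects recorded under {root}. "
          "Load the page under test, then press Enter... ")
    changes = diff_snapshots(before, snapshot(root))
    for kind, paths in changes.items():
        for p in paths:
            print(f"{kind:10}{site_of(p):32}{p}")
    print("sites that stored data:", sorted(sites_touched(changes)) or "none")
```

Run it once with the blocker enabled and once without; an empty "created" and "modified" list on the first run is the evidence that nothing was stored.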
Re: (Score:3, Insightful)
So, tell me... How is it that a flash application available on-line (from adobe) is able to delete and assign space to those very elements? You are telling me that it is not, in turn, able to access those very items? And, if it can access those items, is this not a far worse security issue than browser cookies?
Just wondering.
Now, add to this (the configuration panel for flash storage being available on-line, accessible without the need of a password) to the actual (closed source) implementation of flash --
It's only local (well, so they say) (Score:2)
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html [macromedia.com]
"The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer."
Of course, you do have to take their word for it - but it doesn't appear as though a Flash app on Adobe's servers is reading that information in, itself; a