Flash Cookies, a Little-Known Privacy Threat
Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.
2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.
3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.
4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications, many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.
5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.
Javascript + Nintendo DSi = DSiCade
I flashed my cookies once and did a weekend in the slammer.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
So much for 'privacy mode' browsing. Then again, who needs flash when you're in privacy mode, right?
I have left slashdot and am now on Soylent News. FUCK YOU DICE.
This is super old news, yet another reason for Flashblock.
I want to delete my account but Slashdot doesn't allow it.
I don't allow any site to store any information on my machine, except when it is beneficial to me. That means, Slashdot can store cookies (session only), RevLeft can store cookies for ever, and various email places can store session only cookies.
However, every other site is blocked by default (Firefox plugin called CookieSafe). With Flash, yes I'm using Macromedia's shit plugin, but even then the default (and I'm not going to change it) is to not allow any site to save any information.
Of course, I also use NoScript and AdBlock... Yada yada.
I'm on the web for my benefit, not for the benefit of advertisers and other scum.
I've also heard about a trick to delete the folder where the Macromedia plugin stores the stuff and replace it with a read only blank file of the same name. Look into that if you don't trust Adobe as far as you can kick them...
I wank in the shower.
"Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."
Except there's a button to delete them all at once.
Seriously, get flashblock from the Firefox addons site. You need it. Badly. The number of sites with the equivalent of the pixel.gif tracking or the Google Analytics type JavaScript tracking, but as a small Flash plugin, is growing astronomically, and Adobe has no reason to favor your privacy over their customers' demands. These little apps aren't there to serve your needs or improve your browsing experience, and they just should never run. If you want to run a Flash app, that's fine: click on it to run it.
I use Flashblock and I've been watching Hulu and YouTube and enjoying all sorts of sites that use Flash. I'm also instantly aware of any site that's too lazy to present a standard Web page when I see a giant "click to run" button over the whole page, and I find another site. This is part of the process, and is an important way that neophyte Web developers learn that they can't just throw up Flash and not worry about Web standards.
My specific comment to this news article and your response is that third party objects always reduce security as they increase features and that is a constant and yes that is not new.
A slight side-note...
You must be new here. Welcome to Slashdot.org where you can get news of many varieties. Some is stale dated, some is duplicated but it's all kinda interesting to talk about and that is why most of us like it here.
Because even if the news is old, the discussion at Slashdot is always new! (well at least the higher rated discussions)
And a quick follow up to that post. What happens if I hit a site that requires cookies (for no apparent reason)? I leave. The most common website is lyrics websites, and considering the number of them there are, I don't care if I miss out on one more.
The same with JavaScript, there are only a few websites that I've enabled JS by default (Slashdot is one). But for all the rest, unless they have an obvious use for it (and can't provide alternative content), I leave if it's required.
Screw them. I've got better things to do with my time than fuck around with websites that can't degrade gracefully.
This is why I don't install flash on my machines.
Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.
Cheers
Lost at C:>. Found at C.
On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?
At least on a Mac, if you do a spotlight search for a site that uses Flash -- say, pandora.com -- you can find where these files are stored locally. There are two copies, one with a # in front and the other with just the site name. Be sure to delete both.
I did this and it seems to work: rm -r ~/.macromedia
ln -s /dev/null ~/.macromedia
YMMV.
IIRC, on linux everything is stored in .macromedia/ in your home directory. So you can use whatever GUI file manager you want to go through them. I would bet Windows has something similar.
If you're really concerned about privacy, you can just empty the whole directory and then chmod -w it.
Or... a simple batchfile for neutering the little bastards completely. ... assuming they haven't changed anything.
Flashblock doesn't actually stop flash from running, it just stops it fast. Flash cookies can still be written.
Go to This site
1.) Go to Website Storage settings -> Delete all sites
2.) Go to Global Storage settings -> allow 0 kb of storage
3.) ????? 4.) Profit! (and/or continue going to porn sites...)
Find the folder they are stored in:
Windows: C:\Documents and Settings\[username]\Application Data\Macromedia\Flash Player
Mac: /Users/[username]/Library/Preferences/Macromedia/Flash Player
Linux: ~/.macromedia
and delete the folder, then create a file with the folder's name, so it can't be created.
CORPORATION, n. An ingenious device for obtaining individual profit without individual responsibility.
Bloody mods, that's a joke.
Good point...I couldn't agree more.
My debut novel AMITY now available: http://jeremydbrooks.c
Beer sites are a massive pain in the ass when it comes to requiring cookies. And JavaScript. And Flash.
Same with official sites of games, gaming companies, movies, etc... just about anything relating to entertainment. Even sites covering them are bad. I swear IGN deserves Guinness achievement award for having one of the absolute worst-designed, bloated and slow web sites on the face of the planet for so many years... and every time they change it, they make it worse. It's fucking disgusting, and it's massive corporate assholes like those who made AdBlock an essential tool for me and make me wish sites would go back to the way they were in the late 90s. Small, simple and fast (if you can get over the internet connection, that is... which, even then, was nothing compared to how slow IGN loads on my 2001-era computer now).
It would be nice if I could live peacefully without needing to use scripts of some sort (especially Flash) for the most retarded reasons. Until then, I use a combination of NoScript with my own nice little list of sites I want to add scripts and AdBlock Plus with Rick's EasyList. I messed around with CookieSafe/CS-Lite, but don't currently use it as it was a PITA to get it set up. I'm not sure which of the sites I visit actually *require* cookies, other than those I explicitly log in to and ask for it to save my login details.
Yes, I do that on Linux regularly.
Just add this to your crontab:
0 * * * * rm -rf ~/.macromedia ~/.adobe
(If you actually use their other products, you might want to be more specific, like ~/.adobe/Flash_Player)
Use my userscript to add story images to Slashdot. There's no going back.
I can understand if there's a bug that lets one site read or write another site's cookies. But how are properly functioning cookies any threat to privacy? They are indeed a threat to anonymity, only because they let a site ID a browser (or a Flash player or some other client) as "the same as that other time". But what private info other than that you are the same person (or maybe not, on a shared machine) is threatened? The remote site could just store on its server any info about your transactions. It could require that you login to verify that you're that same returning visitor. And even without cookies, a remote site could send any info it got from your transactions over to any other site without notifying you. Cookies have nothing to do with it.
Of course, any info stored on my machine should have a usable UI to manage it. But an inconvenient one isn't really a "privacy threat". After all, what is the threat? What goes wrong when it's abused?
--
make install -not war
rm -r /Users/username/Library/Preferences/Macromedia/Flash\ Player/#SharedObjects/* /Users/username/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys/*
The same thing can apply to any browser-side storage: localStorage, globalStorage, userData, Google Gears and HTML5 database storage.
Purging those is not as easy as with cookies.
But they also have a lot of legitimate uses.
"By default" it enables average users to use nifty Adobe player functionality. (My pizza store, by default, now remembers me and the last time I was there! Wicked!) You can also choose the max disk space for these cookies, you can also easily delete them, and you can easily stop them from being saved. I agree the access to this information isn't "easy", but this is far from being a security problem. I had to go through just as many clicks to get to my Firefox cookies as to get to the Flash cookies. They also store only information they request, which in some cases means saved game files (for Flash games). This article, with its hefty boldening of sentences, makes this out to be an OMG! situation, when it's not. Just as Firefox, by DEFAULT, enables cookies and JavaScript code. Why can't Flash? This panel can also be accessed when using almost ANY Flash application, through the right-click context menu. Seriously, this feels like very little investigation or comparison. American-style scare-mongering at its finest IMHO.
Mod parent "OldManOnPorchWithShotgun"
Here's the user-unfriendly GUI for deleting them one at a time, each one requiring confirmation.
I clicked on delete all sites - it asked if I wanted to and every one of them was gone in two clicks.
echo "rm -rf ~/.macromedia" > ~/.kde/Autostart/wipeflashcookies.sh
problem solved
Okay, good, let's shut off another potentially useful feature because there's a fringe chance it can be used to remember who you are, which is Bad(tm) because then zomg Skynet. And better still, let's get rid of Flash entirely, AND be a smug dick about it, too. Brag about it constantly, just like how you don't own a TV.
From there, keep on bragging about how you don't use Javascript, either, and point to an edge case where a friend you knew was out browsing pr0n from his spam and now his entire identity has been erased. Keep pointing to it. Point HARDER. That should convince any sane individual to burn an effigy of the inventor of Javascript. Offer your diagrams to help them build such effigies.
Then all we'd need to do is get rid of images and multimedia, remove graphics from all computers, and before you know it, we'll finally have this "entertainment" flaw fixed. Then we can all get back to posting plaintext reviews of and arguments over Star Trek Battlestar Galactica episodes in peace. Goddamn progress.
Am I the only one who read the article title as "Flash Cookies, a Little-Known Privacy TREAT" and thought it was some kind of snack? .. maybe I should go get something to eat. Mmmm.. flash cookies.
cd ~
rm -rf .macromedia
mkdir .macromedia
chmod 000 .macromedia
# Has been working fine like this for a couple of months now.
kthxbai
All those shared data I see on my computer are from CNN, NBC, Eidos, EA, YouTube, etc.... Maybe then again that is because I am NOT stupid enough to allow Java or Flash on a shady site...
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
"... all your cookies are belong to us..."
- the Cookie Monster.
Kind of odd how you have to go to their website to make that setting.
Then again, flash has always hidden its settings. I never understood why they didn't allow us to modify settings from a menu or submenu like the way adblock does.
Shouldn't that be Adobe Flash now?
... and then they built the supercollider.
# turn this shit off
rm -dfr ~/.macromedia/
rm ~/.mozilla/plugins/libflashplayer.so
# turn this shit on
cd /some/path/to/install_flash_player_9_linux/
. flashplayer-installer
# answer three stupid questions (with Enter, yes, no)
cd -
# now go to your favorite porn site, bonehead!
alternative: use w3m or lynx without risk :-)
ffs, there are plenty of irritating html sites as well...
I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)
flash != junk
people making junk with flash == junk
(and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)
If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)
If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.
Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.
And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...
So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.
Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.
You remind me of the Simpsons episode where Flanders shows off his satellite television. 1000 channels LOCKED OUT! he proudly exclaims.
Many if not most sites on the Internet load some kind of ad content from another place. Since they use the same server (more precisely domain) for that, the ad server people can and will track you. Email sites also have advertisements, therefore it's even possible to connect your ID with a name. I don't know whether that is done, but by the morals of Google, where data collection is always good and desirable as long as you don't get caught doing things with it, it probably is.
I saw it as Fresh Cookies.
CCleaner does a nice job of keeping this intrusion, and others, under control.
Oye. Oye oye. Cookies. I hear so many arguments about cookies and privacy and such. I seriously want to know what's so BAD about this? I still don't get it. It's not like they're looking in your living room or bedroom. It's not like they're listening in on phone conversations. It's not like they're gaining your SSN or mother's maiden name or such.
Programmatically, a cookie that has any info that you might want to consider "private" won't need anything like a userid in every cookie. Just the ones that pertain to the user ID for help with logging in.
Cookies are only sent to the domain or website that pertains to them. Ads on a website get their own cookies, separate from the website's cookies. So ads know an anonymous person in general geographical area (based on IP) has seen or clicked on specific ads that were generated on specific sites.
Do you think these people have time to go into THAT kind of detail? They probably just compile stats and say "7% of our clicks to this ad came from this site and the highest percentages came from these towns".
God forbid I become a stat. Oh wait I already am probably.
Seriously though: I think many people need to calm down and not see cookies as a big brother thing or anything that's a serious threat. The only serious threat would be a browser bug or exploit that allows any site to receive/view any cookie that it's not supposed to see.
Pancakes. Oh I blew it.
I would say that I resemble that remark, but I upgraded to alpine earlier this year. MUAs aside, what matters isn't whether the technology is newer but whether it's better. Flash websites are worse than HTML ones in some important regards, such as ability to bookmark / link to specific pages within them. Oh, and you can't view them in lynx.
I visited a fishing gear site last week, and a few days later I was surprised to be served an ad on a non fishing site for fishing rods from the first site. I always delete my history etc., so I was curious to see from where this was served. I hovered over what I thought was an image used as a link, and nothing showed on the status bar, so I right clicked on it and saw it was an embedded flash player. That was when I started searching through the .macromedia directory and finding the .sol files. The bottom line... can Flash cookies be used to serve targeted ads? Yes they can. What else... who knows.
Did you pay a premium on your /. subscription to hide the * next to your name?
Repton.
They say that only an experienced wizard can do the tengu shuffle.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
"The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer."
Of course, you do have to take their word for it - but it doesn't appear as though a Flash app on Adobe's servers is reading that information in, itself; and presumably that means other Flash apps can't, either.
It's still very, very odd that it is displayed on their site, though - where's the config option in the plug-in / external app / whatever? I have to go online, and access Adbobe's site, in order to change settings? That's just plain weird.
Works great on a Mac. I've noticed no issues in using this for a few years.
#!/bin/tcsh
cd "${HOME}/Library/Preferences/Macromedia/Flash Player/"
foreach d ( macromedia.com/support/flashplayer/sys/* \#SharedObjects/*/* )
rm -rf "$d" && touch "$d" && chmod 400 "$d"
end
...Microsoft is preparing for the launch of Windows XP, which promises to be the most secure version of Windows yet.
Oh wait, that was 5 years ago too, wasn't it?
I made a post about how to use REAL cookies in flash.
Shared objects are still great for some things, like UI preferences and game saves, but real cookies should be used; it makes life easier with PHP too...
When a guy at Defcon gave a talk on this in August he even mentioned then that it was essentially old news. However, it is interesting that not everybody knows about this and that browsers can't just clear this data out more trivially.
"...today consumers have been conditioned to think of beer when they see a bullfrog..."
Hey, sounds like my kind of old man. Perhaps he can impart us with further wisdom? ;-)
This is where the ~why~ in technology is kind of important, much less bringing in the critical issues of security and compliance. Whether it's a more integrated cookie function specification like a better way of utilizing flash cookies being operated by private marketplaces and somehow, concurrently, have independent oversight by regulatory forces or it's the ad-hoc, free markets and buyer beware system we're stuck with now there's got to be a better way to run commerce.
I think when it comes to content using cookies there is the application layer stuff plus subscription technologies which are preferred to ad buys and I don't think it's the interface as much as it's the format that is imporant.
I think source-side .FLVs are good. Whether a streaming FLV file is obscured or the URL is open users at any rate should be able to 1) embed links to the video and 2) modify the pixel ratios with respect to their machine's memory. Generally I believe what browser is playing what media file and the physical/virtual location are what the flash cookies now store as retrievable data.
I looked for this file
C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects
Unfortunately, all I can find is things like "/home"
Maybe you can enlighten me as to what all that weird "C:" gobbledegook is that you are referencing here.
On my system a second copy is stored at
%USERPROFILE%\Application Data\Macromedia\macromedia.com\support\flashplayer\sys
So do a find on a single entry on your system to locate both caches, e.g., find #flash.quantserve.com.
The macromedia GUI only cleans the first directory's cache, leaving the second untouched.
You can manually delete them from both areas.
Instead of manually deleting them one by one, just do a rm -rf ~/.macromedia/
If you are super paranoid, you can disable it all together (as previous posters have mentioned), or just remove flash. Or for the more convenient way use noscript.
Who should I contact?
Is this a serious problem?
In (work mandated) Windows I create a file called "#SharedObjects" in the "%userprofile%/Application Data\Macromedia\Flash Player" directory and a file called "sys" in "Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer". These filenames are usually created as directories by flash under which is stored all the cookies etc from websites. By having a filename already existing the directory can't be created :-)
This stops any website saving flash data to my computer AFAICT.
HTH
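The posts above describe two separate LSO stores under the Flash Player profile directory (#SharedObjects and macromedia.com/support/flashplayer/sys, only the first of which the Settings Manager clears) and the trick of replacing a store directory with a pre-existing file so the player cannot recreate it. The following POSIX sh script is an added example, not code from the thread: it inventories the sites that have left .sol files behind, purges both stores, and locks or unlocks them with read-only placeholder files. It assumes FLASH_DIR is the profile directory (the Linux ~/.macromedia/Flash_Player layout mentioned in the thread by default; on a Mac point it at ~/Library/Preferences/Macromedia/Flash Player) and that the on-disk layout is #SharedObjects/<random id>/<domain>/... and sys/#<domain>/settings.sol, which is how the thread describes it.

```shell
#!/bin/sh
# Added example, not a script from the thread: inventory, purge and lock down
# one user's Flash Player Local Shared Object (LSO, ".sol") stores.
#
# Assumptions: FLASH_DIR is the Flash Player profile directory (Linux default
# from the thread; set it to "$HOME/Library/Preferences/Macromedia/Flash Player"
# on a Mac). Two stores live beneath it:
#   #SharedObjects/<random id>/<domain>/...           data written by sites
#   macromedia.com/support/flashplayer/sys/#<domain>  per-site settings.sol
# The Settings Manager only clears the first, so both are handled here.

FLASH_DIR="${FLASH_DIR:-$HOME/.macromedia/Flash_Player}"
SO_STORE_REL='#SharedObjects'
SYS_STORE_REL='macromedia.com/support/flashplayer/sys'

# Every .sol file currently present, one absolute path per line.
lso_files() {
    for store in "$FLASH_DIR/$SO_STORE_REL" "$FLASH_DIR/$SYS_STORE_REL"; do
        if [ -d "$store" ]; then
            find "$store" -type f -name '*.sol'
        fi
    done
}

# Number of .sol files; awk always prints, so an empty store yields "0".
lso_count() {
    lso_files | awk 'END { print NR }'
}

# Sites that have left data behind, deduplicated. The domain is the second
# path component under #SharedObjects and the "#"-prefixed directory in sys.
lso_domains() {
    {
        if [ -d "$FLASH_DIR/$SO_STORE_REL" ]; then
            find "$FLASH_DIR/$SO_STORE_REL" -mindepth 2 -maxdepth 2 -type d \
                | sed 's|.*/||'
        fi
        if [ -d "$FLASH_DIR/$SYS_STORE_REL" ]; then
            find "$FLASH_DIR/$SYS_STORE_REL" -mindepth 1 -maxdepth 1 -type d -name '#*' \
                | sed 's|.*/||; s|^#||'
        fi
    } | sort -u
}

# Delete everything stored but leave empty stores so the player keeps working.
lso_purge() {
    for store in "$FLASH_DIR/$SO_STORE_REL" "$FLASH_DIR/$SYS_STORE_REL"; do
        rm -rf "$store"
        mkdir -p "$store"
    done
}

# Replace each store with an empty, read-only regular file. The player expects
# a directory there and cannot create one over an existing file, so no site can
# write an LSO until lso_unlock is run (the placeholder trick from the thread).
lso_lock() {
    for store in "$FLASH_DIR/$SO_STORE_REL" "$FLASH_DIR/$SYS_STORE_REL"; do
        rm -rf "$store"
        mkdir -p "$(dirname "$store")"
        : > "$store"
        chmod 400 "$store"
    done
}

# Remove the placeholders and restore writable store directories.
lso_unlock() {
    for store in "$FLASH_DIR/$SO_STORE_REL" "$FLASH_DIR/$SYS_STORE_REL"; do
        if [ -f "$store" ]; then rm -f "$store"; fi
        mkdir -p "$store"
    done
}

# Succeed only when both stores are read-only placeholder files. The mode
# string from ls is checked rather than "-w" because root can write anywhere.
lso_is_locked() {
    for store in "$FLASH_DIR/$SO_STORE_REL" "$FLASH_DIR/$SYS_STORE_REL"; do
        [ -f "$store" ] || return 1
        case "$(ls -ld "$store")" in
            -r--------*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Command-line use: lso.sh list|files|purge|lock|unlock|status
if [ $# -gt 0 ]; then
    case "$1" in
        list)   lso_domains ;;
        files)  lso_files ;;
        purge)  lso_purge ;;
        lock)   lso_lock ;;
        unlock) lso_unlock ;;
        status) lso_is_locked && echo locked || echo unlocked ;;
        *) echo "usage: $0 list|files|purge|lock|unlock|status" >&2; exit 2 ;;
    esac
fi
```

Run `list` first to see which domains are persisting data before deciding whether to purge or lock; locking stops every site from saving, including the game saves and volume settings mentioned earlier in the thread, so `unlock` is there for when that matters. The Windows paths in the thread are not covered by this script.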
Doing with out flash just removes a lot of banal subject matter from my view.
I have a spare machine with flash, for those rare sites that I must use that have flash (Dish network).
And Pine is new technology, I recently decided there might be something better than mailx.
Why "take" either one?
The flash players on the Colbert Report and The Daily Show sites require 1Mb for uninterrupted viewing. In fact, I think all of comedycentral.com has that requirement. I'm not sure what they do with that much memory (I don't trust Viacom). It's not mandatory, but they show an annoying prompt each time you load a new video, unless you agree to raise the limit from 100Kb to 1Mb.
No, I don't want "Rich Media Experiences", I want information. That's the problem right there.
rm -rf ~/.macromedia/Flash_Player/\#SharedObjects/* && chmod u-w ~/.macromedia/Flash_Player/\#SharedObjects/
WINDOWS-E to bring up explorer and navigate to:
Vista: Users//AppData/Roaming/Macromedia/Flash Player
XP: Documents and Settings//Application Data/Macromedia/Flash Player
Once there, delete everything.
The whole OS is a GUI. Learn how to use it.
Actually, I don't have a subscription. But if I did, I wouldn't need to pay extra to hide the fact. (There is an option that lets you hide it.)
Not to mention, I wrote "Slashdot" once in the post you replied to, and then once in the reply to my first post.
That's handy, flash can deliver information as well.
Each to their own, though - I've got no problem with that. What's wrong is people blaming the platform, not how people (mis)use it.
You missed "RevLeft." So it should be "OldManOnPorchWithMolotov."
Mod parent "YoungNaiveFoolWho'sLaughingNowButJustYouWaitAndSee"
gnash 0.8.4 is the third beta release of the GNU Flash movie player. If you're not satisfied with Adobe Flash, you could check gnash out.
Global Storage Settings panel
And near the bottom, a link to the Global Privacy Settings panel
Been there, done that, paid for the T-shirt
and didn't get it
I want to know why this control panel isn't either part of flashplayer, or separately downloadable. I *REALLY* dislike having to go to their website to clean crap on my system....
mark
Of course we can blame Adobe for webcrap. Adobe don't market Flash to users, but to developers. As such, Adobe do not enable users to fully control the way Flash works. Why should I have to have NoScript, Adblock and FlashBlock installed, just to regain control over the way Flash behaves? If Adobe actually cared about the user experience, Flash would have these capabilities built-in, like per-site Flash activation and full control and notification of LSO's. However such features would make Flash less attractive to developers, which is why users need these extensions to protect themselves against Flash. The simple fact is, Adobe don't care about the users, as users don't pay licence fees.
I deleted all Flash cookies. Now The Daily Show plays without commercials! Whoo hoo! FYI: I see a poster above me wasn't able to load the video. I did approve the site's pop-up request one time at first. Now I get the show, without the commercials. No other pop-ups, either.