Slashdot Mirror


Flash Cookies, a Little-Known Privacy Threat

Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.

18 of 225 comments

  1. Old News by AKAImBatman · · Score: 5, Informative

    1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

    2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

    3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

    4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

    5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

    1. Re:Old News by Sensible+Clod · · Score: 5, Informative

      There used to be a Firefox extension for Local Shared Objects, called Objection, and I used it back then, but it's not compatible with Firefox 3.

      --

      The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
    2. Re:Old News by Anonymous Coward · · Score: 5, Informative

      1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

      2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

      3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

      4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

      5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

      A bit more information...

      1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.

      2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.

      3 - This is true. You can delete sharedobjects as long as you have a movie clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.

      4 - Sure they are useful, but they can be and are misused. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.

      5 - Indeed.

    3. Re:Old News by anasciiman · · Score: 5, Informative

      I use Oblivion with Firefox 3.0.3 and it works fine.

      --
      Think of me when you shave your legs...
    4. Re:Old News by 0232793 · · Score: 4, Informative

      I can't find this on Google, but I did find an experimental add-on BetterPrivacy https://addons.mozilla.org/en-US/firefox/addon/6623 that "protects from LSO Flash Objects"

    5. Re:Old News by ScreamingCactus · · Score: 5, Informative

      There is a FF extension called Distrust, which deletes your "Flash Cookies" on exit ... I assume they're talking about the same thing here. It works with 3.

      --
      The path to enlightenment is truly through homemade drugs!
    6. Re:Old News by Rocky+Mudbutt · · Score: 3, Informative

      cd "\Documents and Settings\Application Data\Macromedia\Flash Player"
      rmdir "#SharedObjects"
      ln -s nul "#SharedObjects"

      Oh you are running windows!? Works for me in cygwin bash.

      --
      Ethics II Axiom 2. "Man thinks." B. Spinoza
  2. Somewhat Misleading by Aeonite · · Score: 5, Informative

    "Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."

    Except there's a button to delete them all at once.

  3. Can you not just delete the files directly? by BabyDave · · Score: 5, Informative

    On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?

  4. disable completely with a batchfile by Anonymous Coward · · Score: 3, Informative
  5. Re:Quick fix? by elashish14 · · Score: 4, Informative

    Er, a semicolon is helpful too: rm -r ~/.macromedia; ln -s /dev/null ~/.macromedia

    --
    I have left slashdot and am now on Soylent News. FUCK YOU DICE.
  6. Easily fixed from the same site linked in TFA by Craptastic+Weasel · · Score: 5, Informative

    Go to This site

    1.) Go to Website Storage settings -> Delete all sites

    2.) Go to Global Storage settings -> allow 0 kb of storage

    3.) ?????

    4.) Profit! (and/or continue going to porn sites...)

  7. To remove flash cache on Linux by Khopesh · · Score: 2, Informative

    Yes, I do that on Linux regularly.

    Just add this to your crontab:

    0 * * * * rm -rf ~/.macromedia ~/.adobe

    (If you actually use their other products, you might want to be more specific, like ~/.adobe/Flash_Player)

    --
    Use my userscript to add story images to Slashdot. There's no going back.
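
Added example, not part of any comment in this thread: a more selective alternative to deleting the whole directory, listing the stored shared objects per site and removing every site that is not on a keep list. It assumes the layout `<root>/<profile-id>/<site>/.../*.sol`, where `<root>` is the `#SharedObjects` directory; the function names, the `ABCD1234` profile id and the `.example` sites are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Flash Local Shared Objects (.sol files) per site and
# delete all but an allowlist.
# Assumed layout: <root>/<profile-id>/<site>/.../*.sol

# lso_sites ROOT: print "<site> <sol-files> <bytes>" for each site, sorted.
lso_sites() (
  for dir in "$1"/*/*/; do
    if [ ! -d "$dir" ]; then continue; fi
    files=$(find "$dir" -type f -name '*.sol' | wc -l | tr -d ' ')
    bytes=$(find "$dir" -type f -name '*.sol' -exec cat {} + | wc -c | tr -d ' ')
    echo "$(basename "$dir") $files $bytes"
  done | sort
)

# lso_prune ROOT KEEP...: delete every site directory whose name is not in
# KEEP and print the names removed. Symlinked site entries are left alone.
lso_prune() (
  root=$1; shift
  for dir in "$root"/*/*/; do
    dir=${dir%/}
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then continue; fi
    site=$(basename "$dir"); keep=no
    for k in "$@"; do
      if [ "$site" = "$k" ]; then keep=yes; fi
    done
    if [ "$keep" = no ]; then rm -rf -- "$dir"; echo "$site"; fi
  done | sort
)

# Constructed sample tree, for demonstration only.
make_sample() (
  for s in games.example tracker.example video.example; do
    mkdir -p "$1/ABCD1234/$s"
    printf 'constructed' > "$1/ABCD1234/$s/settings.sol"
  done
  mkdir -p "$1/ABCD1234/tracker.example/ads"
  printf 'uid=constructed-0001' > "$1/ABCD1234/tracker.example/ads/id.sol"
)

demo=$(mktemp -d)
make_sample "$demo"
lso_sites "$demo"                               # inventory before pruning
lso_prune "$demo" games.example video.example   # keep two sites, drop the rest
rm -rf "$demo"
```

On a real profile, run `lso_sites` on its own first and review the list before passing a keep list to `lso_prune`.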
  8. Re:Duh department by GuldKalle · · Score: 3, Informative

    Can you point to a source, please?
    Because the front page of FlashBlocks site says something different:

    Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content.

    (Emphasis taken from source)

    --
    What?
  9. Re:How are Cookies "Privacy Threats"? by Spamalope · · Score: 2, Informative

    But how are properly functioning cookies any threat to privacy?

    If the cookies are set by a 3rd party who has linked content on many websites, that 3rd party can track your activity through all of those sites. If you visit a website that you've given your personal details (say, to buy something), then the website and 3rd party can share information about you. Now they both know who you are and what you do online.

    How do you feel about banner ads hosted by 3rd parties setting cookies on your computer now?

  10. Re:How are Cookies "Privacy Threats"? by zuperduperman · · Score: 2, Informative

    Cross correlation is a huge problem, because sites do deals with each other to trade information. Advertisers, present on nearly every site, get to save cookies that correlate where you have visited. They can then on-sell or match that information to that from other companies. Thus simply by browsing the web you are potentially creating a public profile available to anyone who wants to buy it. How would you feel if a future employer could purchase and review your browsing history and see a large subset of the sites you visit on the internet when considering your job application? It's fast becoming a possibility.

    The big problem with flash cookies is that they are out of the browser's control. At least with normal cookies there are indications and controls in the browser to allow you to know and control your privacy. However, all these browser privacy features are made moot because flash completely ignores them, and enables its cookies by default regardless of whatever preferences or settings you have set in the browser.

    So - yes, flash is evil and yes, it's a problem.

  11. Re:Flashblock will not protect you by TLLOTS · · Score: 2, Informative

    I read about this some time ago, so keep in mind that it may no longer be correct. As I understand it, Flashblock works by analyzing the DOM as it's loaded and anytime it sees Flash content it removes it and inserts its own Flashblock placeholder. What this means is that it is possible for Flash to execute before it is removed; however, given the delay before the SWF in question is downloaded, it's very unlikely that it would begin executing before Flashblock is able to remove it.

  12. Re:Flashblock will not protect you by Inda · · Score: 2, Informative

    You and the GP AC are correct. Try running FlashBlock on a very slow PC and you'll see the first frame of the Flash application display... but this was witnessed by me over 6 months ago, I have not been back on my old, slow PC in a while.

    --
    This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.