Flash Cookies, a Little-Known Privacy Threat

← Back to Stories (view on slashdot.org)

Flash Cookies, a Little-Known Privacy Threat

Posted by kdawson on Tuesday October 14, 2008 @06:43AM from the flashblock-considered-mandatory dept.

Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.

13 of 225 comments (clear)

Min score:

Reason:

Sort:

Old News by AKAImBatman · 2008-10-14 06:44 · Score: 5, Informative

1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.
2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.
3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.
4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.
5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

--
Javascript + Nintendo DSi = DSiCade
1. Re:Old News by Sensible+Clod · 2008-10-14 06:53 · Score: 5, Informative
  
  There used to be a Firefox extension for Local Shared Objects, called Objection, and I used it back then, but it's not compatible with Firefox 3.
  
  --
  
  The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
2. Re:Old News by Anonymous Coward · 2008-10-14 06:59 · Score: 5, Informative
  
  1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.
  2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.
  3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.
  4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.
  5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.
  A bit more information...
  1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.
  2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.
  3 - This is true. You can delete sharedobjects as long as you have a move clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.
  4 - Sure they are useful, but the can and are misued. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.
  5 - Indeed.
3. Re:Old News by anasciiman · 2008-10-14 07:34 · Score: 5, Informative
  
  I use Oblivion with Firefox 3.0.3 and it works fine.
  
  --
  Think of me when you shave your legs...
4. Re:Old News by 0232793 · 2008-10-14 08:02 · Score: 4, Informative
  
  I can't find this on Google, but I did find an experimental add-on BetterPrivacy https://addons.mozilla.org/en-US/firefox/addon/6623 that "protects from LSO Flash Objects"
5. Re:Old News by ScreamingCactus · 2008-10-14 08:53 · Score: 5, Informative
  
  There is a FF extension called Distrust, which deletes your "Flash Cookies" on exit ... I assume they're talking about the same thing here. It works with 3.
  
  --
  The path to enlightenment is truly through homemade drugs!
6. Re:Old News by Rocky+Mudbutt · 2008-10-14 10:01 · Score: 3, Informative
  
  cd "\Documents and Settings\Application Data\Macromedia\Flash Player\"
  rmdir "#SharedObjects"
  ln -s nul "#SharedObjects"
  Oh you are running windows!? Works for me in cygwin bash.
  
  --
  Ethics II Axiom 2. "Man thinks." B. Spinoza
Somewhat Misleading by Aeonite · 2008-10-14 06:53 · Score: 5, Informative

"Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."
Except there's a button to delete them all at once.
Can you not just delete the files directly? by BabyDave · 2008-10-14 07:01 · Score: 5, Informative

On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?
disable completely with a batchfile by Anonymous Coward · 2008-10-14 07:03 · Score: 3, Informative

Or... a simple batchfile for neutering the little bastards completely. ... assuming they haven't changed anything.
Re:Quick fix? by elashish14 · 2008-10-14 07:04 · Score: 4, Informative

Er, a semicolon is helpful too: rm -r .macromedia; ln -s /dev/null ~/.macromedia

--
I have left slashdot and am now on Soylent News. FUCK YOU DICE.
Easily fixed from the same site linked in TFA by Craptastic+Weasel · 2008-10-14 07:05 · Score: 5, Informative

Go to This site

1.) Go to Website Storage settings -> Delete all sites

2.) Go to Global Storage settings -> allow 0 kb of storage

3.) ????? 4.) Profit! (and/or continue going to porn sites...)
Re:Duh department by GuldKalle · 2008-10-14 08:21 · Score: 3, Informative

Can you point to a source, please?
Because the front page of FlashBlocks site says something different:

Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content.
(Emphasis taken from source)

--
What?