Slashdot Mirror


Flash Cookies, a Little-Known Privacy Threat

Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.


  1. Old News by AKAImBatman · · Score: 5, Informative

    1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

    2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

    3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

    4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

    5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

    1. Re:Old News by Sensible+Clod · · Score: 5, Informative

      There used to be a Firefox extension for Local Shared Objects, called Objection, and I used it back then, but it's not compatible with Firefox 3.

      --

      The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
    2. Re:Old News by Anonymous Coward · · Score: 5, Informative

      1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

      2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

      3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

      4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

      5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

      A bit more information...

      1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.

      2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.

      3 - This is true. You can delete sharedobjects as long as you have a movie clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.

      4 - Sure they are useful, but they can be and are misused. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.

      5 - Indeed.

    3. Re:Old News by anasciiman · · Score: 5, Informative

      I use Oblivion with Firefox 3.0.3 and it works fine.

      --
      Think of me when you shave your legs...
    4. Re:Old News by 0232793 · · Score: 4, Informative

      I can't find this on Google, but I did find an experimental add-on BetterPrivacy https://addons.mozilla.org/en-US/firefox/addon/6623 that "protects from LSO Flash Objects"

    5. Re:Old News by ScreamingCactus · · Score: 5, Informative

      There is a FF extension called Distrust, which deletes your "Flash Cookies" on exit ... I assume they're talking about the same thing here. It works with 3.

      --
      The path to enlightenment is truly through homemade drugs!
  2. Somewhat Misleading by Aeonite · · Score: 5, Informative

    "Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."

    Except there's a button to delete them all at once.

  3. Can you not just delete the files directly? by BabyDave · · Score: 5, Informative

    On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?
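
An added example, not part of any comment in this thread: a read-only audit of the `#SharedObjects` directory named in the comments above, reporting per site how many `.sol` files it holds, their total size, and the age of the oldest one. The function names, the constructed `.example` sites, and the rule for skipping a wrapper directory above the site directories are assumptions of this sketch.

```python
import os
import sys
import tempfile
import time
from collections import defaultdict
from pathlib import Path

def site_of(rel):
    # Assumption: a first path component with no dot in it is a per-profile
    # wrapper directory, so the site name is the component after it.
    parts = Path(rel).parts
    if len(parts) > 2 and "." not in parts[0]:
        return parts[1]
    return parts[0]

def audit_shared_objects(root, now=None):
    """Return {site: {"files", "bytes", "age_days"}} for .sol files under root."""
    now = time.time() if now is None else now
    root = Path(root)
    report = defaultdict(lambda: {"files": 0, "bytes": 0, "age_days": 0})
    for path in root.rglob("*.sol"):
        st = path.stat()
        entry = report[site_of(path.relative_to(root))]
        entry["files"] += 1
        entry["bytes"] += st.st_size
        # Age of the oldest object shows how long the site has kept data.
        entry["age_days"] = max(entry["age_days"], int((now - st.st_mtime) // 86400))
    return dict(report)

def build_sample_tree(base, now):
    """Constructed sample data: (relative path, size in bytes, age in days)."""
    root = Path(base) / "#SharedObjects"
    for rel, size, age in [("WRAP1234/tracker.example/id.sol", 64, 400),
                           ("WRAP1234/games.example/save/slot1.sol", 2048, 3),
                           ("WRAP1234/games.example/volume.sol", 32, 1)]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)
        mtime = now - age * 86400 - 3600  # one hour past the day boundary
        os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tmp, int(time.time()))
        for site, e in sorted(audit_shared_objects(root).items(), key=lambda kv: -kv[1]["age_days"]):
            print(f"{site:30} {e['files']:3} files {e['bytes']:8} bytes  oldest {e['age_days']} days")
```

Pass the real `#SharedObjects` path as the first argument to audit an actual profile; with no argument the script runs against the constructed sample tree.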

  4. Re:Quick fix? by elashish14 · · Score: 4, Informative

    Er, a semicolon is helpful too: rm -r .macromedia; ln -s /dev/null ~/.macromedia

    --
    I have left slashdot and am now on Soylent News. FUCK YOU DICE.
  5. Easily fixed from the same site linked in TFA by Craptastic+Weasel · · Score: 5, Informative

    Go to This site

    1.) Go to Website Storage settings -> Delete all sites

    2.) Go to Global Storage settings -> allow 0 kb of storage

    3.) ?????

    4.) Profit! (and/or continue going to porn sites...)