Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flash Cookies, a Little-Known Privacy Threat

Posted by kdawson on from the flashblock-considered-mandatory dept.

Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.

14 of 225 comments (clear)

  1. Get Flashblock now. by ajs · · Score: 2, Insightful

    Seriously, get flashblock from the Firefox addons site. You need it. Badly. The number of sites with the equivalent of the pixel.gif tracking or the Google Analytics type JavaScript tracking, but as a small Flash plugin are growing astronomically, and Adobe has no reason to favor your privacy over their customer's demands. These little apps aren't there to serve your needs or improve you're browsing experience, and they just should never run. If you want to run a Flash app, that's fine: click on it to run it.

    I use Flashblock and I've been watching Hulu and YouTube and enjoying all sorts of sites that use Flash. I'm also instantly aware of any site that's too lazy to present a standard Web page when I see a giant "click to run" button over the whole page, and I find another site. This is part of the process, and is an important way that neophyte Web developers learn that they can't just throw up Flash and not worry about Web standards.

  2. And this ... by gstoddart · · Score: 4, Insightful

    This is why I don't install flash on my machines.

    Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.

    Cheers

    --
    Lost at C:>. Found at C.
    1. Re:And this ... by Anonymous Coward · · Score: 2, Insightful

      The parent sounds like the people who still use pine for checking their email. At some point, folks, the world is going to move on to new technology whether or not it is secure or you like it. I guess everyone has to make the decision to continue living life and embracing new technology or completely blocking it out and hoping it will go away. Websites that require flash aren't going to go away, folks: they are going to multiply. We shouldn't try to stop flash, or to ignore it, we should try to work toward helping them secure it. And I would take Flash over Silverlight any day-

    2. Re:And this ... by Todd+Fisher · · Score: 2, Insightful

      I'm guessing you don't have kids.

      --


      --I'm not talking about dance lessons. I'm talking about putting a brick through the other guy's windshield.-
    3. Re:And this ... by Danny+Rathjens · · Score: 4, Insightful

      Imagine if people said the same thing about windows and gave up on linux. We can do much better than proprietary junk like flash.

    4. Re:And this ... by bongomanaic · · Score: 2, Insightful

      It's also used by some of the best sites on the web, such as BBC iPlayer and Fora.tv because it is the only sensible way to deliver no-fuss cross-platform online video. It's also a lightweight and better looking alternative to java or ajax for all sorts of entertaining and educational applets. Non-assholes use flash too because it just works. Blocking all flash because it is sometimes used in ads is as sensible as blocking jpegs because they are sometimes used in ads. If the only flash you've come across is in ads then it is your taste is web sites, rather than flash, that is at fault.

    5. Re:And this ... by Hatta · · Score: 5, Insightful

      Why should we all accept a technology that is almost always used inappropriately? It's not being a luddite to expect people to use the right tool for the job. Flash is a technology that's good for vector animations. Stuff like homestar runner benefit from using flash, and nobody is going to complain that such a site uses flash.

      But what about all the websites that use flash based navigation? Does flash do anything that they can't do with html/javascript? No. Then what's the point? It's not progress if it doesn't enable you to do anything new. It's just dumb.

      And then there's sites like YouTube which use flash to serve up videos. I mean, come on. Embedding a video file in a flash application makes about as much sense as embedding an image in flash. The right thing to do is to send the video over http, and let the browser decide what to do with it. Just like we do with .jpg, .pdf, .mp3, and everything else on the internet.

      So don't give me this bullshit about flash haters being anti-progress, because there's really very little that flash actually does that anyone actually needs. It's almost always the wrong tool for the job.

      p.s. pine still works great, what's your problem with it?

      --
      Give me Classic Slashdot or give me death!
  3. Re:To remove flash cache on Linux by Khopesh · · Score: 3, Insightful

    srm and shred aren't assured security if you're on a journaled filesystem. More importantly, if the Flash application is rooting through your filesystem looking for deleted data, "secure deletion" should be applied to Flash itself, not just its cache. That would be outrageous.

    My point is that you're merely trying to delete cookies to prevent user tracking. Secure deletion on your physical disk is not needed unless you're looking at a very special kind of content. ... Using srm or shred here would be like running your newspaper through the shredder because you never know who might be looking for the smudge marks that indicate what you actually read.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  4. Re:Old News by gravis777 · · Score: 2, Insightful

    My question has always been, are cookies even really that bad? This may just be me, but I am not that concerned - unless a cookie for one site is actually tracking what I am DOING on another site - ie if Slashdot suddenly started tracking what I was doing at my bank. I may be totally ignorant here, but I did not think cookies worked that way. And who actually has time to poll through all that user data? I have a low-traffic website, and just for grins, I will go in sometimes and look at the server logs, but most of these is just kind of curiosity over what countries are visiting me. Sometimes I will look at the terms people typed into search engines to find me (this is not a cookie, just standard Apachee server logs), but that is about it. I do not have the time, nor the desire to look at mroe than that. In fact, I usually do nt have the time to look at even that.

    So, let's just say that someone is using a shared object to store browsing history. So what? Unless my church saw that after I went to their website I visited some girl-on-girl site (or vice versa), I really don't care. Of course, it could just be me being ignorant, but cookies are not what I am worried about. I am worried about other people going to Smiley Central or Living Screensavers or Coupon Toolbar or something than about cookies.

  5. Flash Cookies, a Little-Known Privacy Treat... by frito_x · · Score: 2, Insightful

    "... all your cookies are belong to us..."

    - the Cookie Monster.

  6. Re:scare-monger by ratboy666 · · Score: 2, Insightful

    So, tell me... How is it that a flash application available on-line (from adobe) is able to delete and assign space to those very elements? You are telling me that it is not, in turn, able to access those very items? And, if it can access those items, is this not a far worse security issue than browser cookies?

    Just wondering.

    Now, add to this (the configuration panel for flash storage being available on-line, accessible without the need of a password) to the actual (closed source) implementation of flash -- aren't alarm bells going off in your head?

    --
    Just another "Cubible(sic) Joe" 2 17 3061
  7. Re:And this ... *crap is technology agnostic* by mb1 · · Score: 4, Insightful

    ffs, there are plenty of irritating html sites as well...

    I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)

    flash != junk
    people making junk with flash == junk

    (and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)

    If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)

    If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.

    Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.

    And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...

    So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.

    Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.

  8. Re:Quick fix? by Keeper+Of+Keys · · Score: 2, Insightful

    Surely the main privacy issue is the site reading back what it wrote? So it should be:
    chmod -r ~/.macromedia
    Let it write all it wants.

  9. Re:Old News by NickFortune · · Score: 3, Insightful

    My question has always been, are cookies even really that bad?

    That depends on the level of privacy to which you aspire, online. As far as I'm concerned, my business is my business. Of course, if you're happy living your online existence in a goldfish bowl, that's different.

    And who actually has time to poll through all that user data?

    Data mining programs do. Then people get to see whatever the programs flag up.

    So, let's just say that someone is using a shared object to store browsing history. So what? Unless my church saw that after I went to their website I visited some girl-on-girl site (or vice versa), I really don't care.

    Well, all that data goes into databases, and the data gets leaked and sold and demanded by the government, and burned to CD-Rom which then gets lost... and on the way ends up being amalgamated with with other databases. It's already possible to uncomfortably detailed profiles of people using only Google. That's without mining someone's clickstream over a year or so.

    Maybe you don't care who's looking over your metaphorical shoulder as you surf; I accept that many people do not. Nevertheless, for what I suspect are the majority of surfers, there's a definite issue here.

    --
    Don't let THEM immanentize the Eschaton!