Flash Cookies, a Little-Known Privacy Threat
Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.
1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.
2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.
3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.
4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.
5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.
Javascript + Nintendo DSi = DSiCade
I flashed my cookies once and did a weekend in the slammer.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
So much for 'privacy mode' browsing. Then again, who needs flash when you're in privacy mode, right?
I have left slashdot and am now on Soylent News. FUCK YOU DICE.
This is super old news, yet another reason for Flashblock.
I want to delete my account but Slashdot doesn't allow it.
I don't allow any site to store any information on my machine, except when it is beneficial to me. That means, Slashdot can store cookies (session only), RevLeft can store cookies for ever, and various email places can store session only cookies.
However, every other site is blocked by default (Firefox plugin called CookieSafe). With Flash, yes I'm using Macromedia's shit plugin, but even then the default (and I'm not going to change it) is to not allow any site to save any information.
Of course, I also use NoScript and AdBlock... Yada yada.
I'm on the web for my benefit, not for the benefit of advertisers and other scum.
I've also heard about a trick to delete the folder where the Macromedia plugin stores the stuff and replace it with a read only blank file of the same name. Look into that if you don't trust Adobe as far as you can kick them...
I wank in the shower.
"Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."
Except there's a button to delete them all at once.
Seriously, get flashblock from the Firefox addons site. You need it. Badly. The number of sites with the equivalent of the pixel.gif tracking or the Google Analytics type JavaScript tracking, but as a small Flash plugin, is growing astronomically, and Adobe has no reason to favor your privacy over their customers' demands. These little apps aren't there to serve your needs or improve your browsing experience, and they just should never run. If you want to run a Flash app, that's fine: click on it to run it.
I use Flashblock and I've been watching Hulu and YouTube and enjoying all sorts of sites that use Flash. I'm also instantly aware of any site that's too lazy to present a standard Web page when I see a giant "click to run" button over the whole page, and I find another site. This is part of the process, and is an important way that neophyte Web developers learn that they can't just throw up Flash and not worry about Web standards.
My specific comment to this news article and your response is that third party objects always reduce security as they increase features and that is a constant and yes that is not new.
A slight side-note...
You must be new here. Welcome to Slashdot.org where you can get news of many varieties. Some is stale dated, some is duplicated but it's all kinda interesting to talk about and that is why most of us like it here.
Because even if the news is old, the discussion at Slashdot is always new! (well at least the higher rated discussions)
And a quick follow up to that post. What happens if I hit a site that requires cookies (for no apparent reason)? I leave. The most common website is lyrics websites, and considering the number of them there are, I don't care if I miss out on one more.
The same with JavaScript, there are only a few websites that I've enabled JS by default (Slashdot is one). But for all the rest, unless they have an obvious use for it (and can't provide alternative content), I leave if it's required.
Screw them. I've got better things to do with my time than fuck around with websites that can't degrade gracefully.
This is why I don't install flash on my machines.
Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.
Cheers
Lost at C:>. Found at C.
On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?
I did this and it seems to work: rm -r .macromedia
ln -s /dev/null ~/.macromedia
YMMV.
Or... a simple batch file for neutering the little bastards completely. ... assuming they haven't changed anything.
Go to This site
1.) Go to Website Storage settings -> Delete all sites
2.) Go to Global Storage settings -> allow 0 kb of storage
3.) ????? 4.) Profit! (and/or continue going to porn sites...)
Find the folder they are stored in:
Windows: C:\Documents and Settings\[username]\Application Data\Macromedia\Flash Player
Mac: /Users/[username]/Library/Preferences/Macromedia/Flash Player
Linux: ~/.macromedia
and delete the folder, then create a file with the folder's name, so it can't be created.
CORPORATION, n. An ingenious device for obtaining individual profit without individual responsibility.
Even if you are correct (I don't know if you are or not), then using NoScript would stop Flash before it loaded.
Yes, I do that on Linux regularly.
Just add this to your crontab:
0 * * * * rm -rf ~/.macromedia ~/.adobe
(If you actually use their other products, you might want to be more specific, like ~/.adobe/Flash_Player)
Use my userscript to add story images to Slashdot. There's no going back.
I can understand if there's a bug that lets one site read or write another site's cookies. But how are properly functioning cookies any threat to privacy? They are indeed a threat to anonymity, only because they let a site ID a browser (or a Flash player or some other client) as "the same as that other time". But what private info other than that you are the same person (or maybe not, on a shared machine) is threatened? The remote site could just store on its server any info about your transactions. It could require that you login to verify that you're that same returning visitor. And even without cookies, a remote site could send any info it got from your transactions over to any other site without notifying you. Cookies have nothing to do with it.
Of course, any info stored on my machine should have a usable UI to manage it. But an inconvenient one isn't really a "privacy threat". After all, what is the threat? What goes wrong when it's abused?
--
make install -not war
rm -r /Users/username/Library/Preferences/Macromedia/Flash\ Player/#SharedObjects/* /Users/username/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys/*
The same thing can apply to any browser-side storage : localStorage, globalStorage, userData, Google Gears and HTML5 database storage.
Purging those is not as easy as with cookies.
But they also have a lot of legitimate uses.
"by default" it enables average users to use nifty Adobe player functionality. (My pizza store, by default, now remembers me and the last time I was there! Wicked!) You can also choose max disk space for these cookies, you can also easily delete them, and you can easily stop them from being saved. I agree the access to this information isn't "easy", but this is far from being a security problem. I had to go through just as many clicks to get to my Firefox cookies as to get to the Flash cookies. They also store only information they request, which in some cases means saved game files (for Flash games). This article, with its hefty bolding of sentences, makes this out to be an OMG! situation, when it's not. Just as Firefox, by DEFAULT, enables cookies and JavaScript code. Why can't Flash? This panel can also be accessed when using almost ANY Flash application, through the right-click context menu. Seriously, this feels like very little investigation of comparison. American-style scare-mongering at its finest IMHO.
Mod parent "OldManOnPorchWithShotgun"
Here's the user-unfriendly GUI for deleting them one at a time, each one requiring confirmation.
I clicked on delete all sites - it asked if I wanted to and every one of them was gone in two clicks.
All the shared data I see on my computer is from cnn, nbc, edios, ea, youtube, etc.... Then again, maybe that is because I am NOT stupid enough to allow Java or Flash on a shady site...
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
"... all your cookies are belong to us..."
- the Cookie Monster.
Shouldn't that be Adobe Flash now?
... and then they built the supercollider.
ffs, there are plenty of irritating html sites as well...
I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)
flash != junk
people making junk with flash == junk
(and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)
If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)
If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.
Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.
And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...
So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.
Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.
CCleaner does a nice job of keeping this intrusion, and others, under control.
Oye. Oye oye. Cookies. I hear so many arguments about cookies and privacy and such. I seriously want to know what's so BAD about this? I still don't get it. It's not like they're looking in your living room or bedroom. It's not like they're listening in on phone conversations. It's not like they're gaining your SSN or mother's maiden name or such.
Programatically a cookie that has any info that you might want to consider "private" won't need anything like a userid in every cookie. Just the ones that pertain to the user ID for help with logging in.
Cookies are only sent to the domain or website that pertains to them. Ads on a website get their own cookies, separate from the website's cookies. So ads know an anonymous person in general geographical area (based on IP) has seen or clicked on specific ads that were generated on specific sites.
Do you think these people have time to go into THAT kind of detail? They probably just compile stats and say "7% of our clicks to this ad came from this site and the highest percentages came from these towns".
God forbid I become a stat. Oh wait I already am probably.
Seriously though: I think many people need to calm down and not see cookies as a big brother thing or anything that's a serious threat. The only serious threat would be a browser bug or exploit that allows any site to receive/view any cookie that it's not supposed to see.
Pancakes. Oh I blew it.
I would say that I resemble that remark, but I upgraded to alpine earlier this year. MUAs aside, what matters isn't whether the technology is newer but whether it's better. Flash websites are worse than HTML ones in some important regards, such as ability to bookmark / link to specific pages within them. Oh, and you can't view them in lynx.
I'm almost certain that this is incorrect. I've had many systems that I've run Firefox on where I've clicked on the flashblock icon only to realize that I didn't have flash installed, and thus nothing happened.
To quote their site:
"Flashblock [...] blocks ALL Flash content from loading."
That's "from loading" not "from running more than an instant," so unless this is incorrect, and my experiences are somehow also misleading, I'm pretty sure you're wrong.
I visited a fishing gear site last week, and a few days later I was surprised to be served an ad on a non fishing site for fishing rods from the first site. I always delete my history etc., so I was curious to see from where this was served. I hovered over what I thought was an image used as a link, and nothing showed on the status bar, so I right clicked on it and saw it was an embedded flash player. That was when I started searching through the .macromedia directory and finding the .sol files. The bottom line... can Flash cookies be used to serve targeted ads? Yes they can. What else... who knows.
Did you pay a premium on your /. subscription to hide the * next to your name?
Repton.
They say that only an experienced wizard can do the tengu shuffle.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html
"The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer."
Of course, you do have to take their word for it - but it doesn't appear as though a Flash app on Adobe's servers is reading that information in, itself; and presumably that means other Flash apps can't, either.
It's still very, very odd that it is displayed on their site, though - where's the config option in the plug-in / external app / whatever? I have to go online, and access Adobe's site, in order to change settings? That's just plain weird.
When a guy at Defcon gave a talk on this in August he even mentioned then that it was essentially old news. However, it is interesting that not everybody knows about this and that browsers can't just clear this data out more trivially.
"...today consumers have been conditioned to think of beer when they see a bullfrog..."
This is where the ~why~ in technology is kind of important, much less bringing in the critical issues of security and compliance. Whether it's a more integrated cookie function specification like a better way of utilizing flash cookies being operated by private marketplaces and somehow, concurrently, have independent oversight by regulatory forces or it's the ad-hoc, free markets and buyer beware system we're stuck with now there's got to be a better way to run commerce.
I think when it comes to content using cookies there is the application layer stuff plus subscription technologies which are preferred to ad buys, and I don't think it's the interface as much as it's the format that is important.
I think source-side .FLVs are good. Whether a streaming FLV file is obscured or the URL is open users at any rate should be able to 1) embed links to the video and 2) modify the pixel ratios with respect to their machine's memory. Generally I believe what browser is playing what media file and the physical/virtual location are what the flash cookies now store as retrievable data.
On my system a second copy is stored at
%USERPROFILE%\Application Data\Macromedia\macromedia.com\support\flashplayer\sys
So do a find on a single entry on your system to locate both caches, e.g., find #flash.quantserve.com.
The macromedia GUI only cleans the first directory's cache, leaving the second untouched.
You can manually delete them from both areas.
Who should I contact?
Is this a serious problem?
I read about this sometime ago, so keep in mind that it may no longer be correct. As I understand it, Flashblock works by analyzing the DOM as it's loaded and anytime it sees Flash content it removes it and inserts its own Flashblock placeholder. What this means is that it is possible for Flash to execute before it is removed, however given the delay before the SWF in question is downloaded it's very unlikely that it would begin executing before Flashblock is able to remove it.
Doing with out flash just removes a lot of banal subject matter from my view.
I have a spare machine with flash, for those rare sites that I must use that have flash (Dish network).
And Pine is new technology; I recently decided there might be something better than mailx.
Why "take" either one?
The Flash players on the Colbert Report and The Daily Show sites require 1 MB for uninterrupted viewing. In fact, I think all of comedycentral.com has that requirement. I'm not sure what they do with that much memory (I don't trust Viacom). It's not mandatory, but they show an annoying prompt each time you load a new video, unless you agree to raise the limit from 100 KB to 1 MB.
No, I don't want "Rich Media Experiences", I want information. That's the problem right there.
rm -rf ~/.macromedia/Flash_Player/\#SharedObjects/* && chmod u-w ~/.macromedia/Flash_Player/\#SharedObjects/
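Pulling the thread's clean-up recipes together (the ~/.macromedia deletion and /dev/null symlink, the read-only placeholder trick, the second cache under macromedia.com/support/flashplayer/sys, the crontab purge, and the .sol files the fishing-gear poster dug up), here is an added Python example; it is not code from any post above. It locates .sol files in both caches, decodes each one's header and AMF0 fields so you can see what a site actually stored (a unique visitor id in the tracker's case, as the "do evil Flash tracking" comment describes), then deletes both caches and leaves a read-only empty file at each path so the player cannot recreate them. The Linux path layout comes from the thread; the random per-profile directory between #SharedObjects and the domain, and the .sol header and AMF0 encoding, are assumed from the public file format. The profile directory, domain names and stored values are constructed for the demonstration, and only AMF0 number, boolean and string fields are decoded.

```python
"""Added example, not code from the thread: inspect and purge Flash Local
Shared Objects (.sol files). Paths follow the Linux layout given in the
thread (~/.macromedia/Flash_Player); the random per-profile directory under
#SharedObjects and the .sol header/AMF0 encoding are assumed from the public
file format. Sample contents below are constructed for the demonstration."""
import os
import shutil
import struct
import tempfile

SHARED = "#SharedObjects"                                  # per-site objects
SYS = os.path.join("macromedia.com", "support", "flashplayer", "sys")  # per-site settings


def encode_sol(name, fields):
    """Build a minimal AMF0 .sol file (used here only to construct samples)."""
    body = b""
    for key, val in fields.items():
        k = key.encode()
        body += struct.pack(">H", len(k)) + k
        if isinstance(val, bool):
            body += b"\x01" + bytes([val])
        elif isinstance(val, (int, float)):
            body += b"\x00" + struct.pack(">d", float(val))
        else:
            s = str(val).encode()
            body += b"\x02" + struct.pack(">H", len(s)) + s
        body += b"\x00"                                    # entry terminator
    n = name.encode()
    rest = (b"TCSO\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(n)) + n
            + b"\x00\x00\x00\x00" + body)                  # version 0 = AMF0
    return b"\x00\xbf" + struct.pack(">I", len(rest)) + rest


def decode_sol(data):
    """Return (object name, {field: value}); AMF3 bodies are left undecoded."""
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a .sol file")
    pos = 16
    (nlen,) = struct.unpack_from(">H", data, pos); pos += 2
    name = data[pos:pos + nlen].decode(); pos += nlen
    (version,) = struct.unpack_from(">I", data, pos); pos += 4
    fields = {}
    while version == 0 and pos < len(data):
        (klen,) = struct.unpack_from(">H", data, pos); pos += 2
        key = data[pos:pos + klen].decode(); pos += klen
        marker = data[pos]; pos += 1
        if marker == 0x00:                                 # number
            (val,) = struct.unpack_from(">d", data, pos); pos += 8
        elif marker == 0x01:                               # boolean
            val = data[pos] != 0; pos += 1
        elif marker == 0x02:                               # string
            (slen,) = struct.unpack_from(">H", data, pos); pos += 2
            val = data[pos:pos + slen].decode(); pos += slen
        else:
            break                                          # unsupported type
        fields[key] = val
        pos += 1                                           # entry terminator
    return name, fields


def list_objects(flash_dir):
    """Return sorted (cache, domain, path) for every .sol in both caches."""
    found = []
    for cache in (SHARED, SYS):
        root = os.path.join(flash_dir, cache)
        for dirpath, _, files in os.walk(root):
            for f in files:
                if f.endswith(".sol"):
                    rel = os.path.relpath(dirpath, root).split(os.sep)
                    domain = rel[1] if cache == SHARED else rel[0].lstrip("#")
                    found.append((cache, domain, os.path.join(dirpath, f)))
    return sorted(found)


def purge_and_lock(flash_dir):
    """Delete both caches, then leave a read-only empty file at each path so
    the player cannot recreate the directory (the thread's placeholder trick)."""
    for cache in (SHARED, SYS):
        path = os.path.join(flash_dir, cache)
        if os.path.isdir(path):
            shutil.rmtree(path)
        elif os.path.lexists(path):
            os.remove(path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.chmod(path, 0o444)


def make_sample_profile(flash_dir):
    """Constructed sample: a video site remembering player prefs, an ad
    network storing a visitor id, and a settings object for the video site."""
    samples = {
        os.path.join(SHARED, "ABC123XY", "www.example-video.com", "player", "prefs.sol"):
            ("prefs", {"volume": 0.8, "muted": False}),
        os.path.join(SHARED, "ABC123XY", "ads.example-tracker.net", "uid.sol"):
            ("uid", {"visitor": "f3a9c1d27e5b4a08", "visits": 12}),
        os.path.join(SYS, "#www.example-video.com", "settings.sol"):
            ("settings", {"allow": True}),
    }
    for rel, (name, fields) in samples.items():
        path = os.path.join(flash_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(encode_sol(name, fields))


def demo(flash_dir=None):
    """Create the sample profile, report what each site stored, then purge.
    Returns ({(domain, name): fields}, number of .sol files left)."""
    flash_dir = flash_dir or os.path.join(tempfile.mkdtemp(), "Flash_Player")
    make_sample_profile(flash_dir)
    stored = {}
    for cache, domain, path in list_objects(flash_dir):
        with open(path, "rb") as fh:
            name, fields = decode_sol(fh.read())
        stored[(domain, name)] = fields
        print(f"{cache}: {domain} {name} -> {fields}")
    purge_and_lock(flash_dir)
    return stored, len(list_objects(flash_dir))


if __name__ == "__main__":
    demo()
```

To run it against a real profile, call `list_objects` and `purge_and_lock` with `os.path.expanduser("~/.macromedia/Flash_Player")` (or the Mac path the thread gives) instead of the temporary directory that `demo` creates; note that `purge_and_lock` is as destructive as the `rm -rf` one-liners above, and that the placeholder file only stops the player from recreating the directory while it stays in place and non-writable.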
WINDOWS-E to bring up explorer and navigate to:
Vista: Users//AppData/Roaming/Macromedia/Flash Player
XP: Documents and Settings//Application Data/Macromedia/Flash Player
Once there, delete everything.
The whole OS is a GUI. Learn how to use it.
Actually, I don't have a subscription. But if I did, I wouldn't need to pay extra to hide the fact. (There is an option that lets you hide it.)
Not to mention, I wrote "Slashdot" once in the post you replied to, and then once in the reply to my first post.
You and the GP AC are correct. Try running FlashBlock on a very slow PC and you'll see the first frame of the Flash application display... but this was witnessed by me over 6 months ago, I have not been back on my old, slow PC in a while.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
That's handy, flash can deliver information as well.
Each to their own, though - I've got no problem with that. What's wrong is people blaming the platform, not how people (mis)use it.
gnash 0.8.4 is the third beta release of the GNU Flash movie player. If you're not satisfied with Adobe Flash, you could check gnash out.
Best post EVAR!
Global Storage Settings panel
And near the bottom, a link to the Global Privacy Settings panel
Been there, done that, paid for the T-shirt
and didn't get it
I want to know why this control panel isn't either part of flashplayer, or separately downloadable. I *REALLY* dislike having to go to their website to clean crap on my system....
mark
I deleted all Flash cookies. Now The Daily Show plays without commercials! Whoo hoo! FYI: I see a poster above me wasn't able to load the video. I did approve the site's pop-up request one time at first. Now I get the show, without the commercials. No other pop-ups, either.