Slashdot Mirror


Flash Cookies, a Little-Known Privacy Threat

Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.


  1. Old News by AKAImBatman · · Score: 5, Informative

    1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

    2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

    3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

    4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

    5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

    1. Re:Old News by Sensible+Clod · · Score: 5, Informative

      There used to be a Firefox extension for Local Shared Objects, called Objection, and I used it back then, but it's not compatible with Firefox 3.

      --

      The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
    2. Re:Old News by Anonymous Coward · · Score: 5, Informative

      1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

      2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

      3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

      4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that Youtube video, Local Shared Objects have been shown to be a valuable feature.

      5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

      A bit more information...

      1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.

      2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.

      3 - This is true. You can delete sharedobjects as long as you have a movie clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.

      4 - Sure they are useful, but they can be and are misused. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.

      5 - Indeed.
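As an added illustration (not code from this thread or from Adobe), here is a small parser for the .sol files found under #SharedObjects, so you can see exactly what a site persisted rather than just deleting the directory blind. The header layout and AMF0 scalar encoding are as I know the format; the sample file is constructed inline and is not taken from any real site.

```python
import struct

SOL_MAGIC = b"\x00\xbf"                      # fixed .sol file header bytes
SOL_SIG = b"TCSO\x00\x04\x00\x00\x00\x00"

def _amf0_value(buf, pos):
    # Decode one AMF0 scalar at buf[pos]; returns (value, position after it).
    marker, pos = buf[pos], pos + 1
    if marker == 0x00:                       # number: big-endian IEEE-754 double
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if marker == 0x01:                       # boolean: one byte
        return buf[pos] != 0, pos + 1
    if marker == 0x02:                       # string: u16 length + UTF-8
        n = struct.unpack(">H", buf[pos:pos + 2])[0]
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if marker in (0x05, 0x06):               # null / undefined
        return None, pos
    raise ValueError("unsupported AMF0 marker 0x%02x" % marker)

def parse_sol(data):
    # Return (shared-object name, {key: value}) for an AMF0-encoded .sol blob.
    if data[:2] != SOL_MAGIC or data[6:16] != SOL_SIG:
        raise ValueError("not a Flash .sol file")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size")
    name_len = struct.unpack(">H", data[16:18])[0]
    name = data[18:18 + name_len].decode("utf-8")
    pos = 18 + name_len
    version = struct.unpack(">I", data[pos:pos + 4])[0]
    if version != 0:
        raise ValueError("only AMF0 bodies handled here (got AMF%d)" % version)
    pos, entries = pos + 4, {}
    while pos < len(data):
        klen = struct.unpack(">H", data[pos:pos + 2])[0]
        key = data[pos + 2:pos + 2 + klen].decode("utf-8")
        entries[key], pos = _amf0_value(data, pos + 2 + klen)
        pos += 1                             # every pair ends with a 0x00 byte
    return name, entries

def build_sol(name, entries):
    # Encode str/number/bool values as a .sol blob; used to construct the sample below.
    body = b""
    for key, value in entries.items():
        kb = key.encode("utf-8")
        body += struct.pack(">H", len(kb)) + kb
        if isinstance(value, bool):
            body += b"\x01" + (b"\x01" if value else b"\x00")
        elif isinstance(value, (int, float)):
            body += b"\x00" + struct.pack(">d", float(value))
        else:
            vb = str(value).encode("utf-8")
            body += b"\x02" + struct.pack(">H", len(vb)) + vb
        body += b"\x00"
    nb = name.encode("utf-8")
    rest = SOL_SIG + struct.pack(">H", len(nb)) + nb + b"\x00\x00\x00\x00" + body
    return SOL_MAGIC + struct.pack(">I", len(rest)) + rest

# Constructed sample (no real site): a persistent visitor id plus a counter, i.e. a cookie in LSO form.
SAMPLE_SOL = build_sol("visitor", {"uid": "a1b2c3", "visits": 7, "optout": False})
```

Point it at a real file with `parse_sol(open(path, "rb").read())`; an unknown AMF0 marker or an AMF3 body raises rather than guessing, which is the honest outcome for an audit tool.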

    3. Re:Old News by anasciiman · · Score: 5, Informative

      I use Oblivion with Firefox 3.0.3 and it works fine.

      --
      Think of me when you shave your legs...
    4. Re:Old News by 0232793 · · Score: 4, Informative

      I can't find this on Google, but I did find an experimental add-on BetterPrivacy https://addons.mozilla.org/en-US/firefox/addon/6623 that "protects from LSO Flash Objects"

    5. Re:Old News by ScreamingCactus · · Score: 5, Informative

      There is a FF extension called Distrust, which deletes your "Flash Cookies" on exit ... I assume they're talking about the same thing here. It works with 3.

      --
      The path to enlightenment is truly through homemade drugs!
    6. Re:Old News by TubeSteak · · Score: 3, Interesting

      4 - Sure they are useful, but they can be and are misused. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.

      One of the things I discovered a long time ago is that emptying a #SharedObjects subdirectory and setting it to read-only does not work.

      Now I just go through every once in a while and clear out the whole thing.

      --
      [Fuck Beta]
      o0t!
    7. Re:Old News by Rocky+Mudbutt · · Score: 3, Informative

      cd "\Documents and Settings\Application Data\Macromedia\Flash Player\"
      rmdir "#SharedObjects"
      ln -s nul "#SharedObjects"

      Oh you are running windows!? Works for me in cygwin bash.

      --
      Ethics II Axiom 2. "Man thinks." B. Spinoza
    8. Re:Old News by NickFortune · · Score: 3, Insightful

      My question has always been, are cookies even really that bad?

      That depends on the level of privacy to which you aspire, online. As far as I'm concerned, my business is my business. Of course, if you're happy living your online existence in a goldfish bowl, that's different.

      And who actually has time to poll through all that user data?

      Data mining programs do. Then people get to see whatever the programs flag up.

      So, let's just say that someone is using a shared object to store browsing history. So what? Unless my church saw that after I went to their website I visited some girl-on-girl site (or vice versa), I really don't care.

      Well, all that data goes into databases, and the data gets leaked and sold and demanded by the government, and burned to CD-Rom which then gets lost... and on the way ends up being amalgamated with other databases. It's already possible to build uncomfortably detailed profiles of people using only Google. That's without mining someone's clickstream over a year or so.

      Maybe you don't care who's looking over your metaphorical shoulder as you surf; I accept that many people do not. Nevertheless, for what I suspect are the majority of surfers, there's a definite issue here.

      --
      Don't let THEM immanentize the Eschaton!
  2. Flash cookies by MyLongNickName · · Score: 5, Funny

    I flashed my cookies once and did a weekend in the slammer.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Flash cookies by MyLongNickName · · Score: 3, Funny

      Talk about a privacy threat!

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  3. Don't allow sites to store stuff on your machine. by apathy+maybe · · Score: 5, Interesting

    I don't allow any site to store any information on my machine, except when it is beneficial to me. That means, Slashdot can store cookies (session only), RevLeft can store cookies for ever, and various email places can store session only cookies.

    However, every other site is blocked by default (Firefox plugin called CookieSafe). With Flash, yes I'm using Macromedia's shit plugin, but even then the default (and I'm not going to change it) is to not allow any site to save any information.

    Of course, I also use NoScript and AdBlock... Yada yada.

    I'm on the web for my benefit, not for the benefit of advertisers and other scum.

    I've also heard about a trick to delete the folder where the Macromedia plugin stores the stuff and replace it with a read only blank file of the same name. Look into that if you don't trust Adobe as far as you can kick them...

    --
    I wank in the shower.
  4. Somewhat Misleading by Aeonite · · Score: 5, Informative

    "Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."

    Except there's a button to delete them all at once.

  5. Re:Don't allow sites to store stuff on your machin by apathy+maybe · · Score: 3, Interesting

    And a quick follow up to that post. What happens if I hit a site that requires cookies (for no apparent reason)? I leave. The most common website is lyrics websites, and considering the number of them there are, I don't care if I miss out on one more.

    The same with JavaScript, there are only a few websites that I've enabled JS by default (Slashdot is one). But for all the rest, unless they have an obvious use for it (and can't provide alternative content), I leave if it's required.

    Screw them. I've got better things to do with my time than fuck around with websites that can't degrade gracefully.

    --
    I wank in the shower.
  6. Re:Welcome by AKAImBatman · · Score: 5, Funny

    If you think I'm new here, you must be new here... ;-)

  7. And this ... by gstoddart · · Score: 4, Insightful

    This is why I don't install flash on my machines.

    Way too much junk and irritating sites. A site which requires flash will be left and promptly forgotten about. If you can't provide an interface to your site without Flash, I don't care what your site has in it.

    Cheers

    --
    Lost at C:>. Found at C.
    1. Re:And this ... by Danny+Rathjens · · Score: 4, Insightful

      Imagine if people said the same thing about windows and gave up on linux. We can do much better than proprietary junk like flash.

    2. Re:And this ... by elrous0 · · Score: 5, Funny

      And I'm even better than you because I use an Apple computer, don't even own a TV, and only listen to indie music. You should smell my flowery farts!

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    3. Re:And this ... by Hatta · · Score: 5, Insightful

      Why should we all accept a technology that is almost always used inappropriately? It's not being a luddite to expect people to use the right tool for the job. Flash is a technology that's good for vector animations. Stuff like homestar runner benefit from using flash, and nobody is going to complain that such a site uses flash.

      But what about all the websites that use flash based navigation? Does flash do anything that they can't do with html/javascript? No. Then what's the point? It's not progress if it doesn't enable you to do anything new. It's just dumb.

      And then there's sites like YouTube which use flash to serve up videos. I mean, come on. Embedding a video file in a flash application makes about as much sense as embedding an image in flash. The right thing to do is to send the video over http, and let the browser decide what to do with it. Just like we do with .jpg, .pdf, .mp3, and everything else on the internet.

      So don't give me this bullshit about flash haters being anti-progress, because there's really very little that flash actually does that anyone actually needs. It's almost always the wrong tool for the job.

      p.s. pine still works great, what's your problem with it?

      --
      Give me Classic Slashdot or give me death!
  8. Can you not just delete the files directly? by BabyDave · · Score: 5, Informative

    On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?

  9. disable completely with a batchfile by Anonymous Coward · · Score: 3, Informative
  10. Re:Quick fix? by elashish14 · · Score: 4, Informative

    Er, a semicolon is helpful too: rm -r ~/.macromedia; ln -s /dev/null ~/.macromedia

    --
    I have left slashdot and am now on Soylent News. FUCK YOU DICE.
  11. Easily fixed from the same site linked in TFA by Craptastic+Weasel · · Score: 5, Informative

    Go to This site

    1.) Go to Website Storage settings -> Delete all sites

    2.) Go to Global Storage settings -> allow 0 kb of storage

    3.) ????? 4.) Profit! (and/or continue going to porn sites...)

  12. Re:Welcome by Drooling+Iguana · · Score: 4, Funny

    In geological terms, we're all new here.

    --
    ... I'm addicted to placebos
  13. How are Cookies "Privacy Threats"? by Doc+Ruby · · Score: 4, Interesting

    I can understand if there's a bug that lets one site read or write another site's cookies. But how are properly functioning cookies any threat to privacy? They are indeed a threat to anonymity, only because they let a site ID a browser (or a Flash player or some other client) as "the same as that other time". But what private info other than that you are the same person (or maybe not, on a shared machine) is threatened? The remote site could just store on its server any info about your transactions. It could require that you login to verify that you're that same returning visitor. And even without cookies, a remote site could send any info it got from your transactions over to any other site without notifying you. Cookies have nothing to do with it.

    Of course, any info stored on my machine should have a usable UI to manage it. But an inconvenient one isn't really a "privacy threat". After all, what is the threat? What goes wrong when it's abused?

    --
    make install -not war

  14. Re:To remove flash cache on Linux by Khopesh · · Score: 3, Insightful

    srm and shred aren't assured security if you're on a journaled filesystem. More importantly, if the Flash application is rooting through your filesystem looking for deleted data, "secure deletion" should be applied to Flash itself, not just its cache. That would be outrageous.

    My point is that you're merely trying to delete cookies to prevent user tracking. Secure deletion on your physical disk is not needed unless you're looking at a very special kind of content. ... Using srm or shred here would be like running your newspaper through the shredder because you never know who might be looking for the smudge marks that indicate what you actually read.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  15. Re:Don't allow sites to store stuff on your machin by Anonymous Coward · · Score: 5, Funny

    Mod parent "OldManOnPorchWithShotgun"

  16. Re:Duh department by GuldKalle · · Score: 3, Informative

    Can you point to a source, please?
    Because the front page of FlashBlocks site says something different:

    Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content.

    (Emphasis taken from source)

    --
    What?
  17. Macromedia? by dangitman · · Score: 3, Interesting

    Shouldn't that be Adobe Flash now?

    --
    ... and then they built the supercollider.
  18. Re:And this ... *crap is technology agnostic* by mb1 · · Score: 4, Insightful

    ffs, there are plenty of irritating html sites as well...

    I'm over this repetitive anti-flash argument. (Honesty disclaimer, yes, I develop quite a bit in flash. No, not banner ads, and no, not fully-flash online banking applications either.)

    flash != junk
    people making junk with flash == junk

    (and you can replace 'flash' with plenty of other technologies as well - regexp not supplied.)

    If you don't install flash then that's fine and it's your choice, but you can't blame adobe or flash for webcrap. Blame the mofo's making the junk. Same applies for html+javascript badness - you don't blame the w3c and javascript interpreter writers... (or maybe you do, I don't know.)

    If you don't want advertising, adblock/whatever the sites hosting it. If you don't like sites that are full of rubbish made in flash, simply don't visit them again etc. If they're pushing what you don't want then why are you there? If they're pushing what you want in a format you don't like then consider letting them know.

    Sites that want to deliver rich media experiences, (increasingly) cross-platform interactive experiences, games, video, etc. will continue to use software like flash to deliver their products, messages and services until something better comes along. I don't know much about silverlight, but most articles I've read on slashdot don't exactly endorse it. Anyway, something better will come along and developers will be all over it, web standards or not unfortunately.

    And yes, sure, you can jump up and down and complain that your favourite cross-browser javascript api+libraries can deliver what flash can, but currently that's not true in some or even a lot of situations, depending on what you're building. I accept that this statement is pretty broad, everything looks like a hammer or a nail or whatever analogy you prefer...

    So, fitness for purpose. I'm sure most of us wish that more developers (ourselves included) used technologies appropriately, but not everyone has the same skills, audience, timeframes, etc. and certainly never the same morals.

    Webcrap will continue to be made, no doubt - but I guess my point is that crap is technology agnostic.

  19. Re:Duh department by WoodstockJeff · · Score: 5, Interesting

    With Flashblock loaded and active, watching the hidden Macromedia directories, visiting a page with Flash objects created objects in the Macromedia\Flash Player\#SharedObjects and Macromedia\Flash Player\macromedia.com\support\sys directories, without running any of the visible Flash objects.

    That would indicate to me that some part of Flash is being activated, despite the presence of Flashblock...

  20. Re:Welcome by RockDoctor · · Score: 4, Interesting

    In geological terms, "here" is new.

    (Being pedantic, because I really am a geologist, for most values of "here" and most reasonable meanings of "new". If I were writing on the other coast of Scotland, then my here might be up to half the age of the Earth, which is stretching "new" a bit, but for over 95% of the country and far over 99% of the population, the rocks below are a lot less than a quarter of the age of the planet, which is "new" enough for me.)

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"