Slashdot Mirror


Flash Cookies, a Little-Known Privacy Threat

Wiini recommends a blog posting exploring Flash cookies, a little-known threat to privacy, and how you can get control of them. 98% of browsers have Macromedia Flash Player installed, and the cookies it enables have some interesting properties. They have no expiration date; they store 100 KB of data by default, with an unlimited maximum; they can't be deleted by your browser; and they send previous visit information and history, by default, without your permission. I was amazed at some of the sites, not visited in a year or more, that still had Flash cookies on my machine. Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation.


  1. Old News by AKAImBatman · · Score: 5, Informative

    1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

    2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

    3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

    4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that YouTube video, Local Shared Objects have been shown to be a valuable feature.

    5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

    1. Re:Old News by Sensible+Clod · · Score: 5, Informative

      There used to be a Firefox extension for Local Shared Objects, called Objection, and I used it back then, but it's not compatible with Firefox 3.

      --

      The difference between spam and poop is that you don't have to dig through septic tanks looking for real food. -- Me
    2. Re:Old News by Anonymous Coward · · Score: 5, Informative

      1. Flash supports local shared objects, not "cookies". Cookies are submitted back to the server. Shared Objects are bits of storage available to movies from a particular domain. They must explicitly submit the information back to cause an information leak.

      2. Using shared objects to save browsing history is dumb. If you wanted to do evil Flash tracking, use a unique id that you can look up on the server side.

      3. You can delete and/or restrict the contents from inside a Flash movie. Use the right-click menu in Flash to access settings and set the storage level to 0 bytes. That will wipe everything out. It will also force Flash to prompt you every time it wishes to save something to disk.

      4. This was added in Flash 6, which was released back in 2002. Since then, it has been used by a variety of Flash applications. Many of which you probably use every day. From saving your progress in your favorite Flash game to remembering the volume settings in that YouTube video, Local Shared Objects have been shown to be a valuable feature.

      5. If you're worried about this, just wait until you guys see the Storage APIs in HTML5. You're going to freak.

      A bit more information...

      1 - Flash can store, by default, 100 kb of any datatype in the SharedObject class. They could easily emulate a browser cookie cache. This is effective because 99% of people don't even have a clue the cookies are there, and no adware-sniffing program I've seen yet even looks at sharedobject data. This is a VERY effective way of sneaking a cookie (and/or other data) into a permanent spot on a user's machine.

      2 - There is no point here: The sharedobject interface can easily store a cookie, and even if it didn't, it could probably safely store or backup more information based on the ignorance of the average user.

      3 - This is true. You can delete sharedobjects as long as you have a movie clip visible you can click on. However, many sites have hidden flash elements that cannot be seen or clicked on. These sites can set data.

      4 - Sure they are useful, but they can be and are misused. Best to be informed. Fortunately, you can find the storedobject data in "C:\Documents and Settings\\Application Data\Macromedia\Flash Player\#SharedObjects". Each site that stores data is found in a subdirectory bearing that site's name. You can pick and choose which sharedobjects to keep.

      5 - Indeed.

    3. Re:Old News by anasciiman · · Score: 5, Informative

      I use Oblivion with Firefox 3.0.3 and it works fine.

      --
      Think of me when you shave your legs...
    4. Re:Old News by ScreamingCactus · · Score: 5, Informative

      There is a FF extension called Distrust, which deletes your "Flash Cookies" on exit ... I assume they're talking about the same thing here. It works with 3.

      --
      The path to enlightenment is truly through homemade drugs!
  2. Flash cookies by MyLongNickName · · Score: 5, Funny

    I flashed my cookies once and did a weekend in the slammer.

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  3. Don't allow sites to store stuff on your machine. by apathy+maybe · · Score: 5, Interesting

    I don't allow any site to store any information on my machine, except when it is beneficial to me. That means, Slashdot can store cookies (session only), RevLeft can store cookies for ever, and various email places can store session only cookies.

    However, every other site is blocked by default (Firefox plugin called CookieSafe). With Flash, yes I'm using Macromedia's shit plugin, but even then the default (and I'm not going to change it) is to not allow any site to save any information.

    Of course, I also use NoScript and AdBlock... Yada yada.

    I'm on the web for my benefit, not for the benefit of advertisers and other scum.

    I've also heard about a trick to delete the folder where the Macromedia plugin stores the stuff and replace it with a read only blank file of the same name. Look into that if you don't trust Adobe as far as you can kick them...

    --
    I wank in the shower.
  4. Somewhat Misleading by Aeonite · · Score: 5, Informative

    "Here's the user-unfriendly GUI for deleting them, one at a time, each one requiring confirmation."

    Except there's a button to delete them all at once.

  5. Re:Welcome by AKAImBatman · · Score: 5, Funny

    If you think I'm new here, you must be new here... ;-)

  6. Can you not just delete the files directly? by BabyDave · · Score: 5, Informative

    On Windows, presumably the shared objects are the files stored in %USERPROFILE%\Application Data\Macromedia\Flash Player\#SharedObjects (usually c:\Documents And Settings\%USERNAME%\Application Data\... ) - can you not just delete the files directly?
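
The comments above place local shared objects as files under a `#SharedObjects` directory, grouped by site. The following is an added example, not code from the thread or from Adobe: a read-only inventory that groups `.sol` files by site and flags sites whose data is over a year old or larger than the 100 KB default. The function names, the `.example` hostnames and the rule used to pick the site directory are assumptions, and the sample tree is constructed.

```python
import os, tempfile, time
from collections import defaultdict
from pathlib import Path

DEFAULT_QUOTA = 100 * 1024      # per-site default size cited in the thread
STALE_AFTER = 365 * 24 * 3600   # "not visited in a year or more"

# Assumption: the site is the first directory component that looks like a
# hostname (contains a dot); otherwise the first directory below the root.
def site_of(parts):
    """Return the site name for a .sol path given as relative path parts."""
    dirs = parts[:-1] or ("(no site directory)",)
    return next((d for d in dirs if "." in d), dirs[0])

def inventory(root, now=None):
    """Summarise every .sol file under root, grouped by site directory."""
    root = Path(root)
    now = time.time() if now is None else now
    sites = defaultdict(lambda: {"files": 0, "bytes": 0, "newest": 0.0})
    for path in root.rglob("*.sol"):
        st = path.stat()
        e = sites[site_of(path.relative_to(root).parts)]
        e["files"] += 1
        e["bytes"] += st.st_size
        e["newest"] = max(e["newest"], st.st_mtime)
    return [{"site": s, "files": e["files"], "bytes": e["bytes"],
             "stale": now - e["newest"] > STALE_AFTER,
             "over_default": e["bytes"] > DEFAULT_QUOTA}
            for s, e in sorted(sites.items())]

def demo():
    """Run the inventory over a constructed tree (not real user data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        samples = {  # constructed: relative path -> (size in bytes, age in days)
            "games.example/progress.sol": (2048, 3),
            "tracker.example/ads/id.sol": (64, 400),
            "video.example/player/cache.sol": (150 * 1024, 10),
        }
        now = time.time()
        for rel, (size, age_days) in samples.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"\0" * size)
            os.utime(f, (now - age_days * 86400,) * 2)
        return inventory(root, now)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

To audit a real profile, pass the `#SharedObjects` path named in the comments to `inventory()`; the function only reads file metadata and deletes nothing.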

  7. Easily fixed from the same site linked in TFA by Craptastic+Weasel · · Score: 5, Informative

    Go to This site

    1.) Go to Website Storage settings -> Delete all sites

    2.) Go to Global Storage settings -> allow 0 kb of storage

    3.) ?????

    4.) Profit! (and/or continue going to porn sites...)

  8. Re:And this ... by elrous0 · · Score: 5, Funny

    And I'm even better than you because I use an Apple computer, don't even own a TV, and only listen to indie music. You should smell my flowery farts!

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  9. Re:Don't allow sites to store stuff on your machin by Anonymous Coward · · Score: 5, Funny

    Mod parent "OldManOnPorchWithShotgun"

  10. Re:And this ... by Hatta · · Score: 5, Insightful

    Why should we all accept a technology that is almost always used inappropriately? It's not being a luddite to expect people to use the right tool for the job. Flash is a technology that's good for vector animations. Stuff like Homestar Runner benefits from using flash, and nobody is going to complain that such a site uses flash.

    But what about all the websites that use flash based navigation? Does flash do anything that they can't do with html/javascript? No. Then what's the point? It's not progress if it doesn't enable you to do anything new. It's just dumb.

    And then there's sites like YouTube which use flash to serve up videos. I mean, come on. Embedding a video file in a flash application makes about as much sense as embedding an image in flash. The right thing to do is to send the video over http, and let the browser decide what to do with it. Just like we do with .jpg, .pdf, .mp3, and everything else on the internet.

    So don't give me this bullshit about flash haters being anti-progress, because there's really very little that flash actually does that anyone actually needs. It's almost always the wrong tool for the job.

    p.s. pine still works great, what's your problem with it?

    --
    Give me Classic Slashdot or give me death!
  11. Re:Duh department by WoodstockJeff · · Score: 5, Interesting

    With Flashblock loaded and active, watching the hidden Macromedia directories, visiting a page with Flash objects created objects in the Macromedia\Flash Player\#SharedObjects and Macromedia\Flash Player\macromedia.com\support\sys directories, without running any of the visible Flash objects.

    That would indicate to me that some part of Flash is being activated, despite the presence of Flashblock...