Introducing the Invulnerable Evercookie
An anonymous reader writes "Using eight different techniques and locations, a 'security' guy has developed a cookie that is very, very hard to delete. If just one copy of the cookie remains, the other locations are rebuilt. My favorite storage location is in 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' — awesome."
evercookie is written in JavaScript and additionally uses a SWF (Flash) object for the Local Shared Objects and PHP for the server-side generation of cached PNGs.
[...]
If a user gets cookied on one browser and switches to another browser as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers.
Well, the site's EXAMPLE failed on my box. That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.
YMMV
Trolling is a art,
That's the great thing about evercookie
I disagree. Strongly.
I guess it's good that this is out in the open so we know about it, and hopefully the major browsers can all do something to help prevent it. But still: don't like, don't like at all.
Remember a time back in the mid-to-earlylate 90's when cookies had a super negative connotation to them? I find it interesting how integral they've become to experiencing the Internet in a timely fashion...
Living With a Nerd
Whenever someone goes through all the trouble of adding additional ways of tracking people - someone goes through all the trouble of finding ways of removing it.
There's no such thing as Invulnerable - See also: DRM and Copy-Protection
State of the art technology, website from the early 90s. Brilliant.
This cookie that is very hard to delete reminds me of IE bundled with Windows XP that I also failed to remove from my system. Even after manually deleting the program, typing `iexplore` at the run prompt would fire off IE without a hitch. What is a man to do?
Now the history brute forcing is creative, and rather creepy as well. Browsers should close that hole.
vlad farted
Right Click -> Delete Sandbox. Done ! Next Cookie....
it was yummy! Has anybody tried an evercookie yet?
Doesn't work so well without javascript.
It is not a cookie, but a virus written in JavaScript. What is next?
If you have to go to great lengths to work around customers doing things like deleting cookies then you are doing something wrong or evil.
Keep the Classic Slashdot.
"when you look into the abyss, the abyss also looks into you"
cookies by steganography?
game over
i suppose you can browse without flash, javascript, cookies, AND images disabled. but that's not exactly a rockin' web experience
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This leaves me no option but running my browsing session in an undoable-mode VM, where after a reboot, all comes back to the previous state. Will this be the only way to maintain my privacy going forward?
Perhaps on paper there are privacy rights, but to a large extent only on paper. Some privacy (and security) exists for those who can pay for it, or know how to implement it.
- Hard question - if actual privacy is only for a few, who largely use it as cover to secretly abuse the rights of the other 99%, are we defending privacy rights just for them? Put simply, transparency in government and management, accountability, public participation, are not very compatible with secrecy.
Build your own energy sources from scratch. http://otherpower.com/
Will this affect users of Tor?
Visit a website through Tor.
Receive evercookie in Private Browsing Firefox.
Stop using Tor.
Tor user (now not anonymous) identified through evercookie
???
Profit
Do any of these techniques survive the browser's privacy scrubbing features?
Yes but a great many people have had all their web browsing habits for sale for a long time. The tracking works.
FFFFFUUUUUUUUU...
I just had a rage guy moment here. >:-(
Beware: In C++, your friends can see your privates!
RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out.
I call the patent on this!!!
Privacy International have passed this on to a lawyer in the US who specialises in these cases and also published an open letter to the European Commission today about it:
http://tinyurl.com/3ac8vhd
Rest assured, if this is discovered in the wild, legal action will be forthcoming.
So basically if you clear your cache, as well as your cookies/LSO's all should be well. At least at the end of the browser session.
Another YAYdiots to the Mozilla developers, for scrapping one of the best features in FF: clearing the History window on exit. So sad you now need an extra extension for what, as this story demonstrates again, should be an integral and visible part of any browser.
How about also adding CSS cookies as part of this cool evercookie thing? I am interested in looking into it. CSS has to have something there, some values to be stored as part of a style sheet, and then upon loading of the page check for CSS settings to get the values back. hhmmmmmmm.
You can't handle the truth.
The massive data black market has a little more information on you available. It's more expensive and harder to buy, but very available.
Advertisers and site operators might complain that this behavior costs them revenue, but they should have thought about that before going all Big Brother on us. If you're going to try to trick me into clicking an ad on your site, I don't want anything to do with your site anyway. And I do occasionally click through ads on Slashdot and Google.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Golly, that's one tough cookie
symlink the LSO folder to /dev/null
90% of everything is crap. Also, crap is relative.
My favorite storage location is in a DQ Blizzard.
But some sort of Dracula cookie that has minions to bring it back from the dead? I think we need Belmont cookie hunters now.
Die monster! You don't belong in this world!
The cookie monster is not going to be amused!
http://cookies.lcs.mit.edu/encyclopedia.html
every day http://en.wikipedia.org/wiki/Special:Random
Who else sees this leading to awesome exploits down the road? What is the best way to avoid the evercookie?
canvas is crippled flash with better PR.
As Obama is to Bush.
Is it trying to push a browser vulnerability!!!
The Invulnerable Evercookie sounds like something dangerous from Willy Wonka's factory.
a 'security' guy
You know this guy is Samy Kamkar, the hacker who also unleashed the first-ever XSS worm on the world that infected a million MySpace profiles in a matter of hours...
Tomorrow I happen to attend a meeting of OWASP where Samy will speak about the latest XSS exploits, other JavaScript tricks, and other things (like a nice new method of NAT penetration)... I could say the title 'security guy' is earned by him for finding some great hacks and sharing them with the world, and even taking time to talk about it in person to the open source community.
but most of all, Samy is my hero
With Firefox 3.6.10 on Win 7:
- visited evercookie page
- Tools -> Clear Recent History
- close browser
- run CCleaner
- visited evercookie page again and got new cookie ID
I'd say it is not as persistent as it says...
Looks like it's time to go back to Lynx http://en.wikipedia.org/wiki/Lynx_(web_browser). LOL!
I called it a mighty Sperm Whale, she called it Finding Nemo.
You are confusing a computer with a game console. Yes, it can be a cool extra feature to be able to play games on your PC, but it has absolutely nothing to do with real computing. If you are really so cheap that you will pay $200.00 for Windows, but not $300.00 for a dedicated gaming console, then you are very much in the minority. Now please, when people are intelligently discussing computers, don't keep trying to enter into a discussion with the adults, clamoring that an OS is superior because it lets you tie up a $1600.00 machine to play games rather than just buy an actual machine designed to play games for far less.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Let's see. A remote website infects your computer with code which does things on your system without your consent and resists your attempts to delete it through the use of hidden copies. I think we have a word for this already. Starts with a V.
ExpertSexChange also shows the results if you click from google. I think it tries to hide them by using a script to set things hidden, but I have NoScript. So if I get a link to a page, I put it in google, click from there to pick up the referrer, and with noscript I scroll down to the bottom past 3/4 of the page and everything's there.
I noticed recently that they changed their terms of use. You grant them an unlimited license to use your content, and also appoint them as a copyright enforcement agent. So every comment has a "this is copyrighted, pay us to be able to copy things" notice attached. And if that comment appears elsewhere they will attempt a takedown.
But what if you post GPL code? It's against the terms of use, since the user has to ensure they own the copyright to things they post, or it's free to use. What if you, who owns the copyright, post the same response on multiple sites? ExpertSexChange will, acting on your explicit agreement, ask the other site to take it down, despite it being your content posted by you.
Now, I know what they're doing, and they are probably only going to stop sites that bulk copy answers instead of one response. But as of right now, you can't re-post anything from MSDN, or snippets from wikipedia, or GPL code, or damn near anything else unless you compose it on the spot. I know what they're trying to do, but it's going to go downhill.
To thwart these kind of 'attacks'
...a Bad Trip in Paranoland. I have to check that copying over with a fresh install of Firefox Portable can bypass it. I'm also waiting for a Firefox add-on to counter it
You don't need to mark the client's browser. It's not secure and yet possible to protect against. The best solution is to use browser fingerprinting. Apparently, each browser is unique by itself. See the link below: http://panopticlick.eff.org/
I think it doesn't hide the answers, it just makes them show below a bunch of ads and stuff.
Most people don't think to scroll down below the "subscribe to see!" crap.
Anybody with any sanity lands on that site via Google anyway...
Marketing scumbags are already exploiting the lack of privacy controls on HTML5 storage (window.localStorage for one) in the wild, and once scripts are running no plugin will take care of that. As browsers continue to be swiss cheese where privacy is concerned, a BetterPrivacy-like plugin to clear these storage locations will be needed.
Seriously, AFAIK NO browser even handles Flash cookies AT ALL by default, and those have been a problem for years. When are Microsoft/Apple/Google/Mozilla/Opera going to fix this instead of adding eye candy and having benchmark wars? Securing a browser these days is like making a cheese grater float. Average Joes are being left totally defenseless. Handling flash cookies, cache, and HTML5 storage like regular cookies is the minimum fix that all browsers should adopt RIGHT NOW.
"When information is power, privacy is freedom" - Jah-Wren Ryel
The web is no longer just a static place. It houses many applications and applications often need to be state aware. Users wouldn't accept that on slashdot, each post requires their login credentials or their session key posted in a form or get request.
So the cookie is the tool to turn the web state aware. Sadly a really useful tool can also be used for other practices.
NOT that it is too hard to defend against this. BLOCK third-party cookies. If I am on Slashdot, why am I getting cookies from site X.X? Why am I accepting them? I don't need them for Slashdot to function (try it: block third-party cookies and see just how few sites cease to function).
First-party cookies, the cookies from the site you visit, have relatively little impact. CNN.com is NOT going to request them (can't even) and is hardly going to join in a scheme with Slashdot to share data. Block the third-party cookies by the ad agencies and you are golden.
Cookies, first-party cookies, are integral to web apps (stateful browsing) because that is what they are for and the alternatives (they exist) suck. In fact, with the initial dislike gone, I don't think most people bother anymore with the non-cookie capability of their site. Just like JavaScript and Flash, if you don't have it, you can just go somewhere else.
It is almost impossible to store session data in the browser and not have it somehow abused. I could even think of ways of doing it by giving you a specific JS file with a generic url request, then see if I get a cached version or a new one.
The only way to stop this is to block the abusers. But how many here use ad-blockers and such to make a stand? No, many in fact oppose them because we "rob" those poor invaders of our privacy of their ill-gotten gains. Until that mentality changes, ad agencies will continue to find ever more devious ways to track us.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Hopefully anyone or any company that uses this code will be hung, drawn and quartered, like all virus makers should be.
Evil is good right?
KILL HIM NOW! And send a message to any other A$$HOLE That might think along the same lines.
Marketers, Advertisers, and Spammers (Phone/E-Mail/Mail) must learn we Don't want or tolerate their crap!
Seriously why would he create this (other than to annoy people)
-- If you think the above is serious intent you do not belong on the internet and won't last long
If in Win7, does the startup time of the VM go down if I flip the V switch in the BIOS?
w/o it, the time to start a virtual XP session takes a while on a pretty quick system.
How much is your data worth? Back it up now.
The example doesn't work properly - it regenerates the cookie each time you load the page so I can't actually tell if the cookie is being persisted between browser sessions. I was curious to whether Chrome's incognito mode can defeat it...
'Nuf said.
Accept all cookies and change the permissions for your cookies file to read only. Done.
"Suppose you were an idiot..... And suppose you were a member of Congress... But I repeat myself."
of flagging sites to blacklist.
Seems to me that it's an attempt to bypass privacy requests by users. If I get rid of a cookie, that means that *I* do not want that cookie to exist. Period. End of case. And if some site goes to the extreme measure of using evercookie to ensure that their cookies are persistent even though the user has demonstrated that they don't want the cookie, well then that's a site that should be blacklisted.
It shouldn't be. But it is.
Try logging into GMail with cookies turned off. It won't work.
Also Google Images search doesn't work for me with cookies turned off.
Cue the David Spade "Hollywood Minute" voice:
"We've seen this before, when it was called a virus."
And re-boot often
Am I the only one doing the demo on the page and having it fail completely? I just tried it in Firefox and Camino on OS X and neither worked.
It's worth noting that Camino and Firefox both failed without any spiffy add-ons either.
Simple "delete private data" on latest Opera without any gimmicks got rid of all his cookies as well. What was this created for, IE6?
Bow before me, for I am root.
Between RefControl (to tell it I came from Google) and the following AdBlock Plus filters, I can pretty much pretend that ExpertSexChange’s stupid restrictions don’t exist on the rare occasion that I actually would go there.
experts-exchange.com##*.relatedSolutions
experts-exchange.com##*.squareSignUp
experts-exchange.com##div.qStats+a
experts-exchange.com#div(blurredAnswer)
experts-exchange.com#div(sectionFour)
experts-exchange.com#div(startFreeTrialEcho)
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
...one lash per supercookie instance per laptop or workstation per planet, on the bare ass of the perp.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
Why would you release such an abomination? Do we REALLY need more tools to track us? The ONLY good thing that can come of this is that browser developers see this, and finally realize that people don't want to be tracked, and do something serious to stop it.
One never knows when one might need a rotten tomato... - King's Quest IV: Heir Today, Gone Tomorrow
This is a pet project of mine actually. I'm trying to find the least obtrusive way to do it. RemoteApp and VMWare is where I'm looking this week.
Also, I'm using a ramdisk for temp files. Supercookie is not an issue with my setup. I figured I'm not using 8GB all the time, why not dedicate 1 to temp files. If I'm doing dev work, I run a batch file to point back to HDD and shut down the drive. MKLINK.exe, gotta love it.
From TFA TODO: adding support for: ...
- Using Java to produce a unique key based off of NIC info
Someone please tell me browsers (at least FF on Linux) don't support reading my MAC address.
I've posted on this before, but here's an update based on some info from that link, hopefully doing a better job of limiting the damage from blowing away actively used LSOs:
Put this in your crontab:
0 */4 * * * find .adobe .macromedia -type f -mtime +1 2>/dev/null |xargs rm -f
If you're on a laptop (test this first!), you can limit it to when you're plugged in:
0 */4 * * * acpitool -a 2>/dev/null |grep -q online && find .adobe .macromedia -type f -mtime +1 2>/dev/null |xargs rm -f
This uses short circuiting in sh. You need to verify with this command first:
acpitool -a 2>/dev/null |grep -q online && echo it works || echo it failed
If you're not using GNU grep but acpitool works fine, try using `grep online >/dev/null` instead.
Use my userscript to add story images to Slashdot. There's no going back.
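The stale-LSO cleanup scheduled in the comment above, written up as an added example (it is not the commenter's script and not part of evercookie). It assumes the same layout the comment uses, Flash's `.adobe` and `.macromedia` directories under a base directory (normally `$HOME`, which is where cron starts), and an assumed file path `$HOME/purge_lso.sh` in the suggested crontab line. It reports how many files it removed so the schedule can be checked on a test directory before it is trusted, and it avoids the `xargs` pipeline so file names containing spaces are handled safely.

```shell
#!/bin/sh
# Added example: purge Flash Local Shared Objects (.sol files and friends)
# older than DAYS days from BASE/.adobe and BASE/.macromedia.
# Assumptions: Flash keeps its data in those two directories under BASE
# (the comment above uses them relative to the cron working directory, $HOME).
#
# Suggested crontab line, with the file saved at the assumed path
# "$HOME/purge_lso.sh". The minute field is 0, so it runs at 00:00, 04:00, ...
# instead of every minute of those hours as "* */4 * * *" would:
#   0 */4 * * * . "$HOME/purge_lso.sh" && purge_stale_lso "$HOME" 1 >/dev/null

# list_stale_lso BASE DAYS
#   Dry run: print the path of every regular file under the two Flash
#   directories whose modification time is more than DAYS days old.
list_stale_lso() {
    base=$1
    days=$2
    for dir in "$base/.adobe" "$base/.macromedia"; do
        # Skip directories that do not exist (e.g. Flash never installed).
        [ -d "$dir" ] || continue
        find "$dir" -type f -mtime +"$days" 2>/dev/null
    done
    return 0
}

# purge_stale_lso BASE DAYS
#   Delete the files list_stale_lso would print and echo how many were removed.
#   Uses find -exec ... {} + (POSIX) rather than xargs, so odd file names are safe.
purge_stale_lso() {
    base=$1
    days=$2
    # Count before deleting so the caller gets an accurate number.
    n=$(list_stale_lso "$base" "$days" | wc -l | tr -d ' ')
    for dir in "$base/.adobe" "$base/.macromedia"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -mtime +"$days" -exec rm -f -- {} + 2>/dev/null
    done
    echo "$n"
    return 0
}
```

Run `list_stale_lso "$HOME" 1` first to see what would go; files touched within the last day (actively used LSOs, the case the comment is trying to protect) are left alone because of `-mtime +1`.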
Should be easy to modify cookiepecker.pl to make a hash of this. See http://www.pckswarms.ch/beomar99.html
Welcome our new flatulent overloards and would love to take thier teeny peeny in my pooshoot
Many, many sites require Javascript to work AT ALL. You can argue that they should degrade gracefully so that they still work without JS, and you'd be right. But the fact is: they don't. So as a user, I'm now left with the choice of an almost completely broken (but secure) web, or a web that mostly works but can zap me with "evercookies". In practice, I end up using NoScript to block all 3rd party scripts, but I mostly allow scripts from the sites I visit frequently. Which means that, say, Slashdot could hit me with an evercookie as long as they hosted it on their own domain.
I have no need for that. If I want to stay logged in why would I close the browser?
When you update some components of your operating system, the update doesn't finish until you close the browser and restart the computer.
You fail it.
Is there an OS X (via fink or WINE, maybe) alternative? What about Linux?
I'm sure you were smart enough NOT to visit Samy Kamkar's site to see just who the heck this guy is. But if you did, you got 8 cookies for free. Never ending, ever sending cookies. Quoth the raven evermore.
Firefox addon, called GoogleSharing hides google search-terms from Google
http://googlesharing.net/download.html
Some more privacy tests and solutions
http://web.comhem.se/u79/Privacy.php