Slashdot Mirror


Introducing the Invulnerable Evercookie

An anonymous reader writes "Using eight different techniques and locations, a 'security' guy has developed a cookie that is very, very hard to delete. If just one copy of the cookie remains, the other locations are rebuilt. My favorite storage location is in 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' — awesome."

5 of 332 comments

  1. Not hard to beat at first glance. by grub · · Score: 4, Informative


    evercookie is written in JavaScript and additionally uses a SWF (Flash) object for the Local Shared Objects and PHP for the server-side generation of cached PNGs.
    [...]
    If a user gets cookied on one browser and switches to another browser as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers.


    Well, the site's EXAMPLE failed on my box. That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.

    YMMV

    --
    Trolling is a art,
    1. Re:Not hard to beat at first glance. by Kvasio · · Score: 4, Informative

      Running the browser in Sandboxie would also do the trick.

  2. Re:Remember? by Haedrian · · Score: 4, Informative

    Well, HTML is unable to save session information. So you need cookies for that. There is no other reliable and non-user-unfriendly alternative.

    When you 'log in', you are given a cookie, which the page reads and uses to identify you. That's one of the more common 'useful' uses for cookies.

    Cookies can also store small amounts of data in them (ever been to a website which tells you "Pick Language" and then lets you "[ ] Always remember this choice"? That's also a cookie).

    And last but not least, they're good at identifying you so that other adverts (on other sites) note the cookie and are able to link your presence on Site A to the one on Site B then data-mine

  3. Re:"That's the great thing about evercookie" by Anonymous Coward · · Score: 5, Informative

    It's not his research either. This has already been observed in the wild and already reported by Ars Technica.

    http://arstechnica.com/tech-policy/news/2010/08/ad-firm-sued-for-allegedly-re-creating-deleted-cookies.ars

    The advertisement company already got sued for it.

  4. At least Linux users can... by WarmBoota · · Score: 5, Informative
    --
    90% of everything is crap. Also, crap is relative.