Introducing the Invulnerable Evercookie
An anonymous reader writes "Using eight different techniques and locations, a 'security' guy has developed a cookie that is very, very hard to delete. If just one copy of the cookie remains, the other locations are rebuilt. My favorite storage location is in 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' — awesome."
Remember a time back in the mid-to-earlylate 90's when cookies had a super negative connotation to them? I find it interesting how integral they've become to experiencing the Internet in a timely fashion...
Living With a Nerd
Firefox already has.
You can't blame someone for a "method" when it is openly explaining how it is doing what it is doing, using the existing software. Yes, he is pushing it as a "feature", when it is in fact due to a flaw in the overall design of all browsers. It is much better for the information to be released like this than to find out a year after it is fully integrated into every piece of malware.
Hacking at its finest.
Tequila: It's not just for breakfast anymore!
This leaves me no option but running my browsing session in an undoable-mode VM, where after a reboot, all comes back to the previous state. Will this be the only way to maintain my privacy going forward?
Perhaps on paper there are privacy rights, but to a large extent only on paper. Some privacy (and security) exists for those who can pay for it, or know how to implement it.
- Hard question - if actual privacy is only for a few, who largely use it as cover to secretly abuse the rights of the other 99%, are we defending privacy rights just for them? Put simply, transparency in government and management, accountability, public participation, are not very compatible with secrecy.
Build your own energy sources from scratch. http://otherpower.com/
Why would you need to? Cached images don't get uploaded during normal page rendering. You need some sort of client-side scripting to look at the cached image. So disabling flash and javascript would be enough to turn this into a normal cookie, and disabling cookies as well would defeat it completely.
My browser was set up that way already, but that's just the way I roll...
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
It's written by the guy who wrote the MySpace virus, so it's not really surprising.
Yup. Turns out these won't stick in my primary browser.
1. HTML cookies: Session only. Browser closes, cookies gone.
2. Flash cookies: No Flash. Where Flash is enabled, it can't store Flash cookies.
3. Cached PNGs: No persistent cache, RAM only. Browser closes, cached files gone.
4. Web history: No history.
5. HTML5 Session Storage / Local Storage / Global Storage / Database Storage via SQLite: Not available.
Rather than disabling and trying to defeat all these tracking mechanisms I think it would be easier to flood them with false information. Someone should set up a cookie sharing site and FF extension that trades (safe, non-identifying) cookies amongst all the users of that extension. Why yes, I did visit mylittlepony.com directly between visits to journalofparticlephysics.edu and horsesluts9.com, why do you ask?
Marketing scumbags are already exploiting the lack of privacy controls on HTML5 storage (window.localStorage for one) in the wild, and once scripts are running no plugin will take care of that. As browsers continue to be swiss cheese where privacy is concerned, a BetterPrivacy-like plugin to clear these storage locations will be needed.
Seriously, AFAIK NO browser even handles Flash cookies AT ALL by default, and those have been a problem for years. When are Microsoft/Apple/Google/Mozilla/Opera going to fix this instead of adding eye candy and having benchmark wars? Securing a browser these days is like making a cheese grater float. Average Joes are being left totally defenseless. Handling flash cookies, cache, and HTML5 storage like regular cookies is the minimum fix that all browsers should adopt RIGHT NOW.
"When information is power, privacy is freedom" - Jah-Wren Ryel
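An added example (not part of any comment above and not evercookie's own code): a defender-side check for the redundancy and "rebuild" behaviour the thread describes, run over snapshots of the storage locations a page can read. The store labels, function names and sample values are assumptions constructed here; in a browser the snapshot objects would be filled from `document.cookie`, `localStorage` and `sessionStorage`.

```javascript
// Added example; a snapshot is { storeName: { key: value } }.
// Store names are labels chosen for this sketch.

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const p = part.trim();
    const i = p.indexOf('=');
    if (i > 0) out[p.slice(0, i)] = p.slice(i + 1);
  }
  return out;
}

// Values stored identically in >= minStores different stores: the redundancy
// a respawning cookie depends on. Short values are skipped to cut noise.
function findReplicated(snapshot, minStores = 2, minLen = 6) {
  const where = new Map(); // value -> Set of store names holding it
  for (const [store, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      const v = String(value);
      if (v.length < minLen) continue;
      if (!where.has(v)) where.set(v, new Set());
      where.get(v).add(store);
    }
  }
  return [...where].filter(([, s]) => s.size >= minStores)
    .map(([value, s]) => ({ value, stores: [...s].sort() }));
}

// Cookie names that existed, vanished after the user cleared cookies, and
// came back with the same value on the next page load.
function findRespawned(before, afterClear, afterReload) {
  return Object.keys(before.cookie).filter(name =>
    !(name in afterClear.cookie) &&
    afterReload.cookie[name] === before.cookie[name]);
}

// Constructed sample snapshots (not captured from a real site).
const before = {
  cookie: parseCookies('uid=a81f3c9e77; theme=dark'),
  localStorage: { uid: 'a81f3c9e77', lastTab: 'inbox' },
  sessionStorage: { uid: 'a81f3c9e77' },
};
const afterClear = { ...before, cookie: {} };
const afterReload = { ...before, cookie: parseCookies('uid=a81f3c9e77') };

console.log(findReplicated(before));
console.log(findRespawned(before, afterClear, afterReload));
```

A value flagged by both functions is the pattern worth clearing from every listed store at once, since removing it from only one leaves a copy to rebuild from.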
Am I the only one doing the demo on the page and having it fail completely? I just tried it in Firefox and Camino on OS X and neither worked.
I uploaded the example code, you can try it out here
For me it stores data using only 2 methods in FF, though "Clear Recent History" fails to remove both.
In IE8 the script fails to work for me:
Message: Object doesn't support this property or method
Line: 263
Char: 3
Code: 0
URI: http://fiestafan.com/ec/evercookie.js