Slashdot Mirror


Introducing the Invulnerable Evercookie

An anonymous reader writes "Using eight different techniques and locations, a 'security' guy has developed a cookie that is very, very hard to delete. If just one copy of the cookie remains, the other locations are rebuilt. My favorite storage location is in 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' — awesome."
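As an added illustration of the storage the summary describes (not code from the evercookie project or the demo site), the block below packs a constructed identifier into the RGB channels of a minimal one-row PNG, the way the described force-cached images carry it, and then shows the check a defender could run over files pulled from a browser cache: decode the pixels and flag any image whose bytes spell nothing but printable text. Function names, the sample identifier and the 8-byte threshold are assumptions of this example.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed sample identifier for the demo; nothing from the evercookie site.
SAMPLE_ID = "constructed-id-0042"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_rgb_png(pixels: bytes) -> bytes:
    """Wrap raw RGB bytes (3 per pixel) into a one-row, 8-bit, unfiltered PNG."""
    if len(pixels) % 3:
        raise ValueError("RGB data must be a multiple of 3 bytes")
    width = len(pixels) // 3
    # IHDR: width, height=1, bit depth 8, colour type 2 (RGB), no interlace
    ihdr = struct.pack(">IIBBBBB", width, 1, 8, 2, 0, 0, 0)
    scanline = b"\x00" + pixels  # leading 0 = filter type None for this row
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def encode_id_png(identifier: str) -> bytes:
    """Hide an ASCII identifier in pixel values, as the summary describes:
    three characters per pixel, zero-padded to a whole pixel."""
    raw = identifier.encode("ascii")
    return make_rgb_png(raw.ljust(-(-len(raw) // 3) * 3, b"\x00"))


def extract_rgb_bytes(png: bytes) -> bytes:
    """Walk the chunk list, inflate IDAT and strip the per-row filter byte.
    Handles only 8-bit RGB with filter type 0, which is all the demo emits."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width = 8, b"", 0
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, _height, depth, colour = struct.unpack(">IIBB", data[:10])
            if depth != 8 or colour != 2:
                raise ValueError("demo handles 8-bit RGB only")
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    decoded = zlib.decompress(idat)
    stride = 1 + width * 3
    rows = []
    for i in range(0, len(decoded), stride):
        if decoded[i] != 0:
            raise ValueError("demo handles filter type 0 only")
        rows.append(decoded[i + 1:i + stride])
    return b"".join(rows)


def cached_identifier(png: bytes) -> Optional[str]:
    """Defender-side heuristic: a cached image whose pixel bytes are nothing but
    printable ASCII (plus zero padding) is far more likely a stored identifier
    than a real picture. The 8-byte minimum is an assumed threshold."""
    payload = extract_rgb_bytes(png).rstrip(b"\x00")
    if len(payload) < 8 or not all(0x20 <= b < 0x7F for b in payload):
        return None
    return payload.decode("ascii")  # constructed-id-0042 for SAMPLE_ID
```

Running `cached_identifier` over every PNG in a cache directory would surface suspiciously text-valued images; a PNG of ordinary colour values returns None.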

50 of 332 comments

  1. Not hard to beat at first glance. by grub · · Score: 4, Informative

    evercookie is written in JavaScript and additionally uses a SWF (Flash) object for the Local Shared Objects and PHP for the server-side generation of cached PNGs.
    [...]
    If a user gets cookied on one browser and switches to another browser as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers.

    Well, the site's EXAMPLE failed on my box. That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.

    YMMV

    --
    Trolling is a art,
    1. Re:Not hard to beat at first glance. by Shrike82 · · Score: 4, Insightful

      That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown. YMMV

      I take your point, but most people use neither of these things and will be at the mercy of persistent tracking. Of course anyone who doesn't know what a cookie is probably won't be affected by this in any way (i.e. they're already being tracked through regular cookies). Especially since "Private Browsing" modes have been shown to retain information.

      --
      You can advertise in this sig from as little as £99.99 a month!
    2. Re:Not hard to beat at first glance. by Inda · · Score: 2, Informative

      Failed for me too.

      The text displayed, an error was generated, then "The page cannot be displayed".

      Internet Explorer cannot open the Internet site http://samy.pl/evercookie/. Operation aborted

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    3. Re:Not hard to beat at first glance. by rwa2 · · Score: 2, Informative

      ... soon to be followed by the evercookiemonster by the same "security" guy, right?

      http://farm1.static.flickr.com/119/299000164_4d7398dbf6.jpg?v=0

    4. Re:Not hard to beat at first glance. by BrentH · · Score: 2

      NoScript (and NotScript, which I use in Chromium these days) should have an option to temp-allow JS from the domain you're on automatically. I think it would get n00b-proof for non-techies to use it.

    5. Re:Not hard to beat at first glance. by JustABlitheringIdiot · · Score: 2

      Well, the site's EXAMPLE failed on my box. That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.

      So NoScript blocks this? It also says on the page that clearing the LSO will not matter, so I don't think that BetterPrivacy will help with this.

    6. Re:Not hard to beat at first glance. by Anonymous Coward · · Score: 2, Informative

      True enough. My brother uses FF and AdBlock+ but won't install NoScript. Flat out refuses to, saying he hates having to whitelist everything. I've tried explaining that over (reasonable) time the sites you visit are all categorized and you rarely need to add exceptions. Even newly visited sites are fine much of the time.

      Use PrefBar.

      Cost: One horizontal toolbar's worth of vertical space.

      Benefit: User-configurable single-click access to toggle checkboxes that control not only Javashit, Flash, and Java, but also automatic geolocation reporting, image loading (tired of seeing 10 copies of an almost-NSFW 300x480 .gif of bouncing boobs that some idiot used as a .sig when all you want to do is read about how his turbocharger install went?), colors (hate that web designer who put red text on a blue swirly background?), cookies, send-Referrer-ID, a dropdown to select a user-agent (lookin' at you ExpertSexChange, who hides the answer from everyone but the Google Crawler), and more.

    7. Re:Not hard to beat at first glance. by h00manist · · Score: 5, Insightful

      who doesn't know what a cookie is probably won't be affected by this in any way (i.e. they're already being tracked through regular cookies).

      There's all kinds of databases on people available. Search and you shall find.

      All data circulates easily and is simply very hard to stop. It is indeed like speech, it just happens, anyone can do it. Copyrighted data, personal data, credit data, secret data, whatever. Bottom line, gathering and selling various gray-black-market data is illegal, immoral, etc., and very doable and very interesting for companies and organizations of all types. Not unlike downloading movies is for many - illegal but easy and interesting data. It's the interests that are different.

      --
      Build your own energy sources from scratch. http://otherpower.com/
    8. Re:Not hard to beat at first glance. by Kvasio · · Score: 4, Informative

      Running a browser in Sandboxie would also do the trick.

    9. Re:Not hard to beat at first glance. by jridley · · Score: 2

      I also run NoScript + BetterPrivacy. Also CsFire, though it's difficult to leave that enabled, since so many sites (like PayPal) won't work with it enabled.

      If all that ever fails, I'll just start running PortableFirefox and restoring all the files from a read-only master image on every browser startup.

    10. Re:Not hard to beat at first glance. by mlts · · Score: 3, Informative

      Thanks for the reminder. Last time I looked into Sandboxie, it did not support 64 bit operating systems, which it does now. Using it is a lot easier on the CPU and more convenient than creating a VM with a Web browser in it and rolling it back when done for that session.

      With Unity mode on VMWare Workstation or the equivalent on Windows 7 and XP Mode, keeping a Web browser in a sandbox isn't that much work, especially if one is having to use a backlevel version of IE for some websites that force IE6, and even do JS/VBScript checks to check for a changed UserAgent field.

    11. Re:Not hard to beat at first glance. by js_sebastian · · Score: 2, Informative

      evercookie is written in JavaScript and additionally uses a SWF (Flash) object for the Local Shared Objects and PHP for the server-side generation of cached PNGs. [...] If a user gets cookied on one browser and switches to another browser as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers. Well, the site's EXAMPLE failed on my box. That's NoScript at work.

      Same here. But what if this script were used by a website for which you need or want to enable scripting?

      If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.

      Which helps, but doesn't solve the problem, since the cookie is also stored in a cached PNG's RGB values and in your browser history, and in a bunch of HTML5 related storage options that your browser may or may not support and BetterPrivacy may or may not have been updated to take care of.

    12. Re:Not hard to beat at first glance. by dc29A · · Score: 2, Informative

      Firefox 4 Beta 6 with AdBlock+ and changing %homepath%\Application Data\Macromedia from a folder to a system file stops this. You do have to set Firefox to clear all browsing data upon exit. I also tested flushing the browser data while the browser was open, and it works as well. The site can't keep 'evercookies' on my machine. However, changing the Macromedia folder from a folder to a file will break a few websites that use Flash heavily.

    13. Re:Not hard to beat at first glance. by dkleinsc · · Score: 4, Insightful

      The purpose of "Private Browsing" isn't to protect your privacy from websites while you surf, it's to protect your privacy from your SO when she comes home and sees your web history.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    14. Re:Not hard to beat at first glance. by wvmarle · · Score: 2, Informative

      Not having NoScript but FlashBlock, some interesting observations, which even indicate a bug in FF.

      The cookie stored in the history data is not updated. I haven't poked through my history but guess I have several stored there now, and evercookie only reads the first it finds. Hence that's the oldest one always. A bug in the storage algorithm.

      More seriously, it seems there is data leaking from Private Browsing to normal browsing mode, while Private Browsing shouldn't leave any traces of the session. When in Private Browsing the history storage fails (FF doesn't keep history so it should fail), the rest works fine.

      However when switching back from Private to normal mode (with the evercookie web site still open in a tab, reopening when switching to normal mode), the pngData mechanism still shows the last cookie ID from the Private browsing session! If private is as private as it should be, this should not be possible. I'm not in the mood to start poking deeper, not too familiar with JS anyway, I bet there are /.ers that can do that much better than me. This to me appears to be a bug in FF (version 3.6.10 for me).

    15. Re:Not hard to beat at first glance. by 0111+1110 · · Score: 2, Informative

      Actually it doesn't perfectly support 64 bit, but it will run and probably do a good enough job. You might also want to try Shadow Defender. It has fully supported 64 bit for a long time. It is paid software, but I think there are some free versions floating around if you have a parrot on your shoulder.

      --
      Quite an experience to live in fear, isn't it? That's what it is to be a slave.
    16. Re:Not hard to beat at first glance. by Entropy98 · · Score: 2, Interesting

      I uploaded the example code, you can try it out here.

      For me it stores data using only 2 methods in FF, though "Clear Recent History" fails to remove both.

      In IE8 the script fails to work for me:

      Message: Object doesn't support this property or method
      Line: 263
      Char: 3
      Code: 0
      URI: http://fiestafan.com/ec/evercookie.js

      Message: Object doesn't support this property or method
      Line: 263
      Char: 3
      Code: 0
      URI: http://fiestafan.com/ec/evercookie.js

      Message: Object doesn't support this property or method
      Line: 263
      Char: 3
      Code: 0
      URI: http://fiestafan.com/ec/evercookie.js

      Message: Object doesn't support this property or method
      Line: 263
      Char: 3
      Code: 0
      URI: http://fiestafan.com/ec/evercookie.js

  2. "That's the great thing about evercookie" by tomalpha · · Score: 3, Insightful
    From TFA:

    That's the great thing about evercookie

    I disagree. Strongly.

    I guess it's good that this is out in the open so we know about it, and hopefully the major browsers can all do something to help prevent it. But still: don't like, don't like at all.

    1. Re:"That's the great thing about evercookie" by Pharmboy · · Score: 4, Interesting

      You can't blame someone for a "method" when it is openly explaining how it is doing what it is doing, using the existing software. Yes, he is pushing it as a "feature", when it is in fact due to a flaw in the overall design of all browsers. It is much better for the information to be released like this than to find out a year after it is fully integrated into every piece of malware.

      Hacking at its finest.

      --
      Tequila: It's not just for breakfast anymore!
    2. Re:"That's the great thing about evercookie" by Moryath · · Score: 2, Informative

      No kidding. It was bad enough in the days when there were all sorts of cookies throwing illegal characters (wildcards, normally path-related characters, etc) in the filename to prevent deletion. Particularly when the "cookie" itself didn't actually have data, they just tried to stick every bit of info into the fucking filename.

      And of course there have been all the programs that hide "registration" data - or even, sometimes, "never work again" flags - somewhere deep in randomly-named registry keys as pure numeric values to be next-to-impossible to hunt down unless you know precisely what you're looking for. I remember one of these that had a bomb in it designed to fuck up the program if you changed your system clock more than a few hours (non-permanent license, paranoid schizophrenic fucktards at the company afraid that people would reset their clock to keep the program running...Hi SPSS!) Boy was my coworker surprised when she went overseas and tried to resync her laptop to local time.

      But just wait, pretty soon someone's going to take the Everlasting Gobstopper Cookie, add in a more malicious payload, and we're off to the races. There's no possible justification for this project.

    3. Re:"That's the great thing about evercookie" by Anonymous Coward · · Score: 5, Informative

      It's not his research either. This has already been observed in the wild and already reported by Ars Technica.

      http://arstechnica.com/tech-policy/news/2010/08/ad-firm-sued-for-allegedly-re-creating-deleted-cookies.ars

      The advertising company already got sued for it.

    4. Re:"That's the great thing about evercookie" by PhilHibbs · · Score: 4, Insightful

      There's no possible justification for this project.

      "To show everyone what the black hats and spammers are going to be doing", sounds good enough to me.

  3. Remember? by Pojut · · Score: 3, Interesting

    Remember a time back in the mid-to-late 90's when cookies had a super negative connotation to them? I find it interesting how integral they've become to experiencing the Internet in a timely fashion...

    1. Re:Remember? by Haedrian · · Score: 4, Informative

      Well, HTML is unable to save session information. So you need cookies for that. There is no other reliable and non-user-unfriendly alternative.

      When you 'log in', you are given a cookie, which the page reads and uses to identify you. That's one of the more common 'useful' uses for cookies.

      Cookies can also store small amounts of data in them (ever been to a website which tells you "Pick Language" and then lets you "[ ] Always remember this choice"? That's also a cookie).

      And last but not least, they're good at identifying you so that other adverts (on other sites) note the cookie and are able to link your presence on Site A to the one on Site B, then data-mine.

    2. Re:Remember? by cgenman · · Score: 3, Insightful

      Hidden form values have the annoying tendency of breaking the back button. That, in my mind, is a far greater sin than cookies.

  4. And now... by Haedrian · · Score: 4, Insightful

    Whenever someone goes through all the trouble of adding additional ways of tracking people - someone goes through all the trouble of finding ways of removing it.

    There's no such thing as Invulnerable - See also: DRM and Copy-Protection

    1. Re:And now... by cheater512 · · Score: 2, Insightful

      No, but the people who do the tracking don't care about you.
      They want everyone else who doesn't try to evade tracking, which is a lot more people.

  5. Re:The PNG thing isn't that unexpected by The+MAZZTer · · Score: 3, Interesting
  6. Developers take note by Monoman · · Score: 5, Insightful

    If you have to go to great lengths to work around customers doing things like deleting cookies then you are doing something wrong or evil.

    --
    Keep the Classic Slashdot.
    1. Re:Developers take note by Sarten-X · · Score: 2, Insightful

      ...or you're doing something that users expect to "just work". My grandmother had a perfectly fine time using GMail, until my uncle heard that cookies should be deleted for privacy. I got a phone call after that where I had to figure out why "email isn't working".

      I can see valid uses for this, and I can see malicious uses. I suppose it's good that something's out there making us developers think about these techniques.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:Developers take note by Anonymous Coward · · Score: 2, Insightful

      That's not a problem with cookies being easy to delete, that's a problem with the user not understanding what they're deleting. In the same way that making it impossible to delete Word documents is a bad idea, making it impossible to delete cookies serves no beneficial purpose to the user.

  7. Browser on a VM then? by Natales · · Score: 4, Interesting

    This leaves me no option but running my browsing session in an undoable-mode VM, where after a reboot, all comes back to the previous state. Will this be the only way to maintain my privacy going forward?

    1. Re:Browser on a VM then? by NevarMore · · Score: 4, Insightful

      No. You could also stop using the Internet.

  8. Privacy for 99% of people doesn't exist by h00manist · · Score: 2, Interesting

    Perhaps on paper there are privacy rights, but to a large extent only on paper. Some privacy (and security) exists for those who can pay for it, or know how to implement it.
    - Hard question - if actual privacy is only for a few, who largely use it as cover to secretly abuse the rights of the other 99%, are we defending privacy rights just for them? Put simply, transparency in government and management, accountability, public participation, are not very compatible with secrecy.

    --
    Build your own energy sources from scratch. http://otherpower.com/
  9. Re:nietzsche quote applies: by smallfries · · Score: 2, Interesting

    Why would you need to? Cached images don't get uploaded during normal page rendering. You need some sort of client-side scripting to look at the cached image. So disabling flash and javascript would be enough to turn this into a normal cookie, and disabling cookies as well would defeat it completely.

    My browser was set up that way already, but that's just the way I roll...

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  10. Not Really by Greyfox · · Score: 3, Insightful
    It might just drive more users to noscript and flashblock. I have to explicitly trust a site before I allow it to do those things, and if I happen to run across a site that requires them during casual browsing, I do not allow them access to those capabilities. If you're the sort to look over your shoulder that much, being able to browse the web with some level of comfort should more than offset any degradation of the web experience.

    Advertisers and site operators might complain that this behavior costs them revenue, but they should have thought about that before going all Big Brother on us. If you're going to try to trick me into clicking an ad on your site, I don't want anything to do with your site anyway. And I do occasionally click through ads on Slashdot and Google.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:Not Really by Chatterton · · Score: 2, Insightful

      It will not drive more users to noscript and flashblock, because then websites will not 'just work' anymore and it will be a pain for them to whitelist every script, not knowing what it does, for every website one by one...

  11. Re:virus by frizzantik · · Score: 2, Interesting

    It's written by the guy who wrote the MySpace virus, so it's not really surprising.

  12. At least Linux users can... by WarmBoota · · Score: 5, Informative
    --
    90% of everything is crap. Also, crap is relative.
  13. Re:Do these people have no concept of web design? by SQLGuru · · Score: 2, Informative

    Programmers don't always equate to good designers. And good designers probably aren't good programmers. (Exceptions exist, but true for the most part).

    Otherwise, we wouldn't have terms like "programmer art".

  14. Re:The PNG thing isn't that unexpected by kill-1 · · Score: 2, Informative

    That's something different.

  15. Wonka by Anne_Nonymous · · Score: 3, Funny

    The Invulnerable Evercookie sounds like something dangerous from Willy Wonka's factory.

  16. Samy is my hero by thijsh · · Score: 2

    a 'security' guy

    You know this guy is Samy Kamkar, the hacker who also unleashed the first-ever XSS worm on the world that infected a million MySpace profiles in a matter of hours...

    Tomorrow I happen to attend a meeting of OWASP where Samy will speak about the latest XSS exploits, other JavaScript tricks, and other things (like a nice new method of NAT penetration)... I could say the title 'security guy' is earned by him for finding some great hacks and sharing them with the world, and even taking time to talk about it in person to the open source community.

    but most of all, Samy is my hero

  17. Doesn't work as advertised by synackpshfin · · Score: 2, Informative

    With Firefox 3.6.10 on Win 7:
    - visited evercookie page
    - Tools -> Clear Recent History
    - close browser
    - run CCleaner
    - visited evercookie page again and got a new cookie ID

    I'd say it is not as persistent as it says...

  18. Cookie? by kurokame · · Score: 4, Insightful

    Let's see. A remote website infects your computer with code which does things on your system without your consent and resists your attempts to delete it through the use of hidden copies. I think we have a word for this already. Starts with a V.

    1. Re:Cookie? by Haedrian · · Score: 4, Funny

      Vista?

  19. Re:nietzsche quote applies: by MozeeToby · · Score: 5, Interesting

    Rather than disabling and trying to defeat all these tracking mechanisms I think it would be easier to flood them with false information. Someone should set up a cookie sharing site and FF extension that trades (safe, non-identifying) cookies amongst all the users of that extension. Why yes, I did visit mylittlepony.com directly between visits to journalofparticlephysics.edu and horsesluts9.com, why do you ask?

  20. Re:force-cached PNG's by StuartHankins · · Score: 2, Informative
    What? On Firefox 4.0b6:
    • Click the "Privacy" tab.
    • Choose "use custom settings for history".
    • Check the box that says "clear history when Firefox closes". Optionally choose only certain items to be cleared.
  21. Need a BetterPrivacy for HTML5 storage by GameboyRMH · · Score: 2, Interesting

    Marketing scumbags are already exploiting the lack of privacy controls on HTML5 storage (window.localStorage for one) in the wild, and once scripts are running no plugin will take care of that. As browsers continue to be swiss cheese where privacy is concerned, a BetterPrivacy-like plugin to clear these storage locations will be needed.

    Seriously, AFAIK NO browser even handles Flash cookies AT ALL by default, and those have been a problem for years. When are Microsoft/Apple/Google/Mozilla/Opera going to fix this instead of adding eye candy and having benchmark wars? Securing a browser these days is like making a cheese grater float. Average Joes are being left totally defenseless. Handling flash cookies, cache, and HTML5 storage like regular cookies is the minimum fix that all browsers should adopt RIGHT NOW.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  22. Demo didn't work for me by lullabud · · Score: 2, Interesting

    Am I the only one doing the demo on the page and having it fail completely? I just tried it in Firefox and Camino on OS X and neither worked.