Slashdot Mirror


Introducing the Invulnerable Evercookie

An anonymous reader writes "Using eight different techniques and locations, a 'security' guy has developed a cookie that is very, very hard to delete. If just one copy of the cookie remains, the other locations are rebuilt. My favorite storage location is in 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' — awesome."

17 of 332 comments

  1. Not hard to beat at first glance. by grub · · Score: 4, Informative


    evercookie is written in JavaScript and additionally uses a SWF (Flash) object for the Local Shared Objects and PHP for the server-side generation of cached PNGs.
    [...]
    If a user gets cookied on one browser and switches to another browser as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers.


    Well, the site's EXAMPLE failed on my box. That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.

    YMMV

    --
    Trolling is a art,
    1. Re:Not hard to beat at first glance. by Shrike82 · · Score: 4, Insightful

      That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown. YMMV

      I take your point, but most people use neither of these things and will be at the mercy of persistent tracking. Of course anyone who doesn't know what a cookie is probably won't be affected by this in any way (i.e. they're already being tracked through regular cookies). Especially since "Private Browsing" modes have been shown to retain information.

      --
      You can advertise in this sig from as little as £99.99 a month!
    2. Re:Not hard to beat at first glance. by h00manist · · Score: 5, Insightful

      who doesn't know what a cookie is probably won't be affected by this in any way (i.e. they're already being tracked through regular cookies).

      There's all kinds of databases on people available. Search and you shall find.

      All data circulates easily and is simply very hard to stop. It is indeed like speech, it just happens, anyone can do it. Copyrighted data, personal data, credit data, secret data, whatever. Bottom line, gathering and selling various gray-black-market data is illegal immoral etc, and very doable and very interesting for companies and organizations of all types. Not unlike downloading movies is for many - illegal but easy and interesting data. It's the interests that are different.

      --
      Build your own energy sources from scratch. http://otherpower.com/
    3. Re:Not hard to beat at first glance. by Kvasio · · Score: 4, Informative

      running browser in Sandboxie would also do the trick

    4. Re:Not hard to beat at first glance. by dkleinsc · · Score: 4, Insightful

      The purpose of "Private Browsing" isn't to protect your privacy from websites while you surf, it's to protect your privacy from your SO when she comes home and sees your web history.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
  2. And now... by Haedrian · · Score: 4, Insightful

    Whenever someone goes through all the trouble of adding additional ways of tracking people - someone goes through all the trouble of finding ways of removing it.

    There's no such thing as Invulnerable - See also: DRM and Copy-Protection

  3. Re:Remember? by Haedrian · · Score: 4, Informative

    Well, html is unable to save session information. So you need cookies for that. There is no other reliable and non-user-unfriendly alternative.

    When you 'log in', you are given a cookie, which the page reads and uses to identify you. That's one of the more common 'useful' uses for cookies.

    Cookies can also store small amounts of data in them (ever been to a website which tells you "Pick Language" and then lets you "[ ] Always remember this choice"? That's also a cookie).

    And last but not least, they're good at identifying you so that other adverts (on other sites) note the cookie and are able to link your presence on Site A to the one on Site B then data-mine

  4. Developers take note by Monoman · · Score: 5, Insightful

    If you have to go to great lengths to work around customers doing things like deleting cookies then you are doing something wrong or evil.

    --
    Keep the Classic Slashdot.
  5. Re:"That's the great thing about evercookie" by Pharmboy · · Score: 4, Interesting

    You can't blame someone for a "method" when it is openly explaining how it is doing what it is doing, using the existing software. Yes, he is pushing it as a "feature", when it is in fact due to a flaw in the overall design of all browsers. It is much better for the information to be released like this than to find out a year after it is fully integrated into every piece of malware.

    Hacking at its finest.

    --
    Tequila: It's not just for breakfast anymore!
  6. Browser on a VM then? by Natales · · Score: 4, Interesting

    This leaves me no option but running my browsing session in an undoable-mode VM, where after a reboot, all comes back to the previous state. Will this be the only way to maintain my privacy going forward?

    1. Re:Browser on a VM then? by NevarMore · · Score: 4, Insightful

      No. You could also stop using the Internet.

  7. Re:"That's the great thing about evercookie" by Anonymous Coward · · Score: 5, Informative

    It's not his research either. This has already been observed in the wild and already reported by Ars Technica.

    http://arstechnica.com/tech-policy/news/2010/08/ad-firm-sued-for-allegedly-re-creating-deleted-cookies.ars

    The advertisement company already got sued for it.

  8. Re:"That's the great thing about evercookie" by PhilHibbs · · Score: 4, Insightful

    There's no possible justification for this project.

    "To show everyone what the black hats and spammers are going to be doing", sounds good enough to me.

  9. At least Linux users can... by WarmBoota · · Score: 5, Informative
    --
    90% of everything is crap. Also, crap is relative.
  10. Cookie? by kurokame · · Score: 4, Insightful

    Let's see. A remote website infects your computer with code which does things on your system without your consent and resists your attempts to delete it through the use of hidden copies. I think we have a word for this already. Starts with a V.

    1. Re:Cookie? by Haedrian · · Score: 4, Funny

      Vista?

  11. Re:nietzsche quote applies: by MozeeToby · · Score: 5, Interesting

    Rather than disabling and trying to defeat all these tracking mechanisms I think it would be easier to flood them with false information. Someone should set up a cookie sharing site and FF extension that trades (safe, non-identifying) cookies amongst all the users of that extension. Why yes, I did visit mylittlepony.com directly between visits to journalofparticlephysics.edu and horsesluts9.com, why do you ask?