Un-killable 'Evercookie' Killed ... Sometimes
Trailrunner7 writes "The persistent method that security researcher Samy Kamkar introduced last week for storing tracking data on a user's machine, known as the 'Evercookie,' is even more worrisome when used on mobile devices, according to another researcher's analysis. The Evercookie is a simple method for forcing a user's machine to retain browser cookies by storing the data in a number of different locations. The method also has the ability to recreate deleted cookies if it finds that the user has removed them. Created by Kamkar as a demonstration of a way that sites could use to persistently track users even after they clear their browser cookies, the Evercookie has drawn the attention of a number of other researchers who have spent some time looking for methods to defeat it. A researcher in South Africa took a look at the way the Evercookie works on both Safari on the desktop and on mobile devices, and found that it can be undone in some circumstances. However, he also found that the mobile version of Safari fares far worse in its handling of the Evercookie than the standard version does."
For forum administrators, it is a very clever way to keep many ban evaders out. While it is not un-killable, it is pretty much a pain in the ass to get rid of, since it will get back if you miss a single one and visit the site again. Read the list of the places it stores its cookies, and be amazed how many there actually are. So, 1) ban user, 2) place cookie, 3) user signs up again, 4) your site detects the evercookie + new registration, 5) verify and ban again (unless the user suddenly becomes a good user, of course).
Dvorak on Doomtech
I wish I had an evercookie. A magical cookie that regrows every time you take a bite out of it sounds like an amazing idea.
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
Better solution. Do all your browsing from a virtual machine running in non-persistent mode.
That's not the solution. The whole point of the "evercookie" is that it doesn't just use regular HTTP cookies to store information, but also abuses all kinds of common browser features related to CSS, caching, embedded Flash objects and anything else that can be exploited to store state. If all he did was store a cookie only, then any browser worth its salt could easily purge it from the browser history.
So even if you just block cookies, that doesn't prevent this hack from working. You may need to block a whole range of features from JavaScript to HTTP caching to Flash support. It's certainly possible, but not something that an average user is prepared to do.
A combination of FlashBlock and perhaps RequestPolicy, combined with caching set to 0 and a block on the ever cookie creator domain results in no ever cookies being successfully set on FF 3.6.10 on RHEL 5.4 - I'd venture to guess it will be the same for other OS running FF at least.
If I don't block the domain cookie creation then just a standard cookie is created.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Now that the Cookie Monster has gone all health food we cannot rely on him to help us out here.
Monstar L
so? how does it work?
A researcher from AFRICA is looking into these cookies on SAFARI! That's a great joke.
It mentions mobile devices.. you could just use Skyfire and get flash without having to worry about flash evercookie issues since it's rendered remotely
Just run the browser inside a sandbox http://www.sandboxie.com/ and regularly delete the sandbox contents.
I admit I didn't RTFA but why are they talking about Safari? Are other browsers immune? Is any browser immune?
With Adblock plus, NoScript and BetterPrivacy Firefox addons I had to whitelist the domain before "Evercookie" would even work. And even then as soon as I revoked permissions for everything except NoScript the only bit that stuck was the cache image "cookie". Considering there are already addons to prevent normal cookies and flash cookies it would take all of a day, after this method for "eternal cookies" appeared in the wild, for an addon to be released that blocked it.
The only message from this and previous articles is "most people are stupid and don't follow basic steps to maintain their security and privacy".
========
CINC, 4th Penguin Legion
Workstation rebuild every couple of months. It's a great way to scrub out those nasty zero day trade viruses too.
For Windows PCs.
Install CCleaner. De-select the option to only remove files older than 24 hours. Flush all browser cache, temp files, and temp application items. Basically, select all except for the "Wipe Free Space" option. Reboot, run again to be sure.
Evercookie should be nuked from orbit.
Life is not for the lazy.
This is no different than hacking: you're placing something on a computer that doesn't belong to you.
That the owner of said computer doesn't want.
You should be able to file charges.
Any attorney general not all over this is a pile of human shiit.
Just boot up a VM, with the user's home account created in ramdisk upon bootup. The rest of the system is read-only (ala diskless linux).
The evercookie is cleared upon each bootup.
Don't accept cookies.
No, not a solution. RTFA. It doesn't matter whether you accept cookies or not. The only two methods of protection are (a) use Safari in private browsing mode, and quit and restart the browser between each and every site; or (b) block absolutely all javascript everywhere without any exception ever. Neither of these is really satisfactory.
Plus, these evercookies transfer from one browser to another because they get stored as LSOs.
Some of these comments are fun as hell. In a moving attempt to show manhood, the random slashdotter boldly states: "Heck not on my machine, y'all! I use a combination of rat poison, anthrax and a couple nukes every 3-4 days on the hard drive: the evercookie can't do anything to me"... Fun times.
While the "Evercookie" is a mildly clever way to track people who don't know how to set up their computers properly, it's far from permanent on a moderately well set-up system.
I just tested myself, in Google Chrome. I can clear the "Evercookie" from my system so it can't recognize me, without using any third-party software or extensions, and without even having to restart the browser or close any tabs except that which set the cookie. (Might not even have to close that, but couldn't be bothered trying.)
All that's required is to visit the Silverlight and Flash websites, disable local application storage, then go to Tools :: Clear Browsing Data in Chrome's menu.
Hey presto, the cookie is completely gone and can't be restored by the site. It really couldn't be a whole lot easier.
That is pretty nasty.
Did anyone test FF or Chrome private browsing mode? (and no, I won't RTFA, who wants to risk a cookie like that?)
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
Even I'm not prepared to do that and I don't consider myself average (nor above average, but whatever).
Don't accept evercookies.
They are made in highly automated hollow trees by elves with no visible means of support in a forest alleged to be enchanted.
Yes, someone went to much trouble to get deep tracking in every web device sold or 'given' away.
Some strange "law enforcement" junk ad banner on a site of interest could be very useful.
Who would give it a second thought or think to do some deep clean.
One visit via a spammed link in a dark forum, chatroom and you track yourself with your own hardware.
Domestic spying is now "Benign Information Gathering"
Ah, but for mod points...
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
Don't accept cookies.
Also use Links2. (Links is crap, of course. And only losers use lynx...)
Back in the real world, some of us do actually want to use the web for doing more than viewing static HTML pages. One or two of us even appreciate those awful persistent logins that cookies enable...
NeoPacman just need to take the red pill, and will be ready.
These brownies give me the munchies
And do not run flash.
I find sandboxie does a fantastic job of killing the evercookie every single time. Are CS professors lacking in education lately?
If your browser runs in a sandbox that is destroyed when you exit the browser, the evercookie can't live... No way no how.
Do not look at laser with remaining good eye.
It's reasons like this and others I no longer run my browser under my own user account. I have a separate account I run the browser as, actually two: there is one I use just to access my bank, and give it permissions on my X server. It has no group memberships that will let it do anything other than read access to system binaries and libraries; basically it's only a member of users. I then give my own user account permission to run the browser as the other user with sudo.
This way I can delete the entire home directory from time to time, or anytime I suspect something fishy has happened.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
OK, who has the right to place a cookie that can't be deleted by the computer owner? That sounds like malware to me; even if it's not an exe, it collects data and sends the data when requested. Who would be stupid enough to place undeletable cookies anyway? The repercussions would not be very good for their business. On a side note, I don't believe web sites or businesses have the right to spy on where I come from or where I go outside of their site; they do, however, have the right to see what we do on their site. If you want information from a user, ASK; don't TAKE without asking.
Jack of all trades, master of none
why do users have to jump through FLAMING HOOPS to get privacy?
Every new "security update" brings with it unwanted features that compromise your security (webstore...)
The technique he dreamed up will be copied by thousands of not-so-nice people and companies.
And since most internet users are idiots, the new evercookie system will work on >95% of computers.
All slashdot readers know how to sidestep this sort of thing.
But most non-slashdot people are clueless.
How does that prevent HTML5 local storage? How about the BrowserHistory storage? (e.g. domain/path/unique/1st-byte, domain/path/unique/2nd-byte, etc.) And CSS history storage? The most ingenious method is PNG RGB value storage! You block all images too?
I use NoScript (but I still temp-allow the primary site, otherwise why browse at all), CookieMonster in whitelist-only mode, and BetterPrivacy to delete flash LSOs on startup and shutdown. This still does not prevent the Ever Cookie.
Did anyone here read the original documentation?
Seems to me such stuff could be defeated (or at least rendered easily findable) if the browser is only allowed to write data to certain directories regardless of what some script might wish, unless the user actively specifies elsewhere (such as to save a download). Also seems to me this could be programmed into the browser so the user need not worry about it (indeed, would not need to even know about it).
Someone will probably point out flaws in this scheme, but the concept is to make the "cure" as simple as possible.
~REZ~ #43301. Who'd fake being me anyway?
Yeah, it doesn't get any simpler. How come browsers don't just block this with a simple line of code?
I'm seeing a lot of sudden chatter about something called 'epoclick.com'. It seems to be some form of redirect. I've seen reports of it affecting Firefox and Chrome, in Windows and OS X. It sounds like an Evercookie to me. I really hope it's not a virus.
This cookie is hard to remove? Really? I spent less than 5 minutes and defeated it. This thing is a joke. Just use the private browsing option in Firefox or Chrome; simple. I cannot fathom why this thing keeps getting so much attention.
What happens when a site requires cookies to function properly (for session tracking and such) and the EverCookies become corrupted? You can't just tell the user to "clear out their cookies" to solve the problem. You've just permanently broken your website on that computer unless you do allow a way for a user to remove them.
From reading the list of attacks I think Lynx should be, provided you tell it not to store the "normal" cookie.
As far as I can see, not all cookies have to be deleted to thwart this 'evercookie'. It seems far easier to simply swap the cookie data in accessible places, tricking the script to return erroneous data. However, this could be defeated if the cookie content was signed to prove its origins. Furthermore, I'm curious as to whether or not this type of cookie could potentially work across domains, considering the multitude of data storage methods that may not all be isolated to a single domain.
If you're interested, I updated the entry to make the *two* problems clearer (there's a much bigger than evercookie privacy problem on the iPhone) and what I think Apple needs to do to fix it. http://singe.za.net/blog/archives/1016-Killing-the-Evercookie-Part2-MobileSafari.html
What about this extension?
I would, but I don't think there's an app for that.
Nevermind. Been reading up... damn these things are vile...
So we need a browser that runs in its own sandbox and disables a ton of standard user features.
Advertiser scum.
> Don't accept cookies.
RTFA
I just called the Cookie Monster, and let him deal with it.
Visit CryptoGnome in his home.
Evercookies my arse.
Is the evercookie generator a script? Because if that's the case, you could just block the script.
I am not devoid of humor.
It might have been malware (maldata?) if the guy had sold his work to unscrupulous companies. Instead, the researcher who developed the Evercookie has done us all a favor: he published exactly what Evercookie does. This makes everyone aware of the problem, and you can bet that browsers and add-ins will address the problem soon.
Evercookie makes it clear that browsers need a central administration panel to manage all data that can be stored - directly or indirectly - by websites. I expect that the next major browser releases will include exactly this.
Add-ins like Flash are a more difficult problem: Really, they should only be allowed to store data through the browser, so that their storage can also be properly managed. However, Adobe (and Microsoft, and Apple, and...) will try to keep this off the radar screen.
Enjoy life! This is not a dress rehearsal.
> Even I'm not prepared to do that and I don't consider myself average (nor above average, but whatever).
Yes yes, pedantic, just mod me down, but what you are saying there is you consider yourself below average, which is probably not the point you were trying to make.
1) Reformat and reinstall OS
2) Restore HD backup (yes, some of us back up our data)
3) Put the browser in a sandbox and clear out the sand when you are done
Solutions 1 and 2 already work on every virus ever created.
From a link in the article that takes you to Jeremiah Grossman's site: http://jeremiahgrossman.blogspot.com/2010/10/killing-evercookie-google-chrome-wo.html
3) Delete Flash Local Shared Objects (LSO)
Go to the Flash "Website Storage Settings panel"
Click "Delete all sites"
Click "Confirm"
Adobe's "Website Storage Settings Panel" does NOT remove Flash Local Shared Objects from your hard drive; it only removes them from the list that the panel shows you. Look in the following directories after you run it.
/home/$USER/.macromedia/Flash_Player/#SharedObjects/
/home/$USER/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/
/home/$USER/.adobe/Flash_Player/AssetCache/
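To check the claim in the comment above, here is an added example (not from the thread or from Grossman's post) that lists what is still on disk under the three directories it names after the settings panel has been used. The function names and the `<random-id>/<site>/` layout assumed under `#SharedObjects` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the Flash storage directories named in the comment
# above for files that survive "Delete all sites".

# The three directories from the comment, relative to a home directory.
LSO_DIRS='.macromedia/Flash_Player/#SharedObjects
.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys
.adobe/Flash_Player/AssetCache'

# list_lso HOME_DIR: print every regular file left under those directories.
list_lso() {
    home=$1
    printf '%s\n' "$LSO_DIRS" | while IFS= read -r rel; do
        [ -d "$home/$rel" ] || continue
        find "$home/$rel" -type f
    done
}

# count_lso HOME_DIR: number of leftover files (0 means nothing survived).
count_lso() {
    list_lso "$1" | wc -l | tr -d ' '
}

# lso_sites HOME_DIR: distinct sites that still have a .sol file on disk.
# Assumes the layout #SharedObjects/<random-id>/<site>/.../<name>.sol.
lso_sites() {
    base="$1/.macromedia/Flash_Player/#SharedObjects"
    [ -d "$base" ] || return 0
    find "$base" -type f -name '*.sol' | while IFS= read -r f; do
        rest=${f#"$base"/}          # <random-id>/<site>/.../<name>.sol
        rest=${rest#*/}             # <site>/.../<name>.sol
        case $rest in
            */*) printf '%s\n' "${rest%%/*}" ;;   # keep the <site> component
        esac
    done | sort -u
}

# Run the audit only when a home directory is given on the command line.
if [ "$#" -gt 0 ]; then
    echo "Leftover files: $(count_lso "$1")"
    list_lso "$1"
    echo "Sites with shared objects:"
    lso_sites "$1"
fi
```

Run it as `sh lso_audit.sh "$HOME"` before and after using the panel; any site name still listed afterwards has a shared object that a returning page could read back.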
I browse in a VM that reverts all disk changes when it is powered off.
Tinfoil hat owners, spooks and company are likely busy with this stuff. People are never concerned of course - they are protected by their privacy laws -- on paper. In practice, all sorts of illegal data is *never* secretly collected by *any* weird groups, who *always* abide by all laws, and are *never* made available under *any* negotiated secret agreements or channels. Such backroom agreements and channels don't even exist, except in the minds of tinfoil hat, paranoid weird people's fertile imagination. Everyone on this side has their rights protected, except the enemy of this side and the other sides.
Build your own energy sources from scratch. http://otherpower.com/
Can you modify this evercookie to do something interesting to the database that's accessing it? After all, it's on YOUR computer, and you don't want it. You tried to delete it, but it came back. Seems to be fair game to make it do what YOU want.
No, you just need a browser that runs in a sandbox that saves NOTHING between runs of the exe. Someone in an earlier story on the evercookie suggested running in a VM, then destroying the VM and creating a new clone. All it would require the user to do is remember their passwords.
If you don't risk failure you don't risk success.
I just tested Chrome's private browsing mode. The "cookie" was set, but did not survive when the session was closed. The most likely way for the cookie to survive a private browsing mode is through Flash's Local Stored Object feature. I've not checked with Firefox.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
Malware (also: scumware), short for malicious software, is software designed to secretly access a computer system without the owner's informed consent.
Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
This is the point where it starts to make sense to browse from a VMWare instance, and roll back to a prior snapshot afterward. Or, to browse from a Kubuntu live CD session. Etc...
Where is the wisdom we have lost in knowledge?
Where is the knowledge we have lost in information?
It would make actually downloading anything that you might want to download into a colossal hassle, though, so that's not really a solution.
I only browse with a virtual machine that is copied from a clean original every day ;)
Privacy is terrorism.
That's actually pretty easy to do. I recommend booting a BackTrack4 LiveCD in a VM, it comes with Firefox with NoScript and Flash installed right out of the box. If you want to download something and you're really paranoid, save it to a shared-device USB stick (closed-source VirtualBox or VMware required).
"When information is power, privacy is freedom" - Jah-Wren Ryel
I'm hoping CCleaner will still get it, then.
lol
I use persistent cookies myself, but when I decide to clear them all out, I like knowing they are all cleared out. I no longer have that assurance (or option).
nice way to be redundant.
You are right. I see above-average as being those over-achieving wizards of computing. I am no wizard, but nor am I Joe Schmoe using a computer only occasionally.
Is Samy Kamkar, apparently
Why not just call ec.set on the tracking item's name and let the evercookie code do the unique ID stomping for you?