Slashdot Mirror


Un-killable 'Evercookie' Killed ... Sometimes

Trailrunner7 writes "The persistent method that security researcher Samy Kamkar introduced last week for storing tracking data on a user's machine, known as the 'Evercookie,' is even more worrisome when used on mobile devices, according to another researcher's analysis. The Evercookie is a simple method for forcing a user's machine to retain browser cookies by storing the data in a number of different locations. The method also has the ability to recreate deleted cookies if it finds that the user has removed them. Created by Kamkar as a demonstration of a way that sites could use to persistently track users even after they clear their browser cookies, the Evercookie has drawn the attention of a number of other researchers who have spent some time looking for methods to defeat it. A researcher in South Africa took a look at the way the Evercookie works on both Safari on the desktop and on mobile devices, and found that it can be undone in some circumstances. However, he also found that the mobile version of Safari fares far worse in its handling of the Evercookie than the standard version does."

33 of 186 comments

  1. Evercookie is clever by Nichotin · · Score: 3, Informative

    For forum administrators, it is a very clever way to keep many ban evaders out. While it is not un-killable, it is pretty much a pain in the ass to get rid of, since it will get back if you miss a single one and visit the site again. Read the list of the places it stores its cookies, and be amazed how many there actually are. So, 1) ban user, 2) place cookie, 3) user signs up again, 4) your site detects the evercookie + new registration, 5) verify and ban again (unless the user suddenly becomes a good user, of course).

    1. Re:Evercookie is clever by Anonymous Coward · · Score: 5, Insightful

      While it is not un-killable, it is pretty much a pain in the ass to get rid of, since it will get back if you miss a single one and visit the site again.

      Didn't we used to call this kind of stuff "malware"? When did it become acceptable, no matter how annoying or unwanted the user is, to put something on their computer without their knowledge that is hard or near-impossible to remove?

    2. Re:Evercookie is clever by countSudoku() · · Score: 2, Insightful

      Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :) I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things. IPs won't even help that now. Looks pretty broken. Hope the evercookie is chocolate.

      --
      This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
    3. Re:Evercookie is clever by Yvan256 · · Score: 2, Interesting

      Malware is executable software. The evercookie isn't software, it's a simple marker.

    4. Re:Evercookie is clever by Anonymous Coward · · Score: 2, Interesting

      Oh please. There are plenty of malicious sites that do unwanted things to your computer that don't leave an executable. It doesn't have to be "executable software" to be malware.

    5. Re:Evercookie is clever by tehdaemon · · Score: 3, Insightful

      Malmarker then? Maldata? Evilbytes? I suppose at some level pedantry about word definitions makes sense, so fine, don't call it malware. But it is in the same 'badness' class as most malware, and needs an equally bad name to go with it.

      T

      --
      Laws are horrible moral guides, moral guides make even worse laws.
    6. Re:Evercookie is clever by The+Wild+Norseman · · Score: 4, Insightful

      Malware is executable software. The evercookie isn't software, it's a simple marker.

      The cookie resides on my hardware, doing something (tracking -- albeit doing something passively in this case) which I only wish to grant it for a limited amount of time. When the makers of this cookie make it extremely difficult to delete, which takes away the control I have over the data on my computer, then I see no practical difference between this passive cookie and active malware. Just MHO.

      --
      "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
    7. Re:Evercookie is clever by pclminion · · Score: 3, Interesting

      Just put it in the ToS for the site that you use "advanced measures to track banned users." Presto, now you're not being underhanded about it, which is really the critical difference between malware and other forms of software.

    8. Re:Evercookie is clever by Yvan256 · · Score: 3, Interesting

      If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.

      Next thing you know we have teachers who think Linux is a Windows program and that no computer can run without a Microsoft OS.

    9. Re:Evercookie is clever by CCarrot · · Score: 4, Insightful

      If we on Slashdot start calling cookies "malware" then it's no different than when ordinary computer users don't know the difference between a virus and a trojan.

      Ordinary cookies don't actively fight removal by the user, and once they're gone, they're gone.

      Ordinary (non-malware) applications don't actively fight removal by the user, and once they're gone, they're gone (okay, other than some leftover user/config data sometimes, but the program itself is gone and no longer does what it was designed to do).

      The 'Evercookie', on the other hand, behaves exactly like malware in that it actively resists being deleted by the user, even to the point of rebuilding itself after deliberate removal attempts, and all for the benefit of a third party.

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    10. Re:Evercookie is clever by drcheap · · Score: 2, Insightful

      Malware is executable software. The evercookie isn't software, it's a simple marker.

      And what puts that "simple marker" on your computer? Oh yeah, JavaScript, which last time I checked is executable software.

    11. Re:Evercookie is clever by Firehed · · Score: 4, Insightful

      It's a fairly complex storage mechanism, designed to get around a user's preferences. In the wrong hands, it's very dangerous. I'd certainly call it closer to malware than, for example, the recent iPhone jailbreaks - which are so kind as to patch the security flaw that let the software run in the first place. Yet by your reasoning, jailbreaking is malware and evercookies are harmless. If you think that ad retargeting (ads that basically follow you around the web) is creepy, wait until they know with 100% certainty that you're a known user in some known demographic.

      --
      How are sites slashdotted when nobody reads TFAs?
    12. Re:Evercookie is clever by Firehed · · Score: 3, Insightful

      Putting something in the TOS to "not [be] underhanded" is, in itself, being underhanded. Or perhaps you're that one non-crawler in my server logs with the request to /about/terms, in which case I take that back.

      --
      How are sites slashdotted when nobody reads TFAs?
    13. Re:Evercookie is clever by Anonymous Coward · · Score: 2, Insightful

      Putting something in your Terms of Service isn't the same thing as informing the user, even if it's legally regarded to be so.

    14. Re:Evercookie is clever by thePowerOfGrayskull · · Score: 2, Insightful

      Not if they visit using a Live CD based OS. Ooops, sorry, just broke your new thing there. :) I'm not above using a Live CD to do things, and to collect stuff, which is stored on other things. IPs won't even help that now. Looks pretty broken. Hope the evercookie is chocolate.

      Sooo... what's your point again? What percent of the population uses a LiveCD installation? And of that percentage, what further subset does so without any persistent storage (flash drive, etc) for user settings? (And if one person replies to me "I do, so there" [or its equivalent], consider yourself virtually smacked for missing the point.)

      I'd say it's not broken until there's a less drastic means of evading it. If the only way to do so means - a) clearing history after every page and b) disabling cookies and c) disabling javascript OR d) running a Live CD OS ... well, I think it's pretty safe to say this is gonna be around for a while.

    15. Re:Evercookie is clever by davidbofinger · · Score: 3, Insightful

      It's not the same concept but "malcontent" deserves to be coined.

    16. Re:Evercookie is clever by waveclaw · · Score: 2, Insightful

      The Microsoft-is-the-computer idea is already well entrenched. You don't buy a computer anymore. You buy Windows or you buy a Mac.

      I bought a cheap, pre-built computer sitting in the front of a store to replace one of my (cheaper, older, dead) personal development servers. It had a Microsoft OS on it. I asked for the PC tech running the store to remove the OS and give me the price difference.

      His first reply was that PCs don't work without Windows.

      I told him I was going to just put Linux on it.

      The guy has been building and selling PCs at this place for years. His reply?

      "Uh, I don't think Linux runs on PCs."

      I just waited for him to crudely zero out the boot block on the HD I was going to trash anyway, bought my 'useless' PC and walked out.

      Evercookie is just another salvo in the silly Medieval/Industrial Age Idea of a war of control between producers versus consumer. Remember to be a good sheep, don't open those, you'll void the (useless) warranty! It comes in any color you want, as long as that color is black.

      --

      "You cannot have a General Will unless you have shared experiences. You cannot be fair to people you don't know."
  2. If only... by NoobixCube · · Score: 4, Funny

    I wish I had an evercookie. A magical cookie that regrows every time you take a bite out of it sounds like an amazing idea.

    --
    Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
    1. Re:If only... by Anne_Nonymous · · Score: 4, Funny

      You shit cookies for the rest of your life?

  3. Re:Solution: by Anonymous Coward · · Score: 5, Insightful

    That's not the solution. The whole point of the "evercookie" is that it doesn't just use regular HTTP cookies to store information, but also abuses all kinds of common browser features related to CSS, caching, embedded Flash objects and anything else that can be exploited to store state. If all he did was store a cookie only, then any browser worth its salt could easily purge it from the browser history.

    So even if you just block cookies, that doesn't prevent this hack from working. You may need to block a whole range of features from JavaScript to HTTP caching to Flash support. It's certainly possible, but not something that an average user is prepared to do.

  4. Well for Linux anyway by al0ha · · Score: 4, Informative

    A combination of FlashBlock and perhaps RequestPolicy, combined with caching set to 0 and a block on the ever cookie creator domain results in no ever cookies being successfully set on FF 3.6.10 on RHEL 5.4 - I'd venture to guess it will be the same for other OS running FF at least.

    If I don't block the domain cookie creation then just a standard cookie is created.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:Well for Linux anyway by Jah-Wren+Ryel · · Score: 3, Informative

      Make the folder ~/.macromedia read only. Works with Linux, but not in Windows.

      I just tried it under linux.
      When I made the empty ~/.macromedia directory read-only, the flash plugin consistently crashed.
      So I made sure that Flash_Player sub-folder was created by the plugin first, deleted any cookie files and then did a recursive chmod -R a-w ~/.macromedia and it seems to work fine now.

      --
      When information is power, privacy is freedom.
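
The lock-down order described in the comment above (plugin-created folder first, then delete stored objects, then remove write permission), as an added example that is not part of the original thread. The function names are hypothetical, and it assumes Flash local shared objects are files ending in `.sol`; the tree it runs on is a constructed sample, not a real `~/.macromedia`.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: Flash local shared objects are files ending in .sol.

# lock_flash_store DIR
#   Prints the number of .sol files removed; returns 2 if the plugin has
#   not yet created DIR/Flash_Player (the comment reports crashes when an
#   empty store is made read-only).
lock_flash_store() {
    store=$1
    if [ ! -d "$store/Flash_Player" ]; then
        echo "no Flash_Player folder under $store; run the plugin once first" >&2
        return 2
    fi
    chmod -R u+w "$store"      # undo an earlier lock so deletion can succeed
    removed=$(find "$store" -type f -name '*.sol' -print | wc -l | tr -d ' ')
    find "$store" -type f -name '*.sol' -exec rm -f {} +
    chmod -R a-w "$store"      # the step from the comment
    echo "$removed"
}

# count_writable DIR
#   Prints how many files/directories still carry any write bit.
count_writable() {
    find "$1" ! -type l -perm /222 | wc -l | tr -d ' '
}

# Constructed sample tree standing in for ~/.macromedia
demo=$(mktemp -d)
mkdir -p "$demo/Flash_Player/#SharedObjects/SAMPLE/example.test"
: > "$demo/Flash_Player/#SharedObjects/SAMPLE/example.test/tracker.sol"
echo "removed:        $(lock_flash_store "$demo")"
echo "still writable: $(count_writable "$demo")"
chmod -R u+w "$demo" && rm -rf "$demo"
```

`count_writable` inspects permission bits rather than attempting a write, so it gives the same answer when run as root.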
  5. Unfortunately by antifoidulus · · Score: 3, Funny

    Now that the Cookie Monster has gone all health food we cannot rely on him to help us out here.

  6. Why Safari by willoughby · · Score: 2, Interesting

    I admit I didn't RTFA but why are they talking about Safari? Are other browsers immune? Is any browser immune?

    1. Re:Why Safari by BUL2294 · · Score: 2, Interesting

      For some reason, TFA only mentions Safari. No mention of IE (though Silverlight is mentioned) or Firefox, just Safari & Chrome. I don't know if that's because the author hasn't gotten around to testing Firefox or if it's immune--but Silverlight & Flash could be holes for FF.

      Frankly, I never trusted Google's ability to vet Apple's (Webkit) code for security holes... And I just don't trust Apple.

      And what the hell is "HTML5 database storage"--and why would I want to give any app persistent storage? Seems like a great way to store malware...

      --
      Windows 3.1x calc: 3.11 - 3.10 = 0.00
  7. Evercookie = Nevercookie by the_raptor · · Score: 3, Interesting

    With Adblock plus, NoScript and BetterPrivacy Firefox addons I had to whitelist the domain before "Evercookie" would even work. And even then as soon as I revoked permissions for everything except NoScript the only bit that stuck was the cache image "cookie". Considering there are already addons to prevent normal cookies and flash cookies it would take all of a day, after this method for "eternal cookies" appeared in the wild, for an addon to be released that blocked it.

    The only message from this and previous articles is "most people are stupid and don't follow basic steps to maintain their security and privacy".

    --

    ========
    CINC, 4th Penguin Legion
    1. Re:Evercookie = Nevercookie by Anonymous Coward · · Score: 2, Interesting

      Because from what you just described as necessary to keep out these Evercookies, this isn't "basic steps". This is advanced knowledge of how cookies and browser technology work and interact. Four different browser specific addons should not be required to maintain privacy, and that is the point. People aren't stupid, they just don't know. Arrogance about it won't help.

  8. Re:Solution: by Anonymous Coward · · Score: 3, Informative

    Don't accept cookies.

    No, not a solution. RTFA. It doesn't matter whether you accept cookies or not. The only two methods of protection are (a) use Safari in private browsing mode, and quit and restart the browser between each and every site; or (b) block absolutely all javascript everywhere without any exception ever. Neither of these is really satisfactory.

    Plus, these evercookies transfer from one browser to another because they get stored as LSOs.

  9. Re:Solution: by thePowerOfGrayskull · · Score: 2, Insightful

    Don't accept cookies.

    Also use Links2. (Links is crap, of course. And only losers use lynx...)

    Back in the real world, some of us do actually want to use the web for doing more than viewing static HTML pages. One or two of us even appreciate those awful persistent logins that cookies enable...

  10. Why I don't run my browser as me anymore by DarkOx · · Score: 3, Interesting

    It's reasons like this and others I no longer run my browser under my own user account. I have a separate account I run the browser as, actually two there is one I use just to access my bank, and give it permissions on my X server. It has no group memberships that will let it do anything other than read access to system binaries and libraries, basically it's only a member of users. I then give my own user account permission to run the browser as the other user with sudo.

    This way I can delete the entire home directory from time to time, or anytime I suspect something fishy has happened.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:Why I don't run my browser as me anymore by notsinge · · Score: 2, Insightful

      The user account you run your browser under makes no difference. This is about tracking you around the web. If you log into Google as your real identity, it sets a cookie (evercookie or otherwise), then every site you visit with adsense enabled marks your real identity down as having visited that site. You could be running your browser as whatever user you like in a chrooted Qubes VM all in a BSD jail and none of that will do a damn thing to stop this.

  11. Restrict write permissions in the browser? by Reziac · · Score: 2, Insightful

    Seems to me such stuff could be defeated (or at least rendered easily findable) if the browser is only allowed to write data to certain directories regardless of what some script might wish, unless the user actively specifies elsewhere (such as to save a download). Also seems to me this could be programmed into the browser so the user need not worry about it (indeed, would not need to even know about it).

    Someone will probably point out flaws in this scheme, but the concept is to make the "cure" as simple as possible.

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  12. Evercookie does us all a favor by bradley13 · · Score: 2, Insightful

    It might have been malware (maldata?) if the guy had sold his work to unscrupulous companies. Instead, the researcher who developed the Evercookie has done us all a favor: he published exactly what Evercookie does. This makes everyone aware of the problem, and you can bet that browsers and add-ins will address the problem soon.

    Evercookie makes it clear that browsers need a central administration panel to manage all data that can be stored - directly or indirectly - by websites. I expect that the next major browser releases will include exactly this.

    Add-ins like Flash are a more difficult problem: Really, they should only be allowed to store data through the browser, so that their storage can also be properly managed. However, Adobe (and Microsoft, and Apple, and...) will try to keep this off the radar screen.

    --
    Enjoy life! This is not a dress rehearsal.