back to article Über-zombie cookies give us the fear

Privacy activists got hot under the collar about the use of flash cookies to respawn traditional website cookies* but an even more persistent type of cookie that's almost impossible to kill off may lie just around the corner. So-called invulnerable evercookies use eight different techniques and locations to hide on tagged …

COMMENTS

This topic is closed for new posts.
Silver badge

what a great idea

1/2 cookie, 1/2 rootkit :-D

bastards

10
1
WTF?

Bar room lawyers assemble!

Surely an attempt to use any such cookie would be illegal in a whole raft of countries...?

3
1

in other news....

You can purchase for a small monthly fee, an evercookie remover!

Please send monies to Mr L. Agos, Nigeria Street, Your town.

2
0
Bronze badge
Thumb Down

Yawn at the clever script kiddie

They will still be as easy to block as Flash cookies - just a few more locations to find is all

1
1

Does this work when I erase my session on exit?

As far as Firefox tells me every cookie and cached object is removed when I close Firefox (Including Flash cookies but only with an add-on).

So: are Mozilla lying to me, will this not work on my machine, or do I have to wait for a Firefox "Special HTML5 new persistent data" edition?

0
0
Silver badge

Yes

The cookie privacy options do the same thing for DOM Storage data in Firefox. Flash cookies can be deleted with BetterPrivacy. Web history can be set to be deleted on exit if you like.

Although I must admit I don't know about the undead PNGs.

0
0
Boffin

Solutions are Straightforward

This has been around for years. In Linux, one straightforward solution is to create a small temporary filesystem for flash related storage, the contents of which won't survive a re-boot.

Some good solutions (including the above) are explained in this thread:

http://forums.fedoraforum.org/showthread.php?t=232855

1
0
Bronze badge
Boffin

another solution

Find out where it likes to store the cookies and remove write permissions from the folder - then the cookies can't set in the first place - works for any OS where you can fiddle with permissions

0
0
Grenade

fighting Flash cookies via file permissions doesn't work, as Flash seems to gain root privs

I've done some experiments, at a root bash prompt, setting file permissions on "settings.sol" (the Flash "master cookie").

When I run Flash as a normal user, the Flash changes the file permissions back to what it wants them to be. It appears Flash is somehow gaining root privileges (or convincing a root-privileges program to do the dirty work on Flash's behalf). This is unsettling from a security perspective.

I have more VMs to build and more experiments to do... :-(

2
0
Boffin

Not So Fast ...

Some applications/plugins cease to work properly if you remove write permissions, hence the temporary filesystem method.

1
0
Silver badge
WTF?

There must be a hack for these, any day soon

In reality these are detrimental to the adoption of HTML 5.

It's bad enough having to clear out Flash cookies. Maybe the Washington politicians could pass a bill ...

4
2
NB
Flame

kill it with fire

then nuke it from orbit, it's the only way to be sure.

8
0
Silver badge

Mmmm...

How likely is this to affect a user who usually only goes to specific sites (BBC, Amazon, here) and blocks third-party sites by default?

Surely this sort of nonsense is the playground of ad-trackers and dodgy sites? Is it worth the risk of exposure for a more serious site? Just... to track which user is which? Seems like a hell of a bother for little in return.

0
0
Anonymous Coward

Omniture & the BBC

You might be interested in this article:

http://www.theregister.co.uk/2009/02/06/bbc_omniture/

Then there's the facebook button that the BBC were using for a time that included all sorts of facebook scripts.

Just because it's an institution that you think you can trust doesn't guarantee that they will act in a trustworthy way.

3
0
Anonymous Coward

The Beeb...

...don't act that way because they are untrustworthy. They act that way because they are incompetent.

2
0
Silver badge

Bah!

I propose we call these cookies that never go stale "Twinkies".

5
0
Pint

Seconded!

Here's a pint for giving me the best one-liner laugh I've had in a while...

:-)

0
0
Thumb Up

Blimey!

What's going on? 10/10 intelligent replies? I agree with all of the foregoing. How boring.

1
1
Anonymous Coward

javascript - just say no

from the little w*****s website: "evercookie is a javascript API"

1
0
Bronze badge
Big Brother

Not very practical

There simply are too many sites that won't work without it. If you really feel that blocking untrusted Javascript will help, then use the Firefox NoScript plugin. You'll then get to decide which site's Javascript you really want to run by denying access to the rest. But if you visit more than a few sites you'll then have many decisions to make. I tried this, got fed up and found that most of the really bad and unwelcome stuff seems to be blocked by Adblock Plus which takes a few moments to set up and then just does its job.

0
0
Paris Hilton

My PC .. Your Files .. My Invoice

To company responsible for placing a cookie on my PC that reconstructs itself in multiple locations following an attempted deletion.

This constitutes an abuse of my computer equipment.

You are using my disk space and my processor time.

Please find attached an invoice to cover the disk and processor usage.

Plus my time billed in 30 minute intervals while I remove it from my computer.

{Paris - because she doesn't eat cookies}

8
0
Anonymous Coward

What about "In-private browsing" in IE

Would that work?

To paraphrase NB above

Is it too late to burn this developer, and then nuke them from orbit, as a lesson to others?

0
0
Flame

Nuke them from orbit...

Yeah, nuke them from orbit. It's the only way to be sure.

0
0
Gold badge

RGB? Nasty

"Does this work when I erase my session on exit?"

Well, if you clear your cache as well. The method of storing some image and checking RGB value is particularly nasty (I'm not sure if it's truly HTML5 specific, I think current HTML and Javascript could do this). But if the cache was cleared there'd be no cached image to check the RGB value of.

Really, though, would anyone REALLY go to this much trouble to circumvent people's wishes regarding cookies? They'll get caught for sure, and it'll be ugly for them.

0
0

can someone code

a browser that does not write anything to a physical harddisk but uses a ramdrive ? ( remember ramdrives under dos ? )

When the browsing session ends: unmount the ramdrive. Game Over.

it should be easy to create a ramdrive under windows and move the temporary file folder to that volume.

2
0
Pint

They already did it !

Use a LiveCD

0
0
Anonymous Coward

This guy ...

I did him the courtesy of visiting his website, and he clearly thinks he's a very, very clever boy.

Sadly the type who will end up doing evil for some megacorp for half what he's worth.

1
0
Thumb Down

Title

This sort of tracking/spying will also be of interest to online gaming, poker rooms, casinos, sportsbooks etc to stop collusion and multiple account fraud.

I'm sure either Firefox will allow these to be blocked by default, or the better privacy extension will be on the case if not.

0
0

This post has been deleted by its author

FAIL

Tell me again ...

why I need/want flash?

2
0
Silver badge
FAIL

yawn

Fails on Opera in privacy mode even without a restart.

0
0
Anonymous Coward

Doesn't work...

Sandboxie based browsing (currently via Iron) doesn't allow them to be persistent.

Browse to site, set cookie, verify existence, close browser, clear sandbox, browse to site, no cookie.....

0
0
Thumb Down

Next development in EverCookie technology:

Evercookie Killer

0
0
Big Brother

Break this, break that

A cursory examination of the code seems to indicate that disabling many (almost all?) of the browser features that Evercookie uses to store its persistent data would have the side-effect of breaking basic interfaces that would be necessary for the proper functioning of most modern web sites (especially AJAX/Web2.0 pages).

The use of CSS to embed the cookie into your history cache (line 580 and sundry, evercookie.js) -- if I'm interpreting things correctly -- is both ingenious and disturbing. Storing your browser history as data linked to a custom CSS attribute (line 785 and there-abouts, evercookie.js) is just as twisted.

Looks like the dev's got all the bases covered.

No doubt about it, this code is EVIL.

Big Brother, indeed...

0
0

Can someone explain

How this is supposed to work when there is no browsing history??? Seriously? I never have cookies on by default, don't have a disk cache(only memory cache), never have browsing history. What other way can they actually track?

0
0
Anonymous Coward

Preventable

1) Mods - any reason why my last few posts on various topics haven't been posted?

2) The original post :

Sandboxie prevents this - it logs all files written to, and removes them on emptying the sandbox after the browser closes. This will also highlight which files are changed/written, and thus enable removal (albeit the cache images may be hard to individually go after)

0
0
Anonymous Coward

The article is FUD - evercookie is easy to defeat

A combination of FlashBlock and perhaps RequestPolicy, combined with caching set to 0 and a block on the ever cookie creator domain results in no ever cookies being successfully set on FF 3.6.10 on RHEL 5.4. I assume the same is the case for FF on any OS.

If I don't block the domain cookie creation then just a standard cookie is created.

0
0
Go

Easy Solution #1

rm -r /home/silverwav/.macromedia

0
0
Pint

VMs might be a little overkill

So you have a /home/<user>/bin/<browser> that contains a script to delete /home/<user2> then copy /etc/skel to /home/<user2> and then su - <user2>; run <browser> and then at the end of the script rm -r /home/<user2>.

Nothing gets by that unless it can root your box. If that happens you have more problems than just cookies ...

0
0
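
An added example, not part of any post in this thread: a lighter variant of the throwaway-profile script described in the comment above. Instead of a second account and `su`, it points `HOME` at a temporary directory seeded from a skeleton and deletes it when the command exits; `run_disposable` is a hypothetical name, and unlike the separate-user version it does not stop a program from writing to the real home by absolute path.

```shell
#!/bin/sh
# Added example (hypothetical helper): run a command with a throwaway HOME.
# Usage: run_disposable /etc/skel firefox
# Everything the command stores under $HOME (cookies, cache, ~/.macromedia,
# DOM storage) disappears when it exits.

run_disposable() (
    # The function body is a subshell, so the traps and HOME change
    # below never leak into the calling shell.
    skel=$1
    shift

    # Fresh private directory (mode 0700) with an unpredictable name.
    tmp_home=$(mktemp -d "${TMPDIR:-/tmp}/disposable-home.XXXXXX") || exit 1

    # Remove the directory on normal exit and on Ctrl-C / kill.
    trap 'rm -rf -- "$tmp_home"' EXIT
    trap 'exit 130' INT TERM

    # Seed it from the skeleton, as the comment does with /etc/skel.
    if [ -d "$skel" ]; then
        cp -R "$skel/." "$tmp_home/" || exit 1
    fi

    # Point every per-user location at the throwaway directory.
    # XDG_* overrides would otherwise still lead to the real profile.
    HOME=$tmp_home
    export HOME
    unset XDG_CONFIG_HOME XDG_CACHE_HOME XDG_DATA_HOME
    cd "$tmp_home" || exit 1

    # Run the command; its exit status becomes the function's status.
    "$@"
)
```
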
Boffin

Undeletable cookies?

cd /

su rm *

Problem solved.

0
0
Happy

I will not lose any sleep on that

because I have several weapons to respond :

- Running the browser from a virtual machine that can be rolled back

- Running the browser from a LiveCD

- good old text browser (yep, I'm old enough to know about its existence !)

So let them come with their cookies, I'm fully prepared.

0
0
Anonymous Coward

well

"The concept echoes Lord Voldemort hiding fragments of his soul in horcruxes in the Harry Potter books."

Well thank you for clearing that up but I'm still not sure I understand, can we have a Goosebumps analogy too?

0
0
Stop

The good news

The good news is that with cookies there will always be a traceable path back to whoever planted it there. So it looks like we've finally discovered a good use for lawyers.

1
0

Website

I hope his coding is better than his website design - paragraphs of text in Courier New? Ugh.

0
0
FAIL

Sorry, This Is Bull....

I am using firefox on a Ubuntu Linux machine. No mods whatsoever. No Flash.

I go to

http://samy.pl/evercookie/

and let him set his cookie. Then I close his page, hit CTRL-SHIFT-DEL and go again to

http://samy.pl/evercookie/

No cookie there whatsoever. Which is totally reasonable, as I configured FF to really delete all the crap - cookies, history, cache. Only my bookmarks survive.

No, Mr Smartguy, try to hack up something better, like

-sucking my Bookmarks (is it possible at all ?)

-fingerprinting by all means possible, including the IP address, DNS name and all the crap transmitted in the browser capability string.

FAIL.

0
0
Grenade

Defeating Browser Fingerprinting

One way to re-assign cookies is to use the browser capability string ("user-agent string") as a fingerprint. Here's a FF plugin to make your browser look a bit different (say like the Baidu search engine):

http://chrispederick.com/work/user-agent-switcher/

If you need capability strings, use these:

cat /var/log/apache2/access.log|cut -d " " -f12,13,14,15,16,17,18,19,20,21,22,23,24,25,26|sort|uniq

"-"

"-" "-"

"Baiduspider+(+http://www.baidu.com/search/spider.htm)"

"Baiduspider-image+(+http://www.baidu.com/search/spider.htm)"

"Googlebot-Image/1.0"

"Huaweisymantecspider (compatible; MSIE 8.0; DSE-support@huaweisymantec.com)"

"Morfeus Fucking Scanner"

"Mozilla/3.0 (compatible; WebCapture 2.0; Auto; Windows)"

"Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Creative)"

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET

"Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)"

"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"

"Mozilla/5.0 (compatible; YandexBot/3.0; MirrorDetector; +http://yandex.com/bots)"

"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10"

"Mozilla/5.0 (Windows; U; Windows NT 6.1; en_US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"

"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100908 Firefox/3.6.9"

"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3"

"msnbot/2.0b (+http://search.msn.com/msnbot.htm)"

"Wget/1.9+cvs-stable (Red Hat modified)"

And if you really want to be untraceable, use The Onion Router (http://www.torproject.org/). The bastards will soon use all the entropy they can harvest out of DSL addresses. They often come from a very small pool.

0
0
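
An added example, not part of the post above: it measures how identifying each User-Agent string in an Apache combined-format log is, by counting the distinct client addresses that sent it. `ua_exposure` and `sample_log` are hypothetical names, the log lines are constructed (documentation-range addresses), and the User-Agent is taken as the third quoted field rather than by space-separated position, which assumes no escaped quotes inside the string.

```shell
#!/bin/sh
# Added example: rank User-Agent strings by how many distinct clients sent them.
# A string seen from a single address works as a fingerprint on its own;
# a string shared by many clients reveals much less.

# Constructed sample in Apache "combined" format.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Oct/2010:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100908 Firefox/3.6.9"
192.0.2.11 - - [01/Oct/2010:10:00:05 +0000] "GET /a HTTP/1.1" 200 100 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100908 Firefox/3.6.9"
192.0.2.10 - - [01/Oct/2010:10:00:09 +0000] "GET /b HTTP/1.1" 200 100 "http://example.org/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100908 Firefox/3.6.9"
198.51.100.7 - - [01/Oct/2010:10:01:00 +0000] "GET / HTTP/1.0" 200 512 "-" "Wget/1.9+cvs-stable (Red Hat modified)"
192.0.2.12 - - [01/Oct/2010:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.13 - - [01/Oct/2010:10:03:00 +0000] "GET / HTTP/1.0" 400 0
EOF
}

# ua_exposure LOGFILE
# Prints "<distinct client addresses><TAB><user-agent>", rarest first.
ua_exposure() {
    awk -F'"' '
        NF >= 7 {                      # only lines with request, referer and UA quoted
            split($1, pre, " ")        # pre[1] is the client address
            key = $6 SUBSEP pre[1]
            if (!(key in seen)) {      # count each (UA, address) pair once
                seen[key] = 1
                clients[$6]++
            }
        }
        END {
            for (ua in clients) printf "%d\t%s\n", clients[ua], ua
        }
    ' "$1" | LC_ALL=C sort -t "$(printf '\t')" -k1,1n -k2
}
```
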