Related article December 13th, 2010 – Facebook: The real privacy killer
Update March 1st, 2010 – Chrome adds links to clear ‘adobe cookies’
There are hundreds of applications out there from spyware cleaners to built-in browser features that eliminate cookies on the spot, and even let you set cookie policies on your computer regarding what can be stored in your machine, and for how long.
I’m assuming that if you’re here reading this post, you already know all of the dangers of cookies on your computer. In all honesty, I don’t seriously believe that they’re the most dangerous form of movement or web tracking, but they can definitely be used to monitor more movements than a person should feel comfortable with.
What if there was a type of cookie that could:
- Stay on your computer for an unlimited amount of time
- Store 100 kb of data by default, with an unlimited max
- Couldn’t be deleted by your browser
- Send previous visit information and history, by default, without your permission
Okay… That’s a pretty scary cookie. As it is right now, the cookies we’re so deadly afraid of can store a maximum of 4 kb of information, are manage by your browser, and by default have reasonable defaults and restrictions.
This type of cookie exists on 98% of global computers, across all operating systems. it’s the Adobe Flash Player.
The Adobe Flash Player maintains proprietary cookies called Local Shared Objects or LSO‘s. LSO’s are capable of storing 100 kb’s of information for an indefinite amount of time by default. When you clear your browser history in Internet Explorer, Firefox or Opera on Windows, Linux, or OS X LSO’s are not cleared from Adobe’s local repository.
In fact, all the information in those cookies will remain indefinitely until they’re removed by the issuing website, or by you via a cumbersome and ridiculous process.
Unfortunately, I haven’t even explained the worst of it.
There’s no easy way to tell what sites are using flash cookies to track your movements. There’s no list, and there doesn’t have to be a flash GUI or visible application for flash cookies to be present. In fact, most websites using flash for user tracking don’t create GUI’s, toolbars, or applications that you can actually see in your browser while browsing the site.
Many times a tiny flash module, 2 kb in size or less is loaded into your browser on every page visit in the same way a gif, jpg or other image is. The whole purpose of this tiny, invisible flash module might be to simply record the page request, and your username or other session variables.
Alright, so now you’re sufficiently convinced that this is creepy stuff. Let’s talk about how to get rid of it?
Lame as it might be, the Flash Player has no ability to delete cookies. And as I’ve already said, your browser can’t help you out. It doesn’t even know these cookies exist! Most of the privacy settings for Adobe Flash have be accessed via a flash application on Adobe’s website called the Adobe Flash Player Settings Manager.
If you want to access the Settings Manager, you can do so here. In fact, open it up now and let’s take a look.
If you’ve clicked the link above, then you’re looking at the Flash Player Settings Manager, and a list of all the sites currently storing information on the cookies stored on your computer.
Looking at my list, I see over 100 websites that have been accessing the same cookie for the last year (the last time I formatted my computer). Some of them are storing only 1kb of information, some are storing the full 100 kb’s. On my own computer, I see that my bank is storing flash information despite the fact that there isn’t a single flash application visible when I log in to check my balance. I see Youtube, CNN, Microsoft, Rotten Tomatoes and a ton more!
To delete all the Flash Cookies currently being stored on your machine:
- Go to the Settings Manager (Website Storage Settings)
- Go to the far-right tab
- Click “Delete all sites”
To prevent websites from storing any more information on your computer:
- Go to Settings Manager
- Click the Second Tab from the left (Global Storage Settings)
- Set the Storage Settings slider to None
- Uncheck “Allow Third Party Flash Content to store data on your computer
There are several other “privacy” settings on the other tabs, but don’t be persuaded. Most of those privacy settings have to do with whether or not websites can access your microphone and webcam. There isn’t a single cookie option on any of the privacy tabs on the Settings Manager.
Adobe, as a global leader in browser technology (a 98% computer market share), has a responsibility to make Privacy Options easily accessible from within the Player application itself. They also have a responsibility to set reasonble default limitations. It’s ridiculous that they would enable websites to store cookies indefinitely, and in such large sizes.
Is Adobe intentionally allowing websites to abuse privacy? You tell me. Comments Welcome.
edit: changed Macromedia to Adobe. Sorry, I’m from the ‘ol days.
Increase your e-mail privacy: Anonymous E-mail Boxes with makemetheking.com
good advice
Hello! I’m at work surfing around your blog from my new iphone 4! Just wanted to say I love reading through your blog and look forward to all your posts! Keep up the superb work!
What a bunch of crybabies and fearmongers. What is really the most that can be done through the Flash LSO? Are you afraid that your wives will somehow find your saved preferences from all of the porn video sites you’re visiting?
I always thought Adobe was far more vulnerable to attacks than even MicroSoft. Maybe it was their buggy software…
Now it turns out that Adobe was not only vulnerable, they are in the middle of creating this monster.
It is obvious they don’t give a damn about anyone’s privacy, and likely never did.
What a bunch of turds.
Microsoft does not have a capital S in the middle.
kene is absolutely right here!
apparently they should be spelled with a capital $
IT Pros have the ability to solve the Supercookies problem on their business PCs. Quick how-to video from PolicyPak: tinyurl.com/3dxu32a
Wow,
Thanks for the info. I downloaded Mac Lion and kept seeing cookies come back instantly as soon as I started surfing, even though I would set all the security settings to high and always block cookies.
I’ve always known how to delete cookies, I came here looking for a way to not fing delete them, I play flash games a lot and I keep losing my fing progress, that’s really lame, I want to have control of my damn cookies as I had before 10.3 fuck it
In Linux, just add “rm -rf ~/.macromedia/Flash_Player ~/.adobe/Flash_Player” to ~/.bashrc or your Crontab. That way, all Flash cookies and settings are erased frequently. If you just want to erase the cookies, and not Flash settings, you need a more detailed “rm” call. For historical reason, some Flash things are stored in ~/.macromedia whereas other things are stored in ~/.adobe.
In Mac OS X and Windows, add appropriate “rm -rf” and “del /y/s” calls to the appropriate places.
I had been questioning occasion you ever considered altering the layout with the website? Its really correctly created; I enjoy what youve obtained to convey. But possibly you are able to small much more with respect to content so males could talk with it greater. Youve obtained a total lot of text for less than getting a single or two images. Maybe you’ll be capable of area against eachother greater?
@Hans-Peter Dollhopf: of course it does; just make it erase the Flashplayer directory. I use Opera which I close down with “Delete private data”, and after that I run Ccleaner to erase all flash cookies and also throw out other eventual temporaries.
FIREFOX – PLUGIN:
BetterPrivacy, and the dirt is gone.
We need a multi-browser cookie-cutter. I ALWAYS block third-party cookies, and only enable cookies for specific sites (to save logging in all the time). I’ve even noticed on eBay that some vendors have third party cookies embedded in their ads because I get warnings about “third party cookies”. If I visit a site that requires enabling of what I consider to be too many cookies, I dump the site instead.
TonyS December 3, 2010 at 12:28 pm said:
“CCleaner … removes all flash cookies”
No! I tried it out. No!
While FF’s BetterPrivacy does.
Interestingly enough, Adobe’s Settings panel told me I had 0 flash cookies stored. But opening Firefox and a quick look with Better Privacy told me I did, in fact, have one. I deleted it, of course – but WTF? Now Adobe tells us there’s nothing from them when Firefox says there is? Fascinating…
The flash cookies are actually stored in two locations:
\AppData\Roaming\Macromedia\Flash Player\#SharedObjects
and
\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Using the macromedia settings manager only deletes those in the #sharedobjects folder. CCleaner (free at download.com) removes all flash cookies from both folders as well as all other traces of user history. It also has some other useful tools.
The best way to get rid of the files (on a mac) is to lock the “Flash Player” folder in the get info box. That way they don´t get stored in the first place.
There is a real easy way to ditch these things. Get Firefox and add the Better Privacy Plug in. It automatically checks for the things and allows you the option to delete them. You can also choose to protect some if they are crucial for some site you use. It gives you away to keep an eye on them. As far as I can tell, if I’ve been using another browser and then open Firefox it’s killing those LSO cookies too, judging from the fact that too many pop up when I’ve only been on one site.
I’m glad to know there are other ways though. My Firefox has been giving me issues since the last 2 upgrades.
Great post. I was horrified when I found the history list of every single site I have been on, on THEIR SERVER! I just wish an Adobe Flash WORKING alternative would be available. I HATE THEM and their products.
Thank you so much. After hearing on the nightly news about super cookies I was very concerned as the news gave no real information on how to solve this problem. You did on a Google search. Thanks again.
Tinfoil-hat fearmongering, go.
Thank you, thank you, thank you!! FINALLY I figure out how I'm being tracked. Adobe is the culprit. Grr to Adobe. GRRR.
the best so far out there to remove flash cookies is an ad-on by Firefox we will never have privacy Big Brother is out there and I say this with a sadness have a good internet security and I do recommence better privacy in fire fox
Hi -
Good article. There's a similar write-up at http://sazeit.com/main/Flash-Cookies which points out that those using Firefox can get the BetterPrivacy plugin to manage the flash-cookies from their browsers.
You raised some really good point about the default settings implemented by Adobe and the simple fact that Adobe, though not hiding LSOs, is not doing anything to advertise their existence either. — If you recall, Adobe was a Mac-linked product for many years before gaining prominence on Windows machines, and Mac's attitude was, is, and most likely always will be "you don't need to know".
Good information. Lots of people know that Adobe stores Flash Player locally on their machine because Flash is so ubiquitous. But I have to believe that most people have no clue that it includes cookie-like objects that track browsing activity. I'm surprised these objects are not configurable at the browser level. Thanks for the post!
exactly..this is what i was looking..thanks a ton for writing about flash cookies
@ opinar:
If this is the best thing you have to block spammers, you are truly defenseless. If it actually worked well, spammers would just trash the LSO's regularly and soon all your base would belong to them.
@Kyle Simpson:
So you REALLY think it's okay to have a browser object that you install which does the following?
1. Silently makes a history of almost every site you have ever went to.
2. Gives you no warning that it is doing this.
3. Keeps this history indefinitely.
4. Makes you go to their own website to clear this history.
I'd have to say no to all 4. I'm not one of those people who has ever spent an instant whining about "evil cookies." With standard cookies, they're integrated into browsers and the OS. They're established, well publicized, and have reasonable, customizable policies for management.
If Adobe's best "reasonable and customizable" policy is to not publicize that they do this and give you no way to delete these via local machine or browser? Well, I don't care what their intent is.
- If they are "VERY concerned with properly managing these LSO" then why aren't they informing users when they install flash?
- If "This may not be as graceful as your browser’s cookie management" then why don't they… GASP, work within the browser's own data management? Or give a good API to browsers which allows them to manage ubiquitous Flash LSO's? If you're basically reinventing the cookie in a bigger form, couldn't you even imitate the same paradigm?
- Why can't Adobe manage these things half as good as a third party? Seriously. Better Privacy firefox add-on. Has just about all basic settings and views that I need to manage LSOs. Probably made by some annoyed guy over the course of 3 weeks worth of lonely evenings.
To me, it seems like a cop out. Regardless of how "worried" Adobe is, they have done a horrible job at allowing users to manage these things. That's like saying that a parent is "worried" about child safety while their kid is playing in the street. At some point in time, outcome matters. And these things have been around for a couple years now, so being able to work this out is inexcusable.
i love you so much i like you
If you rename the macromedia flash folder you can't listen to streaming radio.
Locks up mouse clicks w/ cpu @100%. Weird, just pulling up Task manager
[alt-ctrl-del] allows mouse clicks to turn off site normally though still at 100%.
Well, from a webmaster's point of view, it's one of the few things we have to block spammers, so as creepy as it may sound, I am in favour.
This post is mostly FUD. Yes, LSO's ("flash cookies") exist, and yes lots of sites, even reputable ones, use them (in addition to regular cookies), especially for advertising tracking because they are more persistent and because they span browsers.
But the global settings manager you mention is accessible from ANY flash movie on ANY page by right-clicking and clicking "Settings". There are a number of settings that let you completely turn off LSO's or limit their size. You can also white-list or black-list sites by URL.
For instance, the "Global Storage Settings" tab has a setting for the default size of all new LSO's, as well as two check boxes for controlling special LSO content (third party content and common flash components). If you change those settings to something more palatable, and you then remove all the existing LSO's via the process you mentioned above, then you should be safe from such fearful "abuse" in the future.
This may not be as graceful as your browser's cookie management, but it is functional and if more people knew the steps it wouldn't seem so scary and offbeat.
I've actually personally worked with Adobe on a couple of occasions regarding bugs with this specific system and have found them to be VERY concerned with properly managing these LSO's and such. They are currently working on a redesign of this Settings Manager's UI, at my behest, so that it's more user-friendly for just these tasks.
But one of the points is that Flash can be present on a web page and not displayed? So you could presumably be tracked and never have viewed a Flash object. Adobe is evil and shame on any web site using it.
Sorry, my comment should have been addressed to MK, not freezy.
freezy, web browsers prompt users for authorization before allowing sites to use HTML5 Local Storage. Also, unlike Flash LSOs, local storage will be subject to the private browsing modes in browsers like Firefox and Chrome.
Please read the HTML5 Local Storage spec. It is going to implement a very similar if not identical, hard to spot, hard to delete cookie.
HTML5 will implement this the same way Flash, Gears, and Silverlight do today. It's called persistent storage and is necessary for a better browsing experience.
If your gonna player hate – do it to the browser makers because it's up to THEM as to how hard or easy it is to spot and/or delete these types of storage.
Deleting Flash cookies as per method outlined above does not remove full history.
Prying eyes can still see where you've been ( at least on my Win 7 machine) by going to:
C:Users#username#AppDataRoamingMacromediaFlash Playermacromedia.comsupportflashplayersys
Delete all files in sys folder to clear history.
All of the flashcookies are seem to be sent to Google via s.ytimg.com
If its big business, its bad business. Sony rootkits indeed!
..it works along with antispyware/antivirus sofware depends what kind it is a lot of these comments are worthwhile trend micro
Just learnt about this today. I delete cookies manualy everyday after I quit my browser. There is a program called Flush which takes the pain out of deleting Flash cookies here…
http://machacks.tv/2009/01/27/flushapp-flash-cook…
There are links to the windows version there too.
I now know who's side I'm on in the Apple vs Adobe war.
Screw Adobe.
@Harold wrote:
With WinXP :-
VISTA: This worked for Vista as well. The path is a bit different. Here it is:
Users >[USERNAME] >AppData >Roaming >Macromedia >macromedia.com >support >flashplayer >system
ALSO
Users>[USERNAME]>AppData>Roaming>Macromedia>Flash Player>#SharedObjects>[Random string of letters]
Thanks so much!