Flash Cookies: The Silent Privacy Killer
There are hundreds of applications out there from spyware cleaners to built-in browser features that eliminate cookies on the spot, and even let you set cookie policies on your computer regarding what can be stored in your machine, and for how long.
I’m assuming that if you’re here reading this post, you already know all of the dangers of cookies on your computer. In all honesty, I don’t seriously believe that they’re the most dangerous form of movement or web tracking, but they can definitely be used to monitor more movements than a person should feel comfortable with.
What if there was a type of cookie that could:
- Stay on your computer for an unlimited amount of time
- Store 100 kb of data by default, with an unlimited max
- Couldn’t be deleted by your browser
- Send previous visit information and history, by default, without your permission
Okay… That’s a pretty scary cookie. As it is right now, the cookies we’re so deadly afraid of can store a maximum of 4 kb of information, are manage by your browser, and by default have reasonable defaults and restrictions.
This type of cookie exists on 98% of global computers, across all operating systems. it’s the Adobe Flash Player.
The Adobe Flash Player maintains proprietary cookies called Local Shared Objects or LSO’s. LSO’s are capable of storing 100 kb’s of information for an indefinite amount of time by default. When you clear your browser history in Internet Explorer, Firefox or Opera on Windows, Linux, or OS X LSO’s are not cleared from Adobe’s local repository.
In fact, all the information in those cookies will remain indefinitely until they’re removed by the issuing website, or by you via a cumbersome and ridiculous process.
Unfortunately, I haven’t even explained the worst of it.
There’s no easy way to tell what sites are using flash cookies to track your movements. There’s no list, and there doesn’t have to be a flash GUI or visible application for flash cookies to be present. In fact, most websites using flash for user tracking don’t create GUI’s, toolbars, or applications that you can actually see in your browser while browsing the site.
Many times a tiny flash module, 2 kb in size or less is loaded into your browser on every page visit in the same way a gif, jpg or other image is. The whole purpose of this tiny, invisible flash module might be to simply record the page request, and your username or other session variables.
Alright, so now you’re sufficiently convinced that this is creepy stuff. Let’s talk about how to get rid of it?
Lame as it might be, the Flash Player has no ability to delete cookies. And as I’ve already said, your browser can’t help you out. It doesn’t even know these cookies exist! Most of the privacy settings for Adobe Flash have be accessed via a flash application on Adobe’s website called the Adobe Flash Player Settings Manager.
If you want to access the Settings Manager, you can do so here. In fact, open it up now and let’s take a look.
If you’ve clicked the link above, then you’re looking at the Flash Player Settings Manager, and a list of all the sites currently storing information on the cookies stored on your computer.
Looking at my list, I see over 100 websites that have been accessing the same cookie for the last year (the last time I formatted my computer). Some of them are storing only 1kb of information, some are storing the full 100 kb’s. On my own computer, I see that my bank is storing flash information despite the fact that there isn’t a single flash application visible when I log in to check my balance. I see Youtube, CNN, Microsoft, Rotten Tomatoes and a ton more!
To delete all the Flash Cookies currently being stored on your machine:
- Go to the Settings Manager (Website Storage Settings)
- Go to the far-right tab
- Click “Delete all sites”
To prevent websites from storing any more information on your computer:
- Go to Settings Manager
- Click the Second Tab from the left (Global Storage Settings)
- Set the Storage Settings slider to None
- Uncheck “Allow Third Party Flash Content to store data on your computer
There are several other “privacy” settings on the other tabs, but don’t be persuaded. Most of those privacy settings have to do with whether or not websites can access your microphone and webcam. There isn’t a single cookie option on any of the privacy tabs on the Settings Manager.
Adobe, as a global leader in browser technology (a 98% computer market share), has a responsibility to make Privacy Options easily accessible from within the Player application itself. They also have a responsibility to set reasonble default limitations. It’s ridiculous that they would enable websites to store cookies indefinitely, and in such large sizes.
Is Adobe intentionally allowing websites to abuse privacy? You tell me. Comments Welcome.
edit: changed Macromedia to Adobe. Sorry, I’m from the ‘ol days.
Increase your e-mail privacy: Anonymous E-mail Boxes with makemetheking.com
No doubt this can be abused and I don’t really have good solution for it, however this “large cookie” does serve a purpose and it has some great uses. You can use it as a mini database and cache locally on the client without making expensive service calls. Just like anything it can/will be abused by the people that want your info.
I really think Adobe should add the functionality to manage cookies directly from the Flash Player. I would even go a little further and say that when Flash is installed on a system, there should be Flash Privacy Settings management added to the browser’s privacy settings.
I’ve been involved with developing sites for oh, about 10 years now… this is the first i’ve seen of the Flash cookies nonsense. Just deleted a whole whack of them. I didn’t delete them through the flash utility though. If you have enough know-how you can hunt down the data in -application data- which is located in your user profile on most systems (microsoft stuff). If you can get that far, there is just tons and tons of this crap laying around. I believe they are called .sol files. Funny that extension, sounds a lot like s–t out of luck.
There’s no reason we should have to rely on Adobe to get rid of this nonsense. Totally unacceptable security risk. Which, I admit, I did not even know about until now. I have to start doing more development in Flash. This is crazy.
I’ve written a script to delete them on my mac
I’ve written a script to delete them on Mac Os X…
rm -r /Users/username/Library/Preferences/Macromedia/Flash\ Player/#SharedObjects//*
rm -r /Users/username/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys/*
Hell I’ve been doing web development for 8 months now…
Using flash and worried about privacy? A and -A, anything follows. Worry about a lot more than little privacy.
On some OS, having folder with no ability to add anything in, rather than just rm …
Any graphics and privacy is the least of your worries.
funny though that the “setting manager” does not delete the stuff in the second row of Jims script
As a game developer I use them sometimes to store scoring information for a user. For instance in one game I’ve created I store the players best time for that level, the next time they play the level I show them their best time so they can try and beat it.
“by default” it enables average users to use nifty adobe player functionality. (my pizza store, by default now remembers me and the last time i was there! wicked!
You can also choose max disk space for these cookies, you can also easily delete them, and you can easily stop them from being saved.
I agree the access to this information isn’t “easy”. but this is far from being a security problem.
I had to go through just as much clicks to get to my firefox cookie, as to get to the flash cookies. They also store only information they request. Which in some casses means saved games files (for flash games), and even pre-loaded code so that loads are faster.
This article, with its hefty boldening of sentences, makes this out to be an OMG! situation, when it’s not. Just as firefox, by DEFAULT, enables cookies and javascript code. Why can’t flash? This panel can also be accessed when using almost ANY flash application, through the right click context menu. Seriously, this feels like very little investigation of comparison. American style scare-mongering at it’s finest IMHO.
It sucks that adobe would even track that info for something that does not even load a flash animation per say on the website you are going to, as well, if you have cross site scripting enabled, i can store a frame with this adobe, to access your cookie and view that information even if my website does not pop up any flash….I would say adobe should fix this yesterday, as I find this unacceptable.
“Store 100 kb of data by default, with an unlimited max” - Wrong. 100kb is the default max. If it needs more it need to ask you for permission.
“Couldn’t be deleted by your browser” - Your wording is trying to imply that one can’t download it. They can, as you’ve shown.
“Send previous visit information and history, by default, without your permission” - It *stores* information rather then sending it somewhere else. Also it’s not like every site will have access to all your data; they’re restricted to the website, like cookies.
Yes, there’s a migration from cookies to Flash SO - simply because many times it’s much easier to manage and less prone to injection by malicious JS code.
But most importantly, all in all, they work pretty much the same as cookies and this kind of subjective analysis isn’t doing anyone any favor. I see what you’re trying to do - trolls will be trolls when there’s something to be gained by clicks both from people who agree and from enraged apologists (and you have ads in this very website to feed). But in the future, if you’re in any way interested in doing an analysis on a piece of technology, leaving your bias outside would be great.
And why the hell are you referring to a company that ceased to exist years ago? Inform much?
@Method:
I see what you’re saying. While it is a bit of an ‘alarmist’ mentality, it is a form of privacy risk that is largely unknown to your average computer user.
In addition to that, the menu is hardly accessible. There are some seperate privacy screens available when you load most flash privacy applications, but viewing and clearing all LSO’s are only available from the Settings Manager.
Another reason to not compare this to firefox or other browser is that, most people don’t know to clear their flash cookies. They may think they’re going unidentified between websites because they’ve cleared their browser cookies, while Flash Player is waving around their previous browsing identity with a flag.
@ignorance_hater:
You’re right, they work pretty much the same as cookies. No arguments there, except for that they can contain much more data than your average cookie.
But it’s still a huge concern that while the privacy-protecting world is preaching ‘delete your cookies! delete your cookies!’ Adobe has made no effort to make their privacy options accessible, or even well known. That is a risk, and that does deserve an ‘alarmist’ mentality, if only to draw attention to the issue.
How about setting the size of the cookie to 0? This is equivalent to disabling the Flash Player cookies, or more exactly the shared local objects, like they are called by Adobe.
cleartext is the future
I just let Ben Edelman know about this. He tracks privacy policies and practices.
http://www.benedelman.org/
—–
Hi Ben,
I just spotted something You might want to pursue. Adobe Flash keeps cookies Your browser can’t delete… You can only control them through an applet on macromedia’s site served by adobe.
http://www.imasuper.com/66/technology/flash-cookies-the-silent-privacy-killer/
Excerpt:
What if there was a type of cookie that could:
* Stay on your computer for an unlimited amount of time
* Store 100 kb of data by default, with an unlimited max
* Couldn’t be deleted by your browser
* Send previous visit information and history, by default, without your permission
…
The Adobe Flash Player maintains proprietary cookies called Local Shared Objects or LSO’s. LSO’s are capable of storing 100 kb’s of information for an indefinite amount of time by default. When you clear your browser history in Internet Explorer, Firefox or Opera on Windows, Linux, or OS X LSO’s are not cleared from Adobe’s local repository.
In fact, all the information in those cookies will remain indefinitely until they’re removed by the issuing website, or by you via a cumbersome and ridiculous process.
—–
Maybe You can get them to include settings to throttle these in the player itself. Right now You have to go to this site to control them:
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html
I appreciate the work You’re doing Ben. Thank You.
Best Regards
Dave Manchester
http://dredeyedick.wordpress.com
http://thewall.civiblog.org/rsf/nsa.html
http://thewall.civiblog.org/rsf/handbook.html
Mac users - need the Settings Manager at the click of a mouse? Open http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html in Safari and create a webclipping dashboard widget.
I found this a few months ago and was contemplating a write-up on it. Glad to see it here! While I won’t jump up and down in an alarmist panic, this is pretty serious.
These Flash cookies:
-can store more
-can do more
-have no NATIVE clearing function
-have been previously unknown to the general public (even most of the “geek” public)
Anyone can be taught how to delete browser cookies in whichever browser they use. Only a few of us would be comfortable manually deleting Flash cookies and fewer still would go through the effort.
The downside to setting it to always deny or setting the max to 0 is the hassle of configuring special exceptions for websites that need them. While this is true for browser cookies as well, at least there are a number of GUI utilities to choose from that do a fine job of making it easier. Jim’s script is a start, but it has neither a GUI and nor any selectivity. personally, I’m OK with that until we create a full utility so we can properly manage this gaping security hole. I think the best method is Tony’s idea of adding a ‘Flash Privacy Settings’ tab in the browser settings when Flash is installed. I doubt that will come from Adobe until/unless there is sufficient outcry for it.
And this invades your privacy how? A web site can store local data on your machine and access it next time, so what? Other sites cannot read this information, since the Flash Player’s “sandbox” won’t allow it. So at best a site can just track your movements during your visits to itself.
There’s countless other ways to do this that don’t involve cookies, flash, or JavaScript. A simple unique ID in the URL can be added and passed between pages on the site to track movement, and on the server they can store much more than a mere 100k worth of data tied to that ID.
BTW, you can access the “Settings Manager” by right clicking on any Flash object, choosing “Settings”, going to the “Privacy” tab, and clicking “Advanced…”. This takes you to Adobe’s site where the Settings Manager resides.
Not as hidden as it seems…
What is the problem here? Flash maintains some local information that the flash application loads in. You can only access the Local Shared Object if you are accessing the same domain, and have the correct ID. No information is sent to the server flash is a client side process. Any flash developer worth his salt would never save personal information in a Shared Object. This just sounds like alot of scare mongering by someone who doesn’t understand what this actually is.
A sampling of the 215+ Shared Object Files (SOL) I found on my system: http://www.youtube.com, http://www.xxx-motorsports.com, http://www.weather.com, http://www.time.com, newyork.mets.mlb.com, my.nbc.com, msnbcmedia.msn.com, mlb.mlb.com, dhd.discovery.com, detroit.tigers.mlb.com, dcc.godaddy.com, images.amazon.com, skype.com, http://www.fleetwoodrv.com, http://www.ferrariworld.com, http://www.flickr.com, http://www.reuters.com, http://www.nytimes.com, http://www.motorola.com, http://www.kawasaki.com, boston.redsox.mlb.com…
While I think awareness of these Shared Object Files (SOL) is important, I don’t believe they are as nefarious as one would think (YMMV ;-)) If you want to get a handle on .SOL files (Shared Object Files), check out http://solve.sourceforge.net/
Not only does it hand out free information to these companies, but it also slows down web surfing. These types of cookies have never been removed from my computer since I bought it (maybe two years ago). After I removed them, sites that used to take a few seconds to finish loading now load in under a second.
My advise: get rid of them unless you acutally use them.
so use real cookies:
http://scriptactionthree.blogspot.com/2008/09/using-real-http-cookies-in-flash-as3.html
This should work for Linux users: rm -rf ~/.macromedia
If you use online banking in the USA, chances are very good that your bank is using a Flash cookie as part of their multi-factor authentication requirement. It’s encrypted and is used to identify the computer to the bank after you first register. If you delete it, you’ll have to jump through other hoops to get to your account.
JJ
I’m a game developer. Flash’s shared objects are a documented and known feature. Quite often they are used to enhance the quality of the user’s experience by caching data locally. Flash implements a number of security sandboxes and has rules on how these objects are accessed. With Flash 9 and above these rules assist in keeping the usage of SO and other advanced Flash features kosher. Granted, malicious programmers could use these for bad stuff the same way a programmer can use http cookies.
I applaud your effort to inform users about potential risks, but I think a more balanced approach based on facts of how these shared objects are used would have been more useful.The core point here is that users are not fully aware of what software is running on their machines. They may be explicitly trusting applications/plugins that may represent some level of risk.
Flash is a powerful plugin that gives you many desirable features. Like any plugin, it also exposes some new risks. As an industry lets work together to understand the risks, educate each other, and find solutions that allow us to offer rich media experiences that are safe. Let’s not damn a useful technology due to potential risks. Instead let’s work together to define what is acceptable behavior and banish applications/plugins/sites that don’t play by the rules.
I found out about these cookies a while ago, when I wondered how Pandora.com manages to track users without using browser cookies. Thanks for reminding me of how to control them–but, of course, if I turn off Flash cookies, Pandora will stop working. It is pretty obvious where users rank in Adobe’s scheme of things.
This is extremely serious. In many countries it is illegal to visit pornographic web sites, even those which are not blocked by the government censors. So an innocent persion goes to http://www. a creepy pornographic website .com and criminal evidence remains forever on his hard disk.
How does this affect the promised Privacy Mode of IE and Firefox?
If anyone is planning a more detailed writeup I’d love to know more about these files.
What kind of information can be stored in these Shared Objects?
what are they good for?
How is the stored information retrieved?
How does the GUI work?
Is there a or privacy risk on shared or public computers?
What’s the worst they could do?
Maybe if these files were implemented in a more transparent way, and we all knew more about them they’d seem less threatening?
If you are worried about a third-party file on your system like these: CCleaner removes these by default with a lot of other crap, where it used to get its name from. http://www.ccleaner.com/
(No, I have no connection to them, other than liking their program and attitude.)
From what I can see using gnash of swfdec doesn’t store the cookies… (Linux). Despite the fact that Adobe is now available for Linux, I prefer to use gnash because it allows you to save videos and other content directly to your hard drive… excellent for YouTube. However, Gnash doesn’t do a good job at displaying content from a lot of sites… But privacy + saved videos? I’m for it! Not using Adobe’s flash player, contrary to above comments, does not interfere with my online banking at all.
Thanks for uncovering this very-well-kept secret!
These “cookies” get stored in individual folders for each website, and Adobe’s settings manager still leaves all the folders intact even while destroying their contents, and like tyes said, it doesn’t touch the sys folder. Lately I’ve had to periodically delete contents of both folders by hand because sound in flash programs gets garbled, and the only thing that seems to be helping is deleting these “cookies”.
With Firefox you can use the “BetterPrivacy” Add-on. Beside deactivating DOMstorage and “click-pinging” (don’t know, what it is), you can look at the *.sol files and delete them with the Add-on. The Add-on has a function for automatic deletion of the *.sol files, but that doesn’t work for me with Firefox 3.
Oh come on - this information is available since ages (I think it must be 4 or 5 years at least), no one is trying to hide anything or make this a secret.
Local Shared Object:
http://en.wikipedia.org/wiki/Local_Shared_Object
http://livedocs.adobe.com/flash/9.0/ActionScriptLangRefV3/flash/net/SharedObject.html
How to manage and disable Local Shared Objects:
http://kb.adobe.com/selfservice/viewContent.do?externalId=52697ee8&sliceId=1
Easy way to clear all flash cookies in Windows for either IE or Firefox. Put the following text into a batch file in your startup folder.
RMDIR “%APPDATA%\Macromedia” /S /Q
Wow. I’ve known about the settings option to clear flash cookies and have been doing so every now and then over the last couple of years. But just went to check the files left behind and was amazed at the amount of junk and number of sites listed. Glad I’ve got all these properly cleaned up before my next US border crossing
This article is somewhat funny. While it did indeed mention the prevention of the cookies and so on into your system, it forgot to mention that there’s a nifty utility called disk cleaner. Among the astonishing number of plug-in si thas this little program did not fail at all to delete everything my flash player had put into HardDrive\user-name\aplication ddata\macromedia\ and the like. It clears everything, including these flash player files. Just use google and find disk cleaner. Have been using it for many years now, I consider this to be my best friend. THe best thing? this is open source!
A load of old wank if you ask me. These Shared Object have been around for years, and have never been a secret. I use them all the time, and they are very well documented by Adobe. To delete them, right-click any flash movie, go to settings, and set you local storage to 0kb. Simple as that. Also these shared objects have no way of being read by any site other that the one which created them.
I’m not sure what makes you think they “Send previous visit information and history, by default, without your permission”.
I do agree that a browser should clear Flash cookies as part of its “clear History” process. didn’t FF 2 used to do this? FF3 doesn’t, but I remember FF2 had an option to “Clear files stored by add ons” (add ons meaning flash player)…
How can people be accusing Adobe of ‘trying to hide this secret’? I guess clearly documenting something == hiding?
Also, how the heck is it Adobe’s fault that your browser doesn’t clear these? Are you expecting Flash hack IE7 or Safari so the clear cookies button also clears the folder that shares local objects?
Shared Objects are stored in known locations and the browsers have nothing stoping them from clearing these locations.