Oct 09 2008
 

Related article December 13th, 2010 – Facebook: The real privacy killer
Update March 1st, 2010 – Chrome adds links to clear ‘adobe cookies’


There are hundreds of applications out there from spyware cleaners to built-in browser features that eliminate cookies on the spot, and even let you set cookie policies on your computer regarding what can be stored in your machine, and for how long.

I’m assuming that if you’re here reading this post, you already know all of the dangers of cookies on your computer. In all honesty, I don’t seriously believe that they’re the most dangerous form of movement or web tracking, but they can definitely be used to monitor more movements than a person should feel comfortable with.

What if there was a type of cookie that could:

  • Stay on your computer for an unlimited amount of time
  • Store 100 kb of data by default, with an unlimited max
  • Not be deleted by your browser
  • Send previous visit information and history, by default, without your permission

Okay… That’s a pretty scary cookie. As it is right now, the cookies we’re so deathly afraid of can store a maximum of 4 kb of information, are managed by your browser, and have reasonable defaults and restrictions.

This type of cookie exists on 98% of global computers, across all operating systems. It’s the Adobe Flash Player.

The Adobe Flash Player maintains proprietary cookies called Local Shared Objects, or LSOs. LSOs are capable of storing 100 kb of information for an indefinite amount of time by default. When you clear your browser history in Internet Explorer, Firefox or Opera on Windows, Linux, or OS X, LSOs are not cleared from Adobe’s local repository.

In fact, all the information in those cookies will remain indefinitely until they’re removed by the issuing website, or by you via a cumbersome and ridiculous process.

Unfortunately, I haven’t even explained the worst of it.

There’s no easy way to tell what sites are using flash cookies to track your movements. There’s no list, and there doesn’t have to be a flash GUI or visible application for flash cookies to be present. In fact, most websites using flash for user tracking don’t create GUI’s, toolbars, or applications that you can actually see in your browser while browsing the site.

Many times a tiny flash module, 2 kb in size or less, is loaded into your browser on every page visit in the same way a gif, jpg or other image is. The whole purpose of this tiny, invisible flash module might be to simply record the page request, and your username or other session variables.

Alright, so now you’re sufficiently convinced that this is creepy stuff. Let’s talk about how to get rid of it.

Lame as it might be, the Flash Player has no ability to delete cookies. And as I’ve already said, your browser can’t help you out. It doesn’t even know these cookies exist! Most of the privacy settings for Adobe Flash have to be accessed via a flash application on Adobe’s website called the Adobe Flash Player Settings Manager.

If you want to access the Settings Manager, you can do so here. In fact, open it up now and let’s take a look.

If you’ve clicked the link above, then you’re looking at the Flash Player Settings Manager, and a list of all the sites currently storing information in Flash cookies on your computer.

Looking at my list, I see over 100 websites that have been accessing the same cookie for the last year (the last time I formatted my computer). Some of them are storing only 1 kb of information, some are storing the full 100 kb. On my own computer, I see that my bank is storing flash information despite the fact that there isn’t a single flash application visible when I log in to check my balance. I see YouTube, CNN, Microsoft, Rotten Tomatoes and a ton more!

To delete all the Flash Cookies currently being stored on your machine:

  1. Go to the Settings Manager (Website Storage Settings)
  2. Go to the far-right tab
  3. Click “Delete all sites”

To prevent websites from storing any more information on your computer:

  1. Go to Settings Manager
  2. Click the Second Tab from the left (Global Storage Settings)
  3. Set the Storage Settings slider to None
  4. Uncheck “Allow Third Party Flash Content to store data on your computer”

There are several other “privacy” settings on the other tabs, but don’t be persuaded. Most of those privacy settings have to do with whether or not websites can access your microphone and webcam. There isn’t a single cookie option on any of the privacy tabs on the Settings Manager.

Adobe, as a global leader in browser technology (a 98% computer market share), has a responsibility to make Privacy Options easily accessible from within the Player application itself. They also have a responsibility to set reasonable default limitations. It’s ridiculous that they would enable websites to store cookies indefinitely, and in such large sizes.

Is Adobe intentionally allowing websites to abuse privacy? You tell me. Comments Welcome.

edit: changed Macromedia to Adobe. Sorry, I’m from the ol’ days.


  • KD

    Well – I regularly go into my Mac’s Safari ‘Preferences’ panel and clear out the hundreds of cookies only to go back in 30 secs later (when I haven’t visited any websites) to find a hundred cookies still on the computer . . . so much for that control!
    Why put the option of ‘delete all cookies’ in a pop-up window when it doesn’t delete them at all???!!!

  • liam

    All you need to do is clear the flash history and cookies…go to control panel…type java into the search box…click java….under temporary internet files click settings…then delete all files…..

    These are not cleared by the browser…

    After you do this some java-enabled apps may download new info when you run them…

    • Anonymous

      Not java, Control Panel > Flash >
      There are settings for local storage and for web-camera if you have one.
      These are not persistent though as you have to go in often to clear them or use third party software to manage them.

  • http://e Nenita Tsui

    Hello, you used to write excellent, but the last several posts have been kinda boring… I miss your great writings. Past few posts are just a little out of track! Come on! “The smaller the understanding of the situation, the more pretentious the form of expression.” by John Romano.

    • I’m a Super .com

      I’ll see what I can do. Thanks for the comments. :)

  • swifty

    thanks bunches!
    a buddy in tech biz just directed me to this page.
    i’ve been keeping an eye out for info of this nature since the news items on FB and Google’s data mining surfaced a few weeks back.
    Keep Up the Good Work!

  • billy

    good advice

  • yoursurprise-bellatio-4

    Hello! I’m at work surfing around your blog from my new iphone 4! Just wanted to say I love reading through your blog and look forward to all your posts! Keep up the superb work!

  • Mike

    What a bunch of crybabies and fearmongers. What is really the most that can be done through the Flash LSO? Are you afraid that your wives will somehow find your saved preferences from all of the porn video sites you’re visiting?

  • any mous

    I always thought Adobe was far more vulnerable to attacks than even MicroSoft. Maybe it was their buggy software…

    Now it turns out that Adobe was not only vulnerable, they are in the middle of creating this monster.

    It is obvious they don’t give a damn about anyone’s privacy, and likely never did.

    What a bunch of turds.

    • kene

      Microsoft does not have a capital S in the middle.

    • smarty

      kene is absolutely right here!
      apparently they should be spelled with a capital $

  • http://www.PolicyPak.com Jeremy Moskowitz

    IT Pros have the ability to solve the Supercookies problem on their business PCs. Quick how-to video from PolicyPak: tinyurl.com/3dxu32a

  • GS

    Wow,
    Thanks for the info. I downloaded Mac Lion and kept seeing cookies come back instantly as soon as I started surfing, even though I would set all the security settings to high and always block cookies.

  • dan

    I’ve always known how to delete cookies, I came here looking for a way to not fing delete them, I play flash games a lot and I keep losing my fing progress, that’s really lame, I want to have control of my damn cookies as I had before 10.3 fuck it

  • Anonymous

    In Linux, just add “rm -rf ~/.macromedia/Flash_Player ~/.adobe/Flash_Player” to ~/.bashrc or your Crontab. That way, all Flash cookies and settings are erased frequently. If you just want to erase the cookies, and not Flash settings, you need a more detailed “rm” call. For historical reasons, some Flash things are stored in ~/.macromedia whereas other things are stored in ~/.adobe.

    In Mac OS X and Windows, add appropriate “rm -rf” and “del /y/s” calls to the appropriate places.
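
The post notes there is no easy list of which sites store Flash cookies, and the last comment mentions that erasing only the cookies (not the Flash settings) needs a more detailed call than `rm -rf`. The script below is an added example, not code from the post or its commenters: it lists stored data per site and removes only the `.sol` objects. It assumes the commonly documented Linux layout `<root>/#SharedObjects/<random-id>/<domain>/…/*.sol`, with player settings kept separately under `<root>/macromedia.com/`; the function names and the `FLASH_ROOT` variable are hypothetical.

```shell
#!/bin/sh
# Added example: audit and purge Flash Local Shared Objects on Linux
# while leaving the player's own settings in place.
# Assumed layout: $FLASH_ROOT/#SharedObjects/<random-id>/<domain>/.../*.sol
# FLASH_ROOT (hypothetical variable) defaults to the path from the comment above.
FLASH_ROOT="${FLASH_ROOT:-$HOME/.macromedia/Flash_Player}"

# Print "domain<TAB>total bytes" for every site that has stored an LSO.
lso_list() {
    so_dir="$FLASH_ROOT/#SharedObjects"
    [ -d "$so_dir" ] || return 0
    find "$so_dir" -type f -name '*.sol' | while IFS= read -r f; do
        rel=${f#"$so_dir"/}   # <random-id>/<domain>/...
        rel=${rel#*/}         # <domain>/...
        printf '%s\t%s\n' "${rel%%/*}" "$(wc -c < "$f")"
    done | awk -F '\t' '
        { sum[$1] += $2 }
        END { for (d in sum) printf "%s\t%d\n", d, sum[d] }' | sort
}

# Delete only the stored objects, then the emptied per-site directories,
# since the directory names alone still reveal which sites were visited.
# Nothing outside #SharedObjects is touched, so settings survive.
lso_purge() {
    so_dir="$FLASH_ROOT/#SharedObjects"
    [ -d "$so_dir" ] || return 0
    find "$so_dir" -type f -name '*.sol' -exec rm -f -- {} +
    find "$so_dir" -mindepth 1 -type d -empty -delete
}
```

Run `lso_list` before `lso_purge` to see what is about to be removed; calling `lso_purge` from cron gives the periodic cleanup the comment describes without resetting the storage settings.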