ExpressVPN

Supercookies, Flash cookies, Zombie cookies and things that go bump in the night

We are seeing this arms race between consumers who want to declare their privacy preferences and companies that that have strong motivations to track users [for advertising and analytics].’ Ashkan Soltani, co-author of UC Berkeley report Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning


After years of awareness raising campaigns by privacy activists, which culminated this year in the European Union passing a ‘cookie law’ banning any EU company or any company targeting EU citizens from placing ‘non-essential’ cookies on users computes without their consent, most internet users are now know about cookies.

Unfortunately, most of what people know about cookies regards HTTP (or ‘normal’) cookies; small text files that are left in your browser’s cookie folder and that, in addition to doing lots of useful things such as remembering your passwords and favourite website preferences, can be used to identify you and track your movements across the World Wide Web.

Understandably concerned about the privacy issues involved, the internet-using public has fought back and taken increasing effective measures to block, delete or control cookies, assisted by the fact most modern browsers have added cookie management and blocking features.

Perhaps unsurprisingly, marketing and analytics companies have looked for ways to circumvent these measures, and to continue uniquely identifying and tracking internet users. A primary means of doing this has been through the use of supercookies.

What is a supercookie?

Supercookies is a catch-all term used to refer to bits code left on your computer that perform a similar function to cookies, but which are much more difficult to find and get rid of than regular cookies. The most common type of supercookie is the Flash cookie (also known as an LSO or Local Shared Object), although HTTP ETags and Web Storage also fall under the moniker. In 2009 a survey showed that more than half of all websites used Flash cookies.

The reason that you may never have heard of supercookies, and reason they are so hard to find and get rid of, is that their deployment is deliberately sneaky and designed to evade detection and deletion. This means that most people who think they have cleared their computers of tracking objects have likely not.

The EU ‘cookie law’ does encompass supercookies within its generic description, but as the law has been very vaguely worded about what constitutes a ‘bad’ cookie, and has been poorly enforced anyway (not to mention that most sites demand you accept their use of cookies if you wish to continue using them), its effectiveness at curbing supercookie use (or even regular HHTP cookie use other than by raising peoples awareness of the issue) has been minimal at best.

Apple’s stand against Flash’s various insecurities however, has helped contribute to  Flash Player’s growing obsolescence, with HTML5 increasingly fulfilling the functions once more commonly performed by Flash. Combined with support for LSA deletion by the major browsers, this has led to a decline in the use of Flash cookies, although they remain a substantial menace to internet users worried about tracking.

Flash Cookies and Zombie Cookies

The most common kind of supercookie is a Flash cookie, which uses Adobe’s multimedia Flash plugin to hide cookies on your computer that cannot be accessed or controlled using your browser’s privacy controls (at least traditionally, most major browsers now include deletion of Flash cookies as part of their cookie management).

Because these cookies are stored outside the browser you cannot protect yourself by using a different browser (for example one for your banking website and another for riskier web surfing), as the Flash cookies will be available to all browsers (i.e. a cookie acquired when using Chrome will also be available to websites when using Firefox). In addition to this, Flash cookies can hold up to 100kb rather than just the 4kb held by HTTP cookies.

One of the most notorious (and freaky!) kinds of Flash cookie is the ‘zombie cookie’, a piece of Flash code that will regenerate normal HTTP cookies whenever they are deleted from a browser’ cookie folder.

How to deal with Flash cookies

Change your Flash preferences

This is always worth doing, although some LSOs seem adept at evading the preferences settings.

1. To remove existing site cookies go to the Adobe Website Storage Settings Panel, where will you see a list of Flash cookies on your computer. If you recognise any of the websites in the list and visit them regularly then you may want to keep their cookies as they can provide useful functionality, but you can delete the others.

flash 1

2. To prevent new sites from writing cookies, go to the Adobe Global Storage Settings Panel (or just click on the Global Storage Settings tab in the Settings Manager), drag the slider to ‘None’, and click ‘Never Ask Again’. Note that doing this may create problems with websites that rely on Flash functionality.

flash 2

Manually delete Flash cookies This is also a good way to check that other methods have worked properly.

  • In Windows open an Explorer window and type ‘%appdata%’ into the search bar. Double-click Macromedia -> Flash Player -> macromedia.com -> support’ -> flashplayer -> sys (we told you they were hidden away!). Any folders you see (which should contain a .sol file, which is the actual cookie) can be deleted.
  • In OSX try going to Users -> username -> Library -> Preferences -> Macromedia -> Flash Player-> and look for any .sol files in the folders
  • In Linux go to home -> username/ .macromedia -> Flash_Player -> macromedia.com -> support -> flashplayer -> sys, or run the command ‘find ~/.macromedia/ -type f -name settings.sol -exec rm -v {} \;

Use CCleaner to automatically delete Flash cookies

CCleaner, now available for Windows and OSX, is a great tool for clearing the rubbish out of your system, but by default it does not clear out Flash cookies. This however can be changed in Windows 7 and Vista by:

1. Opening CCleaner, then navigating to Options -> Include -> Add:

C:\ -> Users -> User name -> AppData -> Roaming > Macromedia > Flash Player -> #SharedObjects and

C:\ ->Users -> User name -> AppData -> Roaming -> Macromedia -> Flash Player > macromedia.com -> support -> flashplayer -> sys

ccleaner 1

2. Then go to ‘Exclude’ and ‘Add’: C:\ -> Users -> User name -> AppData -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support ->  flashplayer -> sys -> settings.sol

Windows XP users should:

1. Include: C\: -> Documents and Settings -> User name -> Application Data -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support ->  flashplayer -> sys and C -> Documents and Settings -> User name -> Application Data -> Roaming -> Macromedia -> Flash Player -> #SharedObjects

2. Exclude: C\: -> Documents and Settings -> User name -> Application Data -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support ->  flashplayer -> sys -> settings.sol

While OSX users should:

1. Include: Users -> username -> Library -> Preferences -> Macromedia -> Flash Player

2. Exclude: Users -> username -> Library -> Preferences -> Macromedia -> Flash Player-> settings.sol

(Please note that we have not had the opportunity to test this out in OSX, but it should work).

Use a dedicated Flash cookie cleaner utility

Examples include GrekSoft Flash Cookie Remover (Windows) and FlushFlash (Windows and OSX).

flushflash
Flush Flash for Mac

Use Google Chrome or Internet Explorer to delete Flash Cookies

Modern versions of Chrome, Internet Explorer (IE8+), and Firefox work with Flash Player 10.3+ to automatically delete Flash cookies, using the browsers’ built-in Clear History functions. While we applaud this move, which uses the NPAPI ClearSiteData API, it is not perfectly implemented and we and we found LSOs on our system after using it.

Block Flash cookies in Android

Apple led the charge when it came to making a stand against Flash, and iOS users do not have to worry about LSOs, although they do miss out on the functionality provided by Flash. Android 4.1 also dropped support for Flash, although older devices may still have it installed, and those who value the fact that much of the web still relies on Flash can still manually sideload the .apk. If you do have Flash installed then you will be able to find an icon for ‘Flash Player settings’ in the app drawer. To turn off Flash cookies, go to ‘Local Storage’ and select ‘Never’.

 android

Use browser plugins

A number of browser plugins exist which can block or manage Flash cookies, the best examples of which are Better Privacy, Ghostery, and Disconnect. Unfortunately using these plugins increases the uniqueness of you browser and therefore makes you more vulnerable to Fingerprinting, so we do not recommend them.

Conclusion

Flash cookies are insidious things, but growing general awareness of cookies, decreasing use of Flash, and support from the major browsers for the NPAPI ClearSiteData API, means that their threat has diminished somewhat. Unfortunately this also means that in the ongoing arms war waged against the internet-using public by unscrupulous marketing and analytics firms, new techniques are being developed and deployed to identify individuals and track them across the web (and otherwise perform functions similar to traditional cookies).

The most alarming and prevalent of these is browser fingerprinting, which we discuss in detail here, but other forms of supercookie (HTTP ETags and Web Storage) and ‘history stealing’ (also very scary)  are also deployed, which we discuss in another article, More things that go bump in the night.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

Related Coverage


One response to “Supercookies, Flash cookies, Zombie cookies and things that go bump in the night

  1. I know. Of course the end will be destruction and panic and
    mistrust. I have horror stories vidios and documentation . Being bought and sold like a cheap piece of goods is shameful to say the least . At this point trust NO one . Sincerely… Victor Franklin.

Leave a Reply

Your email address will not be published. Required fields are marked *