ExpressVPN

Supercookies, Flash cookies, Zombie cookies and things that go bump in the night

‘We are seeing this arms race between consumers who want to declare their privacy preferences and companies that have strong motivations to track users [for advertising and analytics].’ Ashkan Soltani, co-author of the UC Berkeley report Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning

After years of awareness-raising campaigns by privacy activists, which culminated this year in the European Union passing a ‘cookie law’ banning any EU company, or any company targeting EU citizens, from placing ‘non-essential’ cookies on users’ computers without their consent, most internet users now know about cookies.

Unfortunately, most of what people know about cookies concerns HTTP (or ‘normal’) cookies: small text files left in your browser’s cookie folder which, in addition to doing many useful things such as remembering your passwords and favourite website preferences, can be used to identify you and track your movements across the World Wide Web.

Understandably concerned about the privacy issues involved, the internet-using public has fought back and taken increasingly effective measures to block, delete or control cookies, assisted by the fact that most modern browsers now include cookie management and blocking features.

Perhaps unsurprisingly, marketing and analytics companies have looked for ways to circumvent these measures, and to continue uniquely identifying and tracking internet users. A primary means of doing this has been through the use of supercookies.

What is a supercookie?

‘Supercookie’ is a catch-all term for bits of code left on your computer that perform a similar function to cookies, but which are much harder to find and get rid of than regular cookies. The most common type of supercookie is the Flash cookie (also known as an LSO or Local Shared Object), although HTTP ETags and Web Storage also fall under the moniker. In 2009 a survey showed that more than half of all websites used Flash cookies.

The reason you may never have heard of supercookies, and the reason they are so hard to find and get rid of, is that their deployment is deliberately sneaky and designed to evade detection and deletion. This means that most people who think they have cleared their computers of tracking objects have most likely not.

The EU ‘cookie law’ does encompass supercookies within its generic description, but the law is very vaguely worded about what constitutes a ‘bad’ cookie and has been poorly enforced anyway (not to mention that most sites demand you accept their use of cookies if you wish to continue using them). Its effectiveness at curbing supercookie use (or even regular HTTP cookie use, other than by raising people’s awareness of the issue) has therefore been minimal at best.

Apple’s stand against Flash’s various insecurities, however, has helped contribute to Flash Player’s growing obsolescence, with HTML5 increasingly fulfilling the functions once more commonly performed by Flash. Combined with support for LSO deletion by the major browsers, this has led to a decline in the use of Flash cookies, although they remain a substantial menace to internet users worried about tracking.

Flash Cookies and Zombie Cookies

The most common kind of supercookie is the Flash cookie, which uses Adobe’s multimedia Flash plugin to hide cookies on your computer that cannot be accessed or controlled using your browser’s privacy controls (at least traditionally; most major browsers now include deletion of Flash cookies as part of their cookie management).

Because these cookies are stored outside the browser, you cannot protect yourself by using a different browser (for example one for your banking website and another for riskier web surfing), as the Flash cookies will be available to all browsers (i.e. a cookie acquired when using Chrome will also be available to websites when using Firefox). In addition, Flash cookies can hold up to 100KB of data rather than just the 4KB held by HTTP cookies.

One of the most notorious (and freaky!) kinds of Flash cookie is the ‘zombie cookie’: a piece of Flash code that will regenerate normal HTTP cookies whenever they are deleted from a browser’s cookie folder.

How to deal with Flash cookies

Change your Flash preferences

This is always worth doing, although some LSOs seem adept at evading the preferences settings.

1. To remove existing site cookies go to the Adobe Website Storage Settings Panel, where you will see a list of the Flash cookies on your computer. If you recognise any of the websites in the list and visit them regularly then you may want to keep their cookies, as they can provide useful functionality, but you can delete the others.


2. To prevent new sites from writing cookies, go to the Adobe Global Storage Settings Panel (or just click on the Global Storage Settings tab in the Settings Manager), drag the slider to ‘None’, and click ‘Never Ask Again’. Note that doing this may create problems with websites that rely on Flash functionality.


Manually delete Flash cookies

This is also a good way to check that other methods have worked properly.

  • In Windows open an Explorer window and type ‘%appdata%’ into the search bar. Double-click Macromedia -> Flash Player -> macromedia.com -> support -> flashplayer -> sys (we told you they were hidden away!). Any folders you see (each of which should contain a .sol file, which is the actual cookie) can be deleted.
  • In OSX go to Users -> username -> Library -> Preferences -> Macromedia -> Flash Player and look for any .sol files in the folders.
  • In Linux go to home -> username -> .macromedia -> Flash_Player -> macromedia.com -> support -> flashplayer -> sys, or run the command ‘find ~/.macromedia/ -type f -name settings.sol -exec rm -v {} \;’.

Use CCleaner to automatically delete Flash cookies

CCleaner, now available for Windows and OSX, is a great tool for clearing the rubbish out of your system, but by default it does not clear out Flash cookies. This however can be changed in Windows 7 and Vista by:

1. Open CCleaner, then navigate to Options -> Include -> Add:

C:\ -> Users -> User name -> AppData -> Roaming -> Macromedia -> Flash Player -> #SharedObjects and

C:\ -> Users -> User name -> AppData -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support -> flashplayer -> sys


2. Then go to ‘Exclude’ and ‘Add’: C:\ -> Users -> User name -> AppData -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support -> flashplayer -> sys -> settings.sol

Windows XP users should:

1. Include: C:\ -> Documents and Settings -> User name -> Application Data -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support -> flashplayer -> sys and C:\ -> Documents and Settings -> User name -> Application Data -> Roaming -> Macromedia -> Flash Player -> #SharedObjects

2. Exclude: C:\ -> Documents and Settings -> User name -> Application Data -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support -> flashplayer -> sys -> settings.sol

While OSX users should:

1. Include: Users -> username -> Library -> Preferences -> Macromedia -> Flash Player

2. Exclude: Users -> username -> Library -> Preferences -> Macromedia -> Flash Player -> settings.sol

(Please note that we have not had the opportunity to test this out in OSX, but it should work).
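As an added example (not part of the original article, and not CCleaner’s own logic), the following POSIX shell script does for Linux and OSX what the CCleaner include/exclude rules above do for Windows, and covers the manual-deletion section too: it finds every .sol file under the Flash storage folder but leaves the global settings.sol alone, so the preferences changed earlier survive. The Flash paths are the ones given in the article; the sample directory tree the demo builds is constructed.

```shell
#!/bin/sh
# Added example: find and delete Flash LSOs (.sol files) on Linux/OSX while
# keeping the global settings.sol, mirroring the CCleaner include/exclude rules.

# Flash storage root for this platform (paths as given in the article).
flash_root() {
  case "$(uname -s)" in
    Darwin) printf '%s\n' "$HOME/Library/Preferences/Macromedia/Flash Player" ;;
    *)      printf '%s\n' "$HOME/.macromedia/Flash_Player" ;;
  esac
}

# List every .sol file under $1 except the global flashplayer/sys/settings.sol.
# Per-site files (including sys/#domain/settings.sol) are still listed.
list_lsos() {
  find "$1" -type f -name '*.sol' ! -path '*/flashplayer/sys/settings.sol' 2>/dev/null
}

# Number of LSOs that would be deleted (used for a before/after check).
count_lsos() {
  list_lsos "$1" | wc -l | tr -d ' '
}

# Delete everything list_lsos reports, printing each removed path.
purge_lsos() {
  list_lsos "$1" | while IFS= read -r f; do
    rm -f "$f" && printf 'removed: %s\n' "$f"
  done
}

# Constructed sample tree (not a real Flash install) so the script can be tried
# safely: one #SharedObjects cookie, one per-site settings.sol, one global one.
make_sample() {
  mkdir -p "$1/#SharedObjects/ABCD1234/example.com" \
           "$1/macromedia.com/support/flashplayer/sys/#example.com"
  : > "$1/#SharedObjects/ABCD1234/example.com/uid.sol"
  : > "$1/macromedia.com/support/flashplayer/sys/#example.com/settings.sol"
  : > "$1/macromedia.com/support/flashplayer/sys/settings.sol"
}

# Demo on the constructed tree; use "$(flash_root)" instead of "$demo" for real.
demo=$(mktemp -d)
make_sample "$demo"
echo "before: $(count_lsos "$demo") LSO(s)"
purge_lsos "$demo"
echo "after:  $(count_lsos "$demo") LSO(s), global settings.sol kept"
rm -rf "$demo"
```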

Use a dedicated Flash cookie cleaner utility

Examples include GrekSoft Flash Cookie Remover (Windows) and FlushFlash (Windows and OSX).

(Screenshot: FlushFlash for Mac)

Use Google Chrome or Internet Explorer to delete Flash Cookies

Modern versions of Chrome, Internet Explorer (IE8+) and Firefox work with Flash Player 10.3+ to delete Flash cookies automatically using the browsers’ built-in Clear History functions. While we applaud this move, which uses the NPAPI ClearSiteData API, it is not perfectly implemented, and we found LSOs on our system after using it.

Block Flash cookies in Android

Apple led the charge when it came to making a stand against Flash, and iOS users do not have to worry about LSOs, although they do miss out on the functionality provided by Flash. Android 4.1 also dropped support for Flash, although older devices may still have it installed, and those who value the fact that much of the web still relies on Flash can still manually sideload the .apk. If you do have Flash installed then you will be able to find an icon for ‘Flash Player settings’ in the app drawer. To turn off Flash cookies, go to ‘Local Storage’ and select ‘Never’.


Use browser plugins

A number of browser plugins exist that can block or manage Flash cookies, the best examples of which are BetterPrivacy, Ghostery and Disconnect. Unfortunately, using these plugins increases the uniqueness of your browser and therefore makes you more vulnerable to fingerprinting, so we do not recommend them.

Conclusion

Flash cookies are insidious things, but growing general awareness of cookies, the decreasing use of Flash, and support from the major browsers for the NPAPI ClearSiteData API mean that their threat has diminished somewhat. Unfortunately, this also means that in the ongoing arms race waged against the internet-using public by unscrupulous marketing and analytics firms, new techniques are being developed and deployed to identify individuals and track them across the web (and otherwise perform functions similar to those of traditional cookies).

The most alarming and prevalent of these is browser fingerprinting, which we discuss in detail here, but other forms of supercookie (HTTP ETags and Web Storage) and ‘history stealing’ (also very scary) are also deployed; we discuss these in another article, More things that go bump in the night.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.


9 responses to “Supercookies, Flash cookies, Zombie cookies and things that go bump in the night”

  1. Apple have been harassing me through some actors and the WWW Foundation Joseph Levit on some Matrix virtual reality shit that has caused me to have a nervous breakdown, neighbours were contacted to participate, shouting from their home what I’m doing on my computer, it’s wrecked 4 years of my life, this is my f* private computer Tim Cook has no business installing spyware on my OSX nor his staff, IBM have a new neuro sensor system where the browser reads your mind, unless this is a satellite doing this that makes no sense. All I know is that the extreme cyberharassment which the NSA could do has wrecked my life I have nothing left, they have wrecked everything in my life

    1. Hi Zoe,

      What you are describing is not rational, and I’m sorry to say it, but you are expressing symptoms of deep paranoia. If you haven’t done it for a while, I suggest you go to bed and get some sleep. If this is an ongoing situation, then please (and I mean this sincerely) seek professional help. Peace.

  2. Quick question:
    “2. Then go to ‘Exclude’ and ‘Add’: C:\ -> Users -> User name -> AppData -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support -> flashplayer -> sys -> settings.sol” Can you please tell me why we should exclude this? I thought we’re supposed to delete this? Thank you

    1. Hi Jacob,

      We want to exclude settings.sol because we do not want CCleaner to delete the Flash preferences we just changed in the section above.

      1. Thank you for your quick reply! I’d like to tell you some details about my problem hoping you may have some solutions. I’m playing on bet365 from a country that the site does not store any cookies (or at least Ghostery or Adblock does not detect any) yet each time I am using another account (limitations come quick) I get busted. I have used Firefox with ‘random agent spoofer’, disabled WebRTC, changed my MAC address each time, the IP as well, cookies, and now I also added those Flash directories to my CCleaner. Is there anything left that I could try or be aware of? Thank you once again.

        1. Hi Jacob,

          I assume that you are using a VPN to hide your IP address? Of course, bet365 could then just ban all VPN users (much like Netflix tries to). It is possible that bet365 is using fingerprinting techniques to identify you, in which case the more you modify your browser the more unique your fingerprint will be (random agent spoofer can potentially be useful in this regard, but its effectiveness is debatable).

  3. Hi Douglas, great article!

    I was wondering if you could clarify something for me. When you say “a piece of Flash code that will regenerate normal HTTP cookies whenever they are deleted from a browser’ cookie folder”, what do you mean exactly? That an ID is included in the Flash cookie, and the site can now learn which user it is and give him back some of the old cookies? Or do the Flash cookies literally store all the cookie data within them and just re-create them from that?

    That might be worded poorly, so let me try and give you an example of what I mean.

    YouTube used to store a cookie called recently_watched_video_id_list locally. It had the IDs of recently watched videos for signed-out users (it created that list in the history section). They track that info on servers now, but back then I believe it was just in the cookie for signed-out users.

    Was it possible that this cookie was being re-created due to zombie cookies? I feel like the answer would be no if that cookie was stored locally. Not to mention people would probably notice if they cleared history and cookies etc and come back the next day to see them back. Just curious what you think about this scenario.

    Thanks and keep up the great work!

    1. Hi Annie,

      In most cases the Flash script will simply recreate a basic cookie. This will just have a simple ID number that can be externally tracked (so the Flash script will not recreate all data stored on a deleted cookie). But could it? Probably.

  4. I know. Of course the end will be destruction and panic and mistrust. I have horror stories, videos and documentation. Being bought and sold like a cheap piece of goods is shameful to say the least. At this point trust NO one. Sincerely… Victor Franklin.
