Welcome, Guest. Please login or register.

ShoutBox!

 

Skhilled

2024-08-09, 18:19:29
Awww! Poor thing! LOL
 

Ken

2024-08-09, 09:20:52
 

Skhilled

2024-07-06, 10:33:18
 :D
 

Ken

2024-07-06, 06:40:47
Happy Saturday after the 4th of July!
 :fireworks:
 

Skhilled

2024-07-04, 20:27:02
Happy Day Off From Work!  :D
 

Ken

2024-06-25, 06:23:12
84... who knew?  laughing7
...2013 was my *magic* year
 

Skhilled

2024-06-14, 22:09:12
I hope so! LOL
 

Ken

2024-06-14, 21:41:30
My B-Day is forthcoming and maybe it will be far enough along so that I can be a regular Dancing Fool for that day!!! :banana: :2funny:
 

Ken

2024-06-14, 21:38:38
Happy Friday everyone! I'm  SOOO glad to see Friday and not just because it's the weekend, but because it marks one more day in the recovery of my foot!  laughing7

Scrubmeister

2024-04-19, 10:32:40
Good to see the site back faster than ever. :)

Recent Topics

TP Articles


Search in titles
Search in article texts

Author Topic: The Undeletable Cookie: Flash Cookies  (Read 2765 times)

0 Members and 1 Guest are viewing this topic.

Offline Skhilled (OP)

  • Administrator
  • *
  • Posts: 9424
  • Gender: Male
  • All of my passwords are protected by amnesia...
  • View Gallery
    • Buildz Hosting
The Undeletable Cookie: Flash Cookies
« on: August 07, 2010, 03:16:21 AM »
Here's an except from an article about Flash cookies:

Quote
Eliminate Flash-spawned 'zombie' cookies
By Woody Leonhard

Way back in a 2008 column, I spotlighted one of the most insidious and least-known features on the Internet: Adobe Flash cookies that were not subject to the usual cookie rules.

Almost two years later, these special Flash cookies are still living in our PCs, and enterprising privacy-busters now use them to create zombie cookies ? regular cookies that come back from the dead.

My Oct. 23, 2008, column, "Flash cookies are putting your privacy at risk," described how data stored by Adobe's Flash Player is beyond your browser's control and how it could store more personal data than you'd suspect.

Flash cookies have now landed their manipulators in troubled waters. Last week, two well-known privacy attorneys, Dallas-based Joseph Malley and California-based David Parisi, filed a lawsuit in U.S. District Court for the Central District of California against Quantcast, a Web page?ranking and audience-statistics firm. (A July 27 Wired Threat Level story on the lawsuit includes a link to a PDF copy of the filed court documents.)

The lawsuit claims class action status and lists additional defendants ? a Who's Who of online players including MySpace, ABC, ESPN, Hulu, JibJab, MTV, NBC Universal, and Scribd.

In the class action complaint, Quantcast "and websites affiliated individually with Quantcast, referred collectively to as, 'Quantcast Flash Cookie Affiliates,'" are accused of "setting [F]lash cookies on their user's computers to use as local storage within the [F]lash media player to back up browser cookies for the purposes of restoring them later."

The complaint goes on to accuse the defendants of setting online tracking devices that let them access and disclose personal information. But while the complaint is complex, the technology that spawned it is surprisingly straightforward.

Flash cookies are the all-pervasive app

In order to understand zombie cookies (yes, that's the technical name), you need to know about Flash's Local Shared Objects, or LSOs ? the formal name for Flash cookies. My 2008 column goes into detail about LSOs, but the upshot is this: Adobe Flash Player LSOs work much like the cookies maintained by our browsers ? they are files that live in our computers and are updated and read by Web pages that we visit.

Since Flash Player runs on more computers than even Windows (!), Flash Cookies are as close to universal as anything on the Internet. Steve Jobs won't let Flash run on iPads and iPhones, but for just about everything else, there's a version of Flash.

Like standard cookies, LSOs usually fly under the radar. But they can store significantly more data than the usual cookie. Regular old browser cookies are limited to 4KB in size; LSOs can go up to 100KB. Regular cookies are completely controlled by your browser ? you can use your browser to turn them on or off, to delete them, to block them. Not so LSOs. They are controlled by Adobe's Flash Player, and it's notoriously difficult to get at them.

While you may not have easy access to Flash LSOs, Web sites do. If you have Adobe Flash installed on your computer, Web pages can set and read Flash cookies ? whether the page you're viewing has a visible Flash animation or not. So while you think you've blocked a site's cookies, it's entirely possible for the site to use an LSO for the same purpose.

And it's all hidden under the covers and difficult to turn off unless you run a Flash Cookie blocker (more about which later) or jump through some major hoops.

Cookies that return from the cookie-crusher

Most PC users know the basics of Web cookies. Most have their computers set up to block cookies, block third-party cookies, or delete all cookies when they end a browsing session. It's all based on your level of paranoia. You may have a spyware scanner that looks for and deletes various types of cookies, particularly from marketing companies such as Doubleclick. Even those of us who allow cookies free rein still delete them from time to time, if only to clear out the cobwebs.

Here's how zombie cookies reappear.

When you visit Web sites, they often plant cookies on your computer, if they can. But some sites will also stick duplicate cookies into the Flash LSO. When you go back to these sites, they check whether you have their standard cookies stored in your browser. If none are found, they then check whether there's any doppelg?nger cookies in the Flash LSO. And if they find any, the sites reconstruct their original cookies and stick them back into your PC. Very clever.

Zombie cookies are scary because they provide online companies with a secret way to keep tabs on people and their Web-surfing proclivities. Unless you check your browser's list of cookies regularly, you may never know that these resurrected tracking cookies are back in business.

Where companies like Quantcast come into play

Data-gathering companies such as Quantcast make money selling information about people who visit web sites. According to Quantcast's own site, "Millions of Web site owners, including two-thirds of the Online Publisher's Association, use Quantcast's measurement service to create demographic, geographic, and affinity-based audience profiles." And the cookies placed on your PC can be used as sophisticated monitoring tools.

Curious about what's gathered? You can take a free ride with the Quantcast demo.

I ran a Quantcast analysis for U.S.-based visitors to our site, windowssecrets.com, in May of this year. The results appear in Figure 1. You should take the results with a grain of salt, of course.



Figure 1. According to Quantcast, 86% of those who visit the Windows Secrets site have no kids under 18; 19% make more than $100,00 per year; and 17% at least walked through part of grad school.

It's in the best interest of these companies to continually gather data about Web-site visitors. Cookies, as already mentioned, are a key part of that process. Zombie cookies undoubtedly contribute to keeping these tracking cookies alive for as long as possible.

Take control of Flash cookies with PC cleaners

Controlling Flash LSOs, and thus eliminating zombie cookies, is a pain in the neck if you use the Adobe method, which involves futzing around with a very unfriendly Web site. I talk about the official method in my October 2008 article.

For Firefox users, an add-in can now help. To control Flash cookies, just download (page) and install the BetterPrivacy add-in for Firefox.

For cleaning Internet Explorer, there are two products ? both free ? you can try: CCleaner, available for download on Piriform's home page, and Flash Cookies Cleaner 1.2, offered as a free download on Softpedia's site.

Certainly, the zombie cookie approach to subverting a user's direct commands ? reinstating a cookie after the user has explicitly deleted it ? constitutes some sort of privacy invasion. Whether it's actionable in court is anybody's guess.

Should be quite interesting.

I already use CCleaner and just installed Better Privacy. After installing it I found a ton of hidden flash cookies from various sites that I've been to and had forgotten all about! Bye-bye cookies!  :wave:

Offline Ken

  • Vietnam Era Veteran
  • Administrator
  • *
  • Posts: 11937
  • Gender: Male
  • View Gallery
Re: The Undeletable Cookie: Flash Cookies
« Reply #1 on: August 07, 2010, 08:38:53 AM »
Cookies have been around for years now, almost from the beginning of the internet. There started to be major security concerns as far back as 2000 because by then advertisers had discovered that they could track our internet use by placing cookies in our browsers and on our PC's.

Thanks for posting this article Steve, it has been a good long while since the last time I checked my cookies.   :innocent:
"Not all who wander are lost."-Tolkien
Yesterday When I was Young.

Offline Skhilled (OP)

  • Administrator
  • *
  • Posts: 9424
  • Gender: Male
  • All of my passwords are protected by amnesia...
  • View Gallery
    • Buildz Hosting
Re: The Undeletable Cookie: Flash Cookies
« Reply #2 on: August 08, 2010, 01:41:02 PM »
I delete my cookies regularly but did not know that the flash ones reacted this way until now.