Introducing the Invulnerable Evercookie 332
An anonymous reader writes "Using eight different techniques and locations, a 'security' guy has developed a cookie that is very, very hard to delete. If just one copy of the cookie remains, the other locations are rebuilt. My favorite storage location is in 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' — awesome."
Not hard to beat at first glance. (Score:4, Informative)
evercookie is written in JavaScript and additionally uses a SWF (Flash) object for the Local Shared Objects and PHP for the server-side generation of cached PNGs.
[...]
If a user gets cookied on one browser and switches to another browser as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers.
Well, the site's EXAMPLE failed on my box. That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.
YMMV
Re:Not hard to beat at first glance. (Score:5, Insightful)
That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown. YMMV
I take your point, but most people use neither of these things and will be at the mercy of persistent tracking. Of course anyone who doesn't know what a cookie is probably won't be affected by this in any way (i.e. they're already being tracked through regular cookies). Especially since "Private Browsing" modes have been shown to retain information.
Re:Not hard to beat at first glance. (Score:5, Insightful)
who doesn't know what a cookie is probably won't be affected by this in any way (i.e. they're already being tracked through regular cookies).
There's all kinds of databases on people available. Search and you shall find.
All data circulates easily and is simply very hard to stop. It is indeed like speech, it just happens, anyone can do it. Copyrighted data, personal data, credit data, secret data, whatever. Bottom line, gathering and selling various gray-black-market data is illegal immoral etc, and very doable and very interesting for companies and organizations of all types. Not unlike downloading movies is for many - illegal but easy and interesting data. It's the interests that are different.
Re: (Score:2)
"...most people use neither of these things..."Then woah unto them. If you're not clued in by now to simple web security measures I recommend you do so. I use ff exclusively because of NoScrypt and BP. Doing anything different is simply stupid. Sorry Chrome.
Re:Not hard to beat at first glance. (Score:5, Insightful)
Thhe purpose of "Private Browsing" isn't to protect your privacy from websites while you surf, it's to protect your privacy from your SO when she comes home and sees your web history.
Re: (Score:3)
Re:Not hard to beat at first glance. (Score:4, Informative)
running browser in Sandboxie would also do the trick
Re:Not hard to beat at first glance. (Score:4, Informative)
Thanks for the reminder. Last time I looked into sandboxie, it did not support 64 bit operating systems, which is does now. Using it is a lot easier on the CPU and more convenient than creating a VM with a Web browser in it and rolling it back when done for that session.
With Unity mode on VMWare Workstation or the equivalent on Windows 7 and XP Mode, keeping a Web browser in a sandbox isn't that much work, especially if one is having to use a backlevel version of IE for some websites that force IE6, and even does JS/VBScript checks to check for a changed UserAgent field.
Re: (Score:3, Informative)
Actually it doesn't perfectly support 64 bit [sandboxie.com], but it will run and probably do a good enough job. You might also want to try Shadow Defender [shadowdefender.com]. It has fully supported 64 bit for a long time. It is paid software, but I think there are some free versions floating around if you have a parrot on your shoulder.
Re: (Score:2, Informative)
Use PrefBar [mozdev.org].
Cost: One horizontal toolbar's worth of vertical space.
Benefit: User-configurable single-click access to toggle checkboxes that control not only Javashit, Flash, and Java, bu
Re: (Score:3, Informative)
Failed for me too.
The text displayed, an error was generated, then "The page cannot be displayed"
Internet Explorer cannot open the Internet site http://samy.pl/evercookie/ [samy.pl]. Operation aborted
Re: (Score:3, Informative)
... soon to be followed by the evercookiemonster by same "security" guy, right?
http://farm1.static.flickr.com/119/299000164_4d7398dbf6.jpg?v=0 [flickr.com]
Re: (Score:2)
Well, the site's EXAMPLE failed on my box. That's NoScript at work. If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.
So NoScript blocks this? It also says on the page that clearing the LSO will no matter so I don't think that BetterPrivacy will help with this.
Re: (Score:3)
I also run NoScript + BetterPrivacy. Also CsFire, though it's difficult to leave that enabled, since so many sites (like PayPal) won't work with it enabled.
If all that ever fails, I'll just start running PortableFirefox and restoring all the files from a read-only master image on every browser startup.
Re: (Score:3, Informative)
evercookie is written in JavaScript and additionally uses a SWF (Flash) object for the Local Shared Objects and PHP for the server-side generation of cached PNGs. [...] If a user gets cookied on one browser and switches to another browser as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers. Well, the site's EXAMPLE failed on my box. That's NoScript at work.
Same here. But what if this script were used by a website for which you need or want to enable scripting?
If you use BetterPrivacy (another FF extension), it removes the LSO at browser shutdown.
Which helps, but doesn't solve the problem, since the cookie is also stored in a cached PNG's RGB values and in your browser history, and in a bunch of HTML5 related storage options that your browser may or may not support and betterprivacy may or may not have been updated to take care of.
Re: (Score:3, Informative)
Firefox 4 Beta 6 with AdBlock+ and changing %homepath%\Application Data\Macromedia from folder to a system file stops this. You do have to set Firefox to clear all browsing data upon exit. Tested also flushing the browser data while browser being open and it works as well. The site can't keep 'evercookies' on my machine. However changing Macromedia folder from folder to file will break a few websites that use heavily flash.
Re: (Score:3, Informative)
Not having NoScript, but FlashBlock, some interesting observations - that indicate a bug in FF even.
The cookie stored in the history data is not updated. I haven't poked through my history but guess I have several stored there now, and evercookie only reads the first it finds. Hence that's the oldest one always. A bug in the storage algorithm.
More seriously, it seems there is data leaking from Private Browsing to normal browsing mode, while Private Browsing shouldn't leave any traces of the session. When
Need a BetterPrivacy for HTML5 storage (Score:3, Interesting)
Marketing scumbags are already exploiting the lack of privacy controls on HTML5 storage (window.localStorage for one) in the wild, and once scripts are running no plugin will take care of that. As browsers continue to be swiss cheese where privacy is concerned, a BetterPrivacy-like plugin to clear these storage locations will be needed.
Seriously, AFAIK NO browser even handles Flash cookies AT ALL by default, and those have been a problem for years. When are Microsoft/Apple/Google/Mozilla/Opera going to fix
"That's the great thing about evercookie" (Score:4, Insightful)
That's the great thing about evercookie
I disagree. Strongly.
I guess it's good that this is out in the open so we know about it, and hopefully the major browsers can all do something to help prevent it. But still: don't like, don't like at all.
Re:"That's the great thing about evercookie" (Score:5, Interesting)
You can't blame someone for a "method" when it is openly explaining how it is doing what it is doing, using the existing software. Yes, he is pushing it as a "feature", when it is in fact due to a flaw in the overall design of all browsers. It is much better for the information to be released like this than to find out a year after it is fully integrated into every piece of malware.
Hacking at its finest.
Re:"That's the great thing about evercookie" (Score:5, Informative)
it's not his research either. this has already been observed in the wild and already reported by ars technica.
http://arstechnica.com/tech-policy/news/2010/08/ad-firm-sued-for-allegedly-re-creating-deleted-cookies.ars
the advertisement company got already sued for it.
Re: (Score:2)
Re: (Score:3, Informative)
No kidding. It was bad enough in the days when there were all sorts of cookies throwing illegal characters (wildcards, normally path-related characters, etc) in the filename to prevent deletion. Particularly when the "cookie" itself didn't actually have data, they just tried to stick every bit of info into the fucking filename.
And of course there have been all the programs that hide "registration" data - or even, sometimes, "never work again" flags - somewhere deep in randomly-named registry keys as pure nu
Re:"That's the great thing about evercookie" (Score:5, Insightful)
There's no possible justification for this project.
"To show everyone what the black hats and spammers are going to be doing", sounds good enough to me.
Re: (Score:2)
It was bad enough in the days when there were all sorts of cookies throwing illegal characters (wildcards, normally path-related characters, etc) in the filename to prevent deletion. Particularly when the "cookie" itself didn't actually have data, they just tried to stick every bit of info into the fucking filename.
That would be a bug in Internet Explorer which moronically uses the system filesystem to index cookies instead of storing them in a more sane data structure. If it didn’t sanitize the names properly before creating files, well, that’s just icing on the cake when it comes to stupidity...
Remember? (Score:4, Interesting)
Remember a time back in the mid-to-earlylate 90's when cookies had a super negative connotation to them? I find it interesting how integral they've become to experiencing the Internet in a timely fashion...
Re: (Score:2)
I sincerly doubt that evercookie has any use which isn't tracking.
Why else would you need a cookie which is hard to delete? You think saving your login information so that it is rebuilt when you press logout is a good idea?
Re: (Score:2)
it's purpose is to inform us of the issues so they can be fixed ASAP (rather then ignored while people 'roll there own' and get away with it for longer).
Re: (Score:2)
Remember a time back in the mid-to-earlylate 90's when cookies had a super negative connotation to them? I find it interesting how integral they've become to experiencing the Internet in a timely fashion...
How integral is it? I'm half suspicious and half curious. What can cookies do from a user perspective (Not interested in the ever so delightful 'targeted ads') that can't be accomplished by simply allowing your browser to manage your passwords and not the site? Granted it's how the site knows to keep y
Re:Remember? (Score:5, Informative)
Well, html is unable to save session information. So you need cookies for that. There is no other reliable and non-user-unfriendly alternative.
When you 'log in', you are given a cookie, which the page reads and uses to identify you. That's one of the more common 'useful' uses for cookies.
Cookies can also store small amounts of data in them (ever been to a website which tells you "Pick Language" and then lets you "[ ] Always remember this choice"? That's also a cookie.
And last but not least, they're good at identifying you so that other adverts (on other sites) note the cookie and are able to link your presence on Site A to the one on Site B then data-mine
Re: (Score:2)
Well, html is unable to save session information. So you need cookies for that. There is no other reliable and non-user-unfriendly alternative.
Yes, there is. It's called hidden form values, and it's actually more reliable than cookies, because you can't trivially block them.
Re: (Score:2)
Do those work if you leave the site and return agian?
If I go to slashdot and post a bit. Close the tab and go there again will the hidden form values persist? The way my (quick research) understood them is similar to appending stuff to the URL, except that it doesn't show.
Re: (Score:2)
Do those work if you leave the site and return agian?
Nope. But then, neither do cookies, necessarily; a user might have them disabled. Lots of sites force you to log in on every visit and browsers remember passwords these days so it's a totally valid model.
Re: (Score:2)
It's what I use on my other-other site's tools.
I have some pages devoted to small animal breeding and I use hidden CGI fields to maintain state data between pages. I also sign the data and check the signature before accepting it. Works fine for me.
-nB
Re: (Score:2)
For a site like Slashdot that's running a database back end, all the session info could be stored directly on the database, so the only thing you need on the client side is the identification cookie.
You're kind of correct about the hidden form variables, though the thing that will determine whether data shows in the URL or not is whether the form submits via GET or a POST.
Re: (Score:2)
Also how would hidden form values persist when clicking on links? I imagine you'd have to set up each page as one big form... It doesn't sound ideal.
Re: (Score:2)
It's not, but we have a name for it: ASP.NET
Seriously, everything is a form and everything gets posted back to the server. It even has checks to make sure the user didn't fiddle with the form data before re-posting it. It can do a basic sanity check, or it can do a more secure check if you like, if you're doing secure type stuff.
The problem with form fields is it's trivial for the user to edit it. A little knowledge is all that's required. So you store the user's name somewhere, the user changes the val
Re: (Score:2)
Hidden form values would basically be passed along to each page for the duration of your session at the site. As soon as you close that tab, that state is lost and you'd have to login again.
Cookies get a bad rap but they're pretty useful for most sites. It's just the tracking cookies used to log your browsing history that have given them a bad reputation. But you can thwart those easily by using a custom hosts file, such as the one located on this page [mvps.org].
Re: (Score:2)
Re: (Score:2)
Except for that they don't get transmitted from page to page unless you're doing form submissions. Kind of a big deal, I'd say...
If you're using a CMS then it's trivial to make all links into form submissions one way or another, you don't even need javascript. Not a big deal, I'd say...
Re: (Score:2)
Unless something has changed recently in HTML, hidden values on forms are a much inferior method for storing state than cookies. Typically when a cookie is being used to store state (as opposed to to tracking info or something) is only stores a session ID. That session ID is the index to all of your stored values on the server. Let's say you have a multipage form, on the first page you enter your name, address and phone number, n the second your credit card information. The information from the first pa
Re:Remember? (Score:4, Insightful)
Hidden form values have the annoying tendency of breaking the back button. That, in my mind, is a far greater sin than cookies.
Re: (Score:2)
And last but not least, they're good at identifying you so that other adverts (on other sites) note the cookie and are able to link your presence on Site A to the one on Site B then data-mine
Seems the ad companies are the ones most interested in gathering and storing all data possible, to predict what to advertise and sell. Marketing can use all kinds of information on a user, their purchasing habits, address, income level, tv programs, car model, times of access, times of tv viewing, programs viewed, favorite colors, religion, beliefs, voting habits, favorite joks, everything can be converted to a sale and profit with the proper marketing. Of course all this data on the whole population can
Re: (Score:2)
Well, html is unable to save session information. So you need cookies for that. There is no other reliable and non-user-unfriendly alternative.
I wouldn't consider putting a session ID in the URL to be "user-unfriendly". Maybe a little ugly, but how does it actually impact users?
Re: (Score:2)
What happens when I change one of those pretty numbers?
Re: (Score:2)
why do any of them need to persist and be public to other sites?
so I'm ignorant on this subject.
Erm they arent public to other sites?
HTTP has no 'state' information. Two hits from one user could very easily be two separate hits from two separate users.
There is no way to know without cookies. You dont exactly want the guy next to you getting logged in to your Twitter account.
Persistent cookies (that stay when you close your browser) are needed for stuff like 'Keep me logged in'.
Again, no other possible way to do it without cookies.
Re: (Score:2)
Good.
I have no need for that. If I want to stay logged in why would I close the browser?
Good.
Re: (Score:2)
It's pretty much impossible to use the modern web without cookies.
Heck, it's pretty difficult to use it without Javascript. Try disabling Javascript and see how far you get. Many sites simply don't work without JS turned on.
Cookies in and of themselves are not necessarily evil. You really need them to do shopping baskets, for instance. The problem is that they can be used for evil.
Re: (Score:2)
>Remember a time back in the mid-to-earlylate 90's when cookies had a super negative connotation to them?
I remember a couple BS lawsuits from guys who thought they could get rich quick.
I guess there's an argument to tracking cookies, but if you are at war with the ad networks you might as well pull the nuclear option and install adblock and be done with it.
Nowadays, the bigger threat is that these ad networks get hacked frequently and start spreading malware. Its incredible how badly advertising on the n
And now... (Score:5, Insightful)
Whenever someone goes through all the trouble of adding additional ways of tracking people - someone goes through all the trouble of finding ways of removing it.
There's no such thing as Invulnerable - See also: DRM and Copy-Protection
Re: (Score:3, Insightful)
No, but the people who do the tracking dont care about you.
They want everyone else who doesnt try to evade tracking, which is a lot more people.
Re: (Score:2)
So why would they need an "Invulnerable" cookie to do that?
If you're raising the bar to block people who purposely take down your ad cookies - you're expecting the same subset to attempt to take down your super-cookie.
Re: (Score:2)
Some people don't care as much as the average Slashdotter about tracking but will still clear their cache and cookies once in a while. It would be better (from the advertiser/tracker's point of view) if they didn't do that as it makes you (a bit) harder to follow.
Re: (Score:2)
In which case why do you they so many ways of stopping simple evasion methods from working?
Personal browsing habits for sale (Score:2)
The PNG thing isn't that unexpected (Score:2)
Now the history brute forcing is creative, and rather creepy as well. Browsers should close that hole.
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
That's something different.
Developers take note (Score:5, Insightful)
If you have to go to great lengths to work around customers doing things like deleting cookies then you are doing something wrong or evil.
Re: (Score:3, Insightful)
...or you're doing something that users expect to "just work". My grandmother had a perfectly fine time using GMail, until my uncle heard that cookies should be deleted for privacy. I got a phone call after that where I had to figure out why "email isn't working".
I can see valid uses for this, and I can see malicious uses. I suppose it's good that something's out there making us developers think about these techniques.
Re: (Score:2, Insightful)
That's not a problem with cookies being easy to delete, that's a problem with the user not understanding what they're deleting. In the same way that making it imposible to delete word documents is a bad idea, making it imposible to delete cookies serves no beneficial purpose to the user.
Re: (Score:2)
Re: (Score:2)
The feature where it remembers your sign-on information. Grandma is used to just going to the site and there's her email--now it's asking for a username and a password, and Lord, she doesn't know what it wants!
Re: (Score:2)
If you have to go to great lengths to work around customers doing things like deleting cookies then you are doing something wrong or evil.
Yes. And therefore someone will pay you more for it. The choice is up to each one. But let's not be naive, lots of people are doing it, for a long time now, and getting away with it just fine.
Re: (Score:2)
Or how about in violation of computer security laws? Any website that uses this technique is clearly trying to use the client's computer in an unauthorized fashion. Otherwise they'd just use a simple cookie.
nietzsche quote applies: (Score:2)
"when you look into the abyss, the abyss also looks into you"
cookies by steganography?
game over
i suppose you can browse without flash, javascript, cookies, AND images disabled. but that's not exactly a rockin' web experience
Re: (Score:2)
that's not exactly a rockin' web experience
I use w3m you insensitive clod!
Re: (Score:3, Interesting)
Why would you need to? Cached images don't get uploaded during normal page rendering. You need some sort of client-side scripting to look at the cached image. So disabling flash and javascript would be enough to turn this into a normal cookie, and disabling cookies as well would defeat it completely.
My browser was setup that way already, but that's just the way I roll...
Re:nietzsche quote applies: (Score:5, Interesting)
Rather than disabling and trying to defeat all these tracking mechanisms I think it would be easier to flood them with false information. Someone should set up a cookie sharing site and FF extension that trades (safe, non-identifying) cookies amongst all the users of that extension. Why yes, I did visit mylittlepony.com directly between visits to journalofparticlephysics.edu and horsesluts9.com, why do you ask?
Not Really (Score:4, Insightful)
Advertisers and site operators might complain that this behavior costs them revenue, but they should have thought about that before going all Big Brother on us. If you're going to try to trick me into clicking an ad on your site, I don't want anything to do with your site anyway. And I do occasionally click through ads on Slashdot and Google.
Re: (Score:3, Insightful)
It will not drive more users to noscript and flashblock because then websites will not 'just work' anymore and it will be a pain to them to whitelist every script they don't know what they do for every websites one by one...
Browser on a VM then? (Score:5, Interesting)
This leaves me no option but running my browsing session in an undoable-mode VM, where after a reboot, all comes back to the previous state. Will this be the only way to maintain my privacy going forward?
Re:Browser on a VM then? (Score:5, Insightful)
No. You could also stop using the Internet.
Re: (Score:2)
HA HA HA woooooo, good one. You sound like one of those abstinence-only fundies. Seriously, though, using virtual machines is the only option. Build your image and zip/rar/whatever it. Then you script it so the IE icon launches the VM, with your browser of choice set to autorun, and when the app exits it unzips the image over the VM you just used. Do this post-use so startup time is only marginally slow.
You'd have to have a web-based attack that could break th
Re: (Score:2)
This leaves me no option but running my browsing session in an undoable-mode VM, where after a reboot, all comes back to the previous state. Will this be the only way to maintain my privacy going forward?
It would help, but ideally you would be able to run each browser tab in a different virtual machine partition.
Privacy for 99% of people doesn't exist (Score:3, Interesting)
- Hard question - if actual privacy is only for a few, who largely use it as cover to secretly abuse the rights of the other 99%, are we defending privacy rights just for them? Put simply, transparency in government and management, accountability, public participation, are not very compatible with secrecy.
RGB values of auto-generated... (Score:2)
I call the patent on this!!!
Re: (Score:2)
You might want to check for prior art [samy.pl].
force-cached PNG's (Score:2, Informative)
So basically if you clear your cache, as well as your cookies/LSO's all should be well. At least at the end of the browser session.
Another YAYdiots to the Mozilla Developers, for scrapping one of the best features in FF: Clearing the History window on exit. So sad you need an extra extension now what, as this story demonstrates again, should be an integral and visible part of any browser.
Re: (Score:2)
Are you talking about the Firefox 4.0 beta? Because in the latest version of 3.6, you can still set it to clear the history on exit in the normal settings.
Re: (Score:2)
> Because in the latest version of 3.6, you can still set it to clear the history on exit in the normal settings.
I am talking about having a visible "Clear History" window pop up on exit. One that has your pre-set choices from the browser preferences already checked, with the option of overriding the defaults.
Yes you still can delete the history automatically, but there is no indication that this actually is taking place.
It's less about what's being done or not...it's about *knowing*...in a very clear an
Re: (Score:2)
Re: (Score:2)
> Firefox's built-in Private Browsing already does this.
No, it doesn't. It's, although they overlap, a separate issue altogether.
Private browsing will not save pretty much anything while browsing (and subsequently leave no traces on exit). Certainly not a bad thing but somewhat unnecessary since:
Clearing the history on exit removes everything you check(ed). This gives you much more flexibility in multiple ways. The private browsing mode you mention may only be turned on during parts of the browsing sessi
Re: (Score:2)
So, the checkbox that lets you clear history without asking isn't good enough for you?
Re: (Score:2)
Which version are you using? Here in 3.6.10 on Windows I've got the option to "Clear History when Firefox closes" with it's own settings dialogue to customise what gets removed. I think you have to select "use custom settings for history" in order for the option to appear.
Re: (Score:2)
> Which version are you using?
3.5.12
> Here in 3.6.10 on Windows I've got the option to "Clear History when Firefox closes"
> with it's own settings dialogue to customise what gets removed.
I am aware of it. But there used to be the additional option of having that same selection as a pop-up window on exit (closing the browser). This was done away with...dunno...with 3.5+, I think. That's what I mean. Install the BetterPrivacy Plugin to see roughly, what it was about.
Re: (Score:2)
> Wow, what a fucking tragedy.
Despite your cynicism, yes it is, when a browser gets worse for no good reason.
Re: (Score:3, Informative)
CSS (Score:2)
How about also adding CSS cookies as part of this cool evercookie thing? I am interested at looking into it. CSS has to have something there, some values to be stored as part of style sheet and then upon loading of the page check for CSS settings to get the values back. hhmmmmmmm.
The data black market (Score:2)
At least Linux users can... (Score:5, Informative)
Wonka (Score:3, Funny)
The Invulnerable Evercookie sounds like something dangerous from Willy Wonka's factory.
Samy is my hero (Score:3)
a 'security' guy
You know this guy is Samy Kamkar, the hacker who also unleashed the first-ever XSS worm [namb.la] on the world that infected a million MySpace profiles in a matter of hours...
Tomorrow I happen to attend a meeting of OWASP [owasp.org] where Samy will speak about the latest XSS exploits, other JavaScript tricks, and other things (like a nice new method of NAT penetration)... I could say the title 'security guy' is earned by him for finding some great hacks and sharing them with the world, and even taking time to talk about it in person to the open source community.
but most of all, Samy is my hero
Doesn't work as advertised (Score:2, Informative)
Cookie? (Score:5, Insightful)
Re:Cookie? (Score:5, Funny)
Vista?
Demo didn't work for me (Score:3, Interesting)
Am I the only one doing the demo on the page and having it fail completely? I just tried it in Firefox and Camino on OS X and neither worked.
Re: (Score:2, Interesting)
Re: (Score:3, Informative)
Programmers don't always equate to good designers. And good designers probably aren't good programmers. (Exceptions exist, but true for the most part).
Otherwise, we wouldn't have terms like "programmer art".
Re: (Score:2)
Problems such as games not being developed natively? Sweet, sign me up! Unless you're going to point me to OSX. I installed Ubuntu on my MBP to get around OSX problems.