Flash Cookies

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Flash Cookies

Post by luntrus »

Hi folks,

The security situation with Flash Cookies is even worse: Flash Cookies are found to be able to circumvent Private Browsing and the so-called Pr0n button in many a browser. This is the reality: http://aviv.raffon.net/2009/08/17/NotSo ... erAll.aspx
See a POC here: http://www.bestflashanimationsite.com/s ... object.swf
Isn't it time for Adobe to sit around the table with browser makers and discuss this issue, because until then what is the use of Private Browsing?
A good general proggie to do this on a Windows box is: http://files.geoapps.com/files/KillFlas ... ashCookies

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1) Gecko/20090806 Namoroka/3.6a1
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Flash Cookies

Post by therube »

What's more is that it is a "global" cookie.
So it persists between browsers & browser families.

Once it is set, it appears in SeaMonkey. And in FF too. And also in IE (including its Private Browsing)!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090717 SeaMonkey/2.0b1
Grumpy Old Lady
Senior Member
Posts: 240
Joined: Fri Jul 03, 2009 7:20 am

Re: Flash Cookies

Post by Grumpy Old Lady »

Results of a session testing Silverlight plugin in Fx, wrt cookie storage and management.
It compares more favourably than Flash cookie management, but is essentially the same process. In particular, the super-cookie (which MS calls "Isolated Storage") may have the same persistence potential as the Flash kind. In my tests I couldn't distinguish between what may have been zombie cookies and new ones. I have no clue about scripting, but there appears to be a lot of flexibility wrt JS interacting with Silverlight.

I installed Silverlight and used the settings manager http://www.microsoft.com/silverlight/re ... orage.aspx
to opt out of any cookies by unchecking the "enable application storage". Very straightforward interface, far better than Flash.
Then visited itv.com - which is a messy mix of Flash and Silverlight, but it's the only site with content that I had a chance of understanding what cookies may be used for.
http://www.itv.com/ITVPlayer/Video/defa ... lter=46648
Played fine without anything extra getting written to
%USERPROFILE%\LocalSettings\ApplicationData\Microsoft\Silverlight

Then I enabled storage and tried another session.
http://www.itv.com/ITVPlayer/Video/defa ... lter=46195
Played fine and nothing extra written to the Silverlight directory.

I have no clue, probably cookies are all looked after with JS here; there is an extra directory of "sam.itv.com" cookies as well as the "itv.com" directory - and there's a file "mssl.lok" in the Silverlight directory that gets accessed at each use of Silverlight plugin.
The potential for the same kind of extra-browser tracking is clearly there.
So the directory's probably best cleaned out whenever the Flash directory is cleaned.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
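
Added example (not part of any post in this thread): a small Python audit of the two plugin stores discussed above, listing Flash `.sol` files per site and dry-running a cleanup of both directories. The default paths and the `<random id>/<site>/` layout under `#SharedObjects` are assumptions about a stock Windows profile; the function names are hypothetical.

```python
import os
from pathlib import Path

# Assumed per-user defaults on Windows. Both sit outside any browser profile,
# which is why every browser (and private mode) sees the same data.
FLASH_ROOT = (Path(os.environ.get("APPDATA", ".")) / "Macromedia"
              / "Flash Player" / "#SharedObjects")
SILVERLIGHT_ROOT = (Path(os.environ.get("USERPROFILE", ".")) / "Local Settings"
                    / "Application Data" / "Microsoft" / "Silverlight")

def flash_lsos_by_site(root):
    """Group .sol files by site. Assumed layout: root/<random id>/<site>/.../*.sol"""
    sites = {}
    root = Path(root)
    if not root.is_dir():
        return sites
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        site = parts[1] if len(parts) >= 3 else "(unknown)"
        entry = sites.setdefault(site, {"files": 0, "bytes": 0})
        entry["files"] += 1
        entry["bytes"] += sol.stat().st_size
    return sites

def purge(root, pattern="*", dry_run=True):
    """Return files under root matching pattern; delete them unless dry_run."""
    root = Path(root)
    removed = []
    if not root.is_dir():
        return removed
    for path in sorted(root.rglob(pattern)):
        if path.is_file():
            removed.append(path)
            if not dry_run:
                path.unlink()
    return removed

if __name__ == "__main__":
    for site, info in sorted(flash_lsos_by_site(FLASH_ROOT).items()):
        print(f"{site}: {info['files']} file(s), {info['bytes']} bytes")
    # Dry run only: review the list before calling purge(..., dry_run=False).
    for root, pattern in ((FLASH_ROOT, "*.sol"), (SILVERLIGHT_ROOT, "*")):
        for path in purge(root, pattern):
            print("would remove", path)
```

Close all browsers before an actual purge so a running plugin does not rewrite the files.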