Hi folks,
The security situation with Flash Cookies is even worse: Flash Cookies are found to be able to circumvent Private Browsing and the so-called Pr0n button in many a browser. This is the reality: http://aviv.raffon.net/2009/08/17/NotSo ... erAll.aspx
See a POC here: http://www.bestflashanimationsite.com/s ... object.swf
Isn't it time for Adobe to sit around the table with browser makers and discuss this issue, because until then what is the use of Private Browsing?
A good general proggie to do this on a Windows box is: http://files.geoapps.com/files/KillFlas ... ashCookies
luntrus
Flash Cookies
Re: Flash Cookies
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1) Gecko/20090806 Namoroka/3.6a1
Re: Flash Cookies
What's more, it is a "global" cookie.
So it persists between browsers & browser families.
Once it is set, it appears in SeaMonkey. And in FF too. And also in IE (including its Private Browsing)!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090717 SeaMonkey/2.0b1
Re: Flash Cookies
Results of a session testing Silverlight plugin in Fx, wrt cookie storage and management.
It compares more favourably than Flash cookie management, but is essentially the same process. In particular, the super-cookie (which MS calls "Isolated Storage") may have the same persistence potential as the Flash kind. In my tests I couldn't distinguish between what may have been zombie cookies and new ones. I have no clue about scripting, but there appears to be a lot of flexibility wrt JS interacting with Silverlight.
I installed Silverlight and used the settings manager http://www.microsoft.com/silverlight/re ... orage.aspx
to opt out of any cookies by unchecking the "enable application storage". Very straightforward interface, far better than Flash.
Then visited itv.com - which is a messy mix of Flash and Silverlight, but it's the only site with content that I had a chance of understanding what cookies may be used for.
http://www.itv.com/ITVPlayer/Video/defa ... lter=46648
Played fine without anything extra getting written to
%USERPROFILE%\LocalSettings\ApplicationData\Microsoft\Silverlight
Then I enabled storage and tried another session.
http://www.itv.com/ITVPlayer/Video/defa ... lter=46195
Played fine and nothing extra written in the Silverlight directory.
I have no clue, probably cookies are all looked after with JS here; there is an extra directory of "sam.itv.com" cookies as well as the "itv.com" directory - and there's a file "mssl.lok" in the Silverlight directory that gets accessed at each use of Silverlight plugin.
The potential for the same kind of extra-browser tracking is clearly there.
So the directory's probably best cleaned out whenever the Flash directory is cleaned.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
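The before-and-after directory check described in the Silverlight post above can be automated. The following is an added example, not part of the original thread: it snapshots a plugin storage directory, then reports which files a browsing session added, changed or removed. The function names and the directory contents built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root (relative path) to (size, SHA-256 of content)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                # Locked or vanished mid-scan (plugin still running): note it exists.
                state[rel] = (None, None)
                continue
            state[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def diff(before, after):
    """Compare two snapshots; return sorted added, changed and removed paths."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(p for p in common if before[p] != after[p]),
        "removed": sorted(set(before) - set(after)),
    }

def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed stand-in for a plugin storage directory (not real plugin data)."""
    with tempfile.TemporaryDirectory() as root:
        write(os.path.join(root, "mssl.lok"), b"")
        write(os.path.join(root, "itv.com", "settings"), b"id=1")
        before = snapshot(root)
        # Simulate what a viewing session might write to storage.
        write(os.path.join(root, "sam.itv.com", "store"), b"uid=constructed")
        write(os.path.join(root, "itv.com", "settings"), b"id=2")
        return diff(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Content hashing only shows writes: a file that is merely opened on each plugin use, without its contents changing, will not appear in the diff.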