Re: Flash Cookies

Posted: Tue Aug 18, 2009 9:43 pm
by luntrus
Hi folks,

The security situation with Flash cookies is even worse: Flash cookies have been found to be able to circumvent Private Browsing and the so-called Pr0n button in many a browser. This is the reality: http://aviv.raffon.net/2009/08/17/NotSo ... erAll.aspx
See a POC here: http://www.bestflashanimationsite.com/s ... object.swf
Isn't it time for Adobe to sit around the table with the browser makers and discuss this issue? Because until then, what is the use of Private Browsing?
A good general proggie to do this on a Windows box is: http://files.geoapps.com/files/KillFlas ... ashCookies

luntrus

Re: Flash Cookies

Posted: Tue Aug 18, 2009 10:59 pm
by therube
What's more, it is a "global" cookie.
So it persists between browsers and browser families.

Once it is set, it appears in SeaMonkey. And in FF too. And also in IE (including its Private Browsing)!
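
The "global" cookie the posts above describe is a Local Shared Object: a `.sol` file that Flash Player keeps in its own `#SharedObjects` directory, outside any browser's cookie jar, which is why every browser on the machine sees it. The following is an added example, not code from the thread or from Adobe: a small Python parser for the AMF0-encoded `.sol` format, plus a directory scanner that reports what each stored object contains. The sample LSO (name `tracker`, domain `example.test`, the `ABCD1234` random directory and its contents) is constructed here for illustration; the AMF3-encoded variant is detected and reported but not decoded.

```python
"""Inspect Flash Local Shared Object (.sol) files.  Added example; sample data is constructed."""
import os
import struct
import tempfile

SOL_MAGIC = b"\x00\xbf"                 # every .sol starts with these two bytes
SOL_TAG = b"TCSO"                       # followed by the "TCSO" tag and six fixed bytes
SOL_PAD = b"\x00\x04\x00\x00\x00\x00"


class SolError(ValueError):
    """Raised for files that are not well-formed AMF0 .sol objects."""


def _read_amf0(buf, pos):
    """Decode one AMF0 value starting at buf[pos]; return (value, position after it)."""
    marker = buf[pos]
    pos += 1
    if marker == 0x00:                  # number: big-endian IEEE-754 double
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == 0x01:                  # boolean: one byte
        return buf[pos] != 0, pos + 1
    if marker == 0x02:                  # short string: uint16 length + UTF-8 bytes
        n = struct.unpack_from(">H", buf, pos)[0]
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if marker in (0x05, 0x06):          # null / undefined carry no payload
        return None, pos
    if marker in (0x03, 0x08):          # object / ECMA array: key-value pairs until "" + 0x09
        if marker == 0x08:
            pos += 4                    # ECMA array prefixes a uint32 count hint; not needed
        obj = {}
        while True:
            n = struct.unpack_from(">H", buf, pos)[0]
            key = buf[pos + 2:pos + 2 + n].decode("utf-8")
            pos += 2 + n
            if n == 0:
                if buf[pos] != 0x09:
                    raise SolError("object terminator missing at offset %d" % pos)
                return obj, pos + 1
            obj[key], pos = _read_amf0(buf, pos)
    raise SolError("unsupported AMF0 marker 0x%02x at offset %d" % (marker, pos - 1))


def parse_sol(data):
    """Return (shared object name, {entry: value}) for an AMF0 .sol file."""
    if data[:2] != SOL_MAGIC or data[6:10] != SOL_TAG or data[10:16] != SOL_PAD:
        raise SolError("not a .sol file")
    if struct.unpack_from(">I", data, 2)[0] != len(data) - 6:   # length covers bytes after offset 6
        raise SolError("length field does not match file size")
    n = struct.unpack_from(">H", data, 16)[0]
    name = data[18:18 + n].decode("utf-8")
    pos = 18 + n
    version = struct.unpack_from(">I", data, pos)[0]            # 0 = AMF0, 3 = AMF3
    pos += 4
    if version != 0:
        raise SolError("AMF3-encoded .sol (version %d) not decoded by this example" % version)
    values = {}
    while pos < len(data):
        n = struct.unpack_from(">H", data, pos)[0]
        key = data[pos + 2:pos + 2 + n].decode("utf-8")
        values[key], pos = _read_amf0(data, pos + 2 + n)
        if data[pos:pos + 1] != b"\x00":                          # each entry ends with a pad byte
            raise SolError("missing entry terminator at offset %d" % pos)
        pos += 1
    return name, values


def _amf0_str(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _encode_amf0(val):
    """Inverse of _read_amf0 for the types above; used only to construct the sample."""
    if val is None:
        return b"\x05"
    if isinstance(val, bool):
        return b"\x01" + (b"\x01" if val else b"\x00")
    if isinstance(val, (int, float)):
        return b"\x00" + struct.pack(">d", float(val))
    if isinstance(val, str):
        return b"\x02" + _amf0_str(val)
    if isinstance(val, dict):
        return b"\x03" + b"".join(_amf0_str(k) + _encode_amf0(v) for k, v in val.items()) + b"\x00\x00\x09"
    raise TypeError(type(val))


def build_sol(name, entries):
    """Encode a shared object as an AMF0 .sol file (constructed test data, not captured from a site)."""
    body = SOL_TAG + SOL_PAD + _amf0_str(name) + struct.pack(">I", 0)
    for key, val in entries.items():
        body += _amf0_str(key) + _encode_amf0(val) + b"\x00"
    return SOL_MAGIC + struct.pack(">I", len(body)) + body


# Constructed sample: the kind of identifier a site could persist across browsers.
SAMPLE_SOL = build_sol("tracker", {
    "uid": "f1a9c3-constructed",
    "visits": 3,
    "optout": False,
    "last": {"site": "example.test", "ts": 1250628000},
})


def scan_sol_tree(root):
    """Walk a #SharedObjects-style tree; map each .sol's relative path to its parsed contents."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".sol"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                try:
                    found[os.path.relpath(full, root)] = parse_sol(fh.read())
                except SolError as exc:
                    found[os.path.relpath(full, root)] = ("<unparsed>", {"error": str(exc)})
    return found


def demo():
    """Lay the sample out as #SharedObjects/<random>/<domain>/tracker.sol in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        site_dir = os.path.join(root, "ABCD1234", "example.test")   # assumed layout
        os.makedirs(site_dir)
        with open(os.path.join(site_dir, "tracker.sol"), "wb") as fh:
            fh.write(SAMPLE_SOL)
        return scan_sol_tree(root)


if __name__ == "__main__":
    for path, (name, values) in demo().items():
        print(path, "->", name, values)
```

Point `scan_sol_tree` at the real directory (on Windows XP-era systems `%APPDATA%\Macromedia\Flash Player\#SharedObjects`) to see which domains have stored objects and what they hold; the `sys` subtree next to it holds per-domain settings rather than site data. Files that fail to parse are listed rather than skipped, since a site storing an AMF3 object is exactly the thing a cleanup run should not silently miss.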

Re: Flash Cookies

Posted: Wed Aug 19, 2009 8:31 am
by Grumpy Old Lady
Results of a session testing the Silverlight plugin in Fx, with regard to cookie storage and management.
It compares favourably with Flash cookie management, but is essentially the same process. In particular, the super-cookie (which MS calls "Isolated Storage") may have the same persistence potential as the Flash kind. In my tests I couldn't distinguish between what may have been zombie cookies and new ones. I have no clue about scripting, but there appears to be a lot of flexibility with regard to JS interacting with Silverlight.

I installed Silverlight and used the settings manager http://www.microsoft.com/silverlight/re ... orage.aspx
to opt out of any cookies by unchecking "enable application storage". A very straightforward interface, far better than Flash's.
Then I visited itv.com, which is a messy mix of Flash and Silverlight, but it's the only site whose content gave me a chance of understanding what cookies may be used for.
http://www.itv.com/ITVPlayer/Video/defa ... lter=46648
Played fine without anything extra getting written to
%USERPROFILE%\LocalSettings\ApplicationData\Microsoft\Silverlight

Then I enabled storage and tried another session.
http://www.itv.com/ITVPlayer/Video/defa ... lter=46195
Played fine, and nothing extra was written in the Silverlight directory.

I have no clue; probably cookies are all looked after with JS here. There is an extra directory of "sam.itv.com" cookies as well as the "itv.com" directory, and there's a file "mssl.lok" in the Silverlight directory that gets accessed at each use of the Silverlight plugin.
The potential for the same kind of extra-browser tracking is clearly there.
So the directory's probably best cleaned out whenever the Flash directory is cleaned.