
I've just discovered Evercookie project on Github.

Evercookie is a Javascript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

This is accomplished by storing the cookie data in as many browser storage mechanisms as possible. If cookie data is removed from any of the storage mechanisms, evercookie aggressively re-creates it in each mechanism as long as one is still intact.

If the LSO mechanism is available, Evercookie may even propagate cookies between different browsers on the same client machine!

I tested it online, on this example page. I clicked the "Create evercookie" button, I deleted all browsing data and I refreshed the page. The cookies that were deleted by deleting browsing data returned again there.

Where is the browser security in this thing? Is this secure?

Ionică Bizău
    DO NOT USE THIS! Chrome will block scripts with evercookie in the name, which is your first clue that it's bad news. If you rename it, Chrome sees a global variable named evercookie and sends a request to Google's servers to log your site's URL. If you're using it on a production website, I assume that your domain will be marked as unsafe. – Golphy Aug 29 '16 at 21:21
    (I know it has been 6 years, but still...) The question you asked is whether Evercookie should be used or not, but the accepted answer indicates how to protect against its invasive behavior. I am also interested in finding out others' opinions, so how did you see the accepted post as the response to your question? Put another way, what did you find out: is it OK or not? – Victor Sep 29 '19 at 13:30

3 Answers

If you want to disable Flash based cookies, use Adobe's "Global Storage Settings" panel here:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

Perform all of these steps:

  1. Uncheck "Allow 3rd Party Flash Content to store data on your computer"
  2. Check "Never ask again" (a non-obvious, but important step)
  3. Click the 2nd to last tab: "Website Storage Settings"
  4. Delete all existing data

Chrome bundles its own Flash plugin on Windows and Mac OS X. The settings and disk storage are separate from the plugin packaged directly by Adobe, so you may need to perform the above steps twice if you use Chrome. On the plus side, the separate storage location prevents Flash from being used to synchronize cookies to or from Chrome and other browsers.

I recommend testing with my personal site:

http://noc.to

The "Zombie Cookie" section can show you exactly how cookies are being restored and help you determine if the above steps (or any tools you use) are working.

dimalinux
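An offline model of the "Zombie Cookie" check the answer above refers to, added here as an example and not code from the question, the answers, noc.to or the Evercookie project. It assumes you have captured a snapshot of each storage mechanism as a plain object (the mechanism names, the `uid` key and the identifier value below are constructed for this example); in a browser you would fill such snapshots from document.cookie, localStorage, sessionStorage and so on, take one before clearing, clear, reload, and take another.

```javascript
// Added example, not from the question or any answer: an offline model of the
// "zombie cookie" check. A snapshot maps a storage mechanism name to its
// key/value pairs; in a browser you would fill it from document.cookie,
// localStorage, sessionStorage and so on. All data below is constructed.

// Identifier-like values: long tokens of hex/base64/url-safe characters.
const looksLikeId = (v) => typeof v === "string" && /^[A-Za-z0-9+/=_-]{16,}$/.test(v);

// Map each identifier-like value to the sorted list of mechanisms holding it,
// keeping only values present in two or more: redundant replication across
// unrelated stores is the signature of evercookie-style persistence.
function findReplicatedIds(snapshot) {
  const where = new Map();
  for (const [mechanism, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (!looksLikeId(value)) continue;
      if (!where.has(value)) where.set(value, new Set());
      where.get(value).add(mechanism);
    }
  }
  const result = {};
  for (const [value, mechs] of where) {
    if (mechs.size >= 2) result[value] = [...mechs].sort();
  }
  return result;
}

// Compare the snapshot taken after clearing `cleared` and reloading with the
// one taken before. A value is resurrected if it is back in a cleared
// mechanism; the mechanisms it survived in are the ones that re-seeded it.
function detectResurrection(before, after, cleared) {
  const findings = [];
  for (const value of Object.keys(findReplicatedIds(before))) {
    const mechsAfter = Object.entries(after)
      .filter(([, entries]) => Object.values(entries).includes(value))
      .map(([mechanism]) => mechanism);
    const resurrectedIn = mechsAfter.filter((m) => cleared.includes(m));
    const survivedIn = mechsAfter.filter((m) => !cleared.includes(m));
    if (resurrectedIn.length > 0) findings.push({ value, resurrectedIn, survivedIn });
  }
  return findings;
}

// Constructed sample: one id in three stores; cookies and localStorage are
// cleared, but a Flash LSO survives and re-seeds both on the next page load.
const ID = "9f1c2a7d3e4b5c6d7e8f9a0b1c2d3e4f";
const beforeClear = { cookie: { uid: ID, sid: "abc" }, localStorage: { uid: ID, theme: "dark" }, flashLSO: { uid: ID } };
const afterClear = { cookie: { uid: ID }, localStorage: { uid: ID }, flashLSO: { uid: ID } };
const report = detectResurrection(beforeClear, afterClear, ["cookie", "localStorage"]);
console.log(JSON.stringify(report));
```

The `survivedIn` list is the actionable part of the report: it names the mechanisms your cleanup missed, which is exactly what the Flash storage steps above are meant to close.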

In order to create an Evercookie, all you need is:

  • The ability to run JavaScript (or other active content, like Flash and perhaps Java); and
  • The ability to access the various client-side locations where copies of the cookie data are stored.

Totally disabling access to all storage mechanisms would render most of them useless; for most of them, their whole reason for being is to allow a script to use them. So the only even remotely feasible option is restricting access by domain. I'm not sure what browsers (if any) allow that kind of granularity, though. Most can allow or block JS as a whole from certain domains, but as for what features a given domain's scripts can use...? I'm not seeing that ability in Chrome 26 or IE 10, at least.

cHao

Well, it doesn't seem to work that well.

  • Created the everCookie
  • Closed the window
  • Emptied all elements of the Firefox cache (just by going to Delete Recent History and checking everything except site preferences)
  • Closed the window
  • Came back to the page
  • Finally realized it wasn't stored

What is strange is that I didn't explicitly remove Flash cookies in the Flash Website Storage Settings panel. Maybe it's integrated into Firefox. Or I may have disabled them.

I think there are several other ways to store cookies and trace you. Facebook is already tracking you all over the web, even when disconnected. Google too (do you use Chrome?). Moreover, with IPv4 addresses, we certainly can find you again (why not just after you've emptied your cache!). We also can find you again when you log back in on any site, and link that with your previous sessions.

I suggest:

  • Using Firefox; even if it's slower than Chrome, it's still more respectful of privacy
  • Removing the whole Internet cache on window close (sorry you'll have to log again on your preferred sites)
  • Check third-party cookie options
  • Use browser addons with care
  • Check Flash & Silverlight cookie options
  • Avoid website reputation checking (provided that you can recognize a phishing attempt)
  • Use private browsing mode when you don't want to share your digital lives
KrisWebDev