Thursday, October 14, 2010

Evercookies: evil user tracking

Many web browsers let users delete cookies, which makes tracking user behavior more difficult. But an evil mind realized that using other storage areas, ones not meant for storing cookies, could bypass these control mechanisms.

An evercookie is defined as:
Evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. 
evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.


In his article, Jeremiah Grossman points to an evercookie demo and to Dominic White's attempts to defeat this tracking system. Dominic comments that Firefox should be safe by default (?) but Safari is not, and he created a shell script that deletes the temporary files.

Apparently, Jeremiah found a way to remove these cookies in Google Chrome using only the GUI. It is achieved by disabling the Silverlight and Flash storage settings.
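
The respawning behaviour in the definition quoted above can be spotted by comparing storage snapshots taken before a partial clear and after revisiting the site. The following is an added example, not code from evercookie or from the original post; the store names, keys and values are constructed sample data, and the function names are hypothetical.

```javascript
// Constructed sample data: store name -> { key: value } before any clearing.
const beforeClear = {
  httpCookie:   { uid: "a81f3c", theme: "dark" },
  localStorage: { uid: "a81f3c" },
  flashLSO:     { uid: "a81f3c" },
};
// Snapshot after the user cleared some stores and loaded the site again.
const afterPartialClear = {
  httpCookie:   { uid: "a81f3c", theme: "light" },
  localStorage: { uid: "a81f3c" },
  flashLSO:     { uid: "a81f3c" },
};
// Snapshot after every store was cleared first: the site issues a new id.
const afterFullClear = {
  httpCookie:   { uid: "77b0e2", theme: "light" },
  localStorage: { uid: "77b0e2" },
  flashLSO:     { uid: "77b0e2" },
};

// Map each value held in a store the user did NOT clear to those store names.
function survivors(beforeSnap, cleared) {
  const seen = new Map();
  for (const [store, entries] of Object.entries(beforeSnap)) {
    if (cleared.includes(store)) continue;
    for (const value of Object.values(entries)) {
      if (!seen.has(value)) seen.set(value, []);
      seen.get(value).push(store);
    }
  }
  return seen;
}

// A value counts as respawned when it was deleted with a cleared store, is
// back in that store after the revisit, and survived in an uncleared store.
function findRespawned(beforeSnap, cleared, afterSnap) {
  const alive = survivors(beforeSnap, cleared);
  const hits = [];
  for (const store of cleared) {
    for (const [key, value] of Object.entries(afterSnap[store] || {})) {
      const wasThere = Object.values(beforeSnap[store] || {}).includes(value);
      if (wasThere && alive.has(value)) {
        hits.push({ store, key, value, restoredFrom: alive.get(value) });
      }
    }
  }
  return hits;
}
console.log(findRespawned(beforeClear, ["httpCookie", "localStorage"], afterPartialClear));
```

With the sample data, clearing only the HTTP cookie and localStorage flags `uid` as restored from the Flash store, while clearing all three stores first yields no hits.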
