bit-tech.net

Evercookie will track you down

Kamkar's Evercookie resists deletion - and can even track you between different browsers.

Security researcher Samy Kamkar has released a particularly insidious tool designed to create browser cookies that you simply can't delete - the Evercookie API.

Using a raft of techniques, Kamkar is able to generate a series of cookies that can survive multiple purges and even track a user between browsers.

The Evercookie works by creating a series of linked cookies using a variety of different storage methods: standard HTTP cookies, which can be cleared from the browser; Local Shared Objects via Flash, which only operate when a Flash plug-in is installed but require a separate clean-up and which can be detected from any Flash-enabled browser; HTML5's session storage, local storage, global storage, and database storage via SQLite; cleverly manipulated page titles that store cookie information in the browser's history; and, most impressively of all, a cookie in the form of specific RGB values in an auto-generated PNG, which is forced into cache and read back using HTML5's Canvas tag.

If that list isn't impressive enough, Kamkar is also looking to add more vectors to the list, including Silverlight's Isolated Storage and HTTP ETags.

The insidious nature of the Evercookie is that it only takes a single element to remain, and the next time an Evercookie-enabled site is visited, all elements will be recreated with the original tracking information intact.

Currently, that information is limited to a single value between one and 1,000 - not enough for individual tracking applications. Kamkar, however, has released the source code for the project, meaning that anyone wanting to track users can start to use the techniques he has developed immediately.

Clearly, Kamkar's creation has major implications for privacy, although he states that "I've found that using Private Browsing in Safari will stop ALL evercookie methods after a browser restart." It's likely that advertisers will start to pick up Kamkar's techniques soon, and as more vectors are added to the Evercookie, it will become harder to avoid its tracking.

Are you shocked that someone would work on such a privacy-destroying creation, or merely disappointed that anyone would think the Evercookie was a good idea? Share your thoughts over in the forums.

48 Comments

mi1ez 23rd September 2010, 10:13 Quote
Nice to know security researchers are helping to protect us all.
/sarcasm
mattbailey 23rd September 2010, 10:16 Quote
Just because it could be done, doesn't mean it should be done!

His site says "... PRIVACY CONCERN! How do I stop websites from doing this?
Great question. So far, I've found that using Private Browsing
in Safari will stop ALL evercookie methods after a browser restart."

What if I don't want to use Safari? :?

Not impressed, and what a pointless API for the consumer, great for advertisers, and intelligence use - thanks for that! :(
CAPSLOCK 23rd September 2010, 10:19 Quote
What a d***.
liratheal 23rd September 2010, 10:23 Quote
Thanks. Douche.
BentAnat 23rd September 2010, 10:25 Quote
Yes, releasing it into public is a bit of an ***hole move.
His research shows that it is possible, though, and that in itself is interesting. I am sure that browser developers are taking this VERY seriously and increasing security in their upcoming releases as a consequence. Pr0n mode will soon cripple the approach in all new browsers.
msm722 23rd September 2010, 10:26 Quote
Next he will release code to steal all your credit card info and send it to Nigeria.
minimad127 23rd September 2010, 10:31 Quote
well this could increase the use of virtual machines for browsing with a clean image start each time
mclean007 23rd September 2010, 10:43 Quote
Quote:
Originally Posted by minimad127
well this could increase the use of virtual machines for browsing with a clean image start each time
Maybe, but that's a bit of a sledgehammer to crack a nut approach - sometimes you actually *want* some degree of persistence between browser sessions, which is why history, autocomplete etc. were implemented in the first instance. My preference is a strategy involving a combination of Adblock, Noscript and tight browser security settings, with whitelists for trusted sites on each. That seems to work adequately, but there are a lot of vectors listed above that I'm not 100% convinced would be stopped by this method.

Another point is that, with modern "always-on" broadband connections, most people will find that their router is rarely if ever allocated a new IP address - though they may technically be dynamic, to all intents and purposes a server can assume a lot of the time that the same IP address means the same router (not necessarily the same machine, as multiple machines behind one router will share the same public IP address). This means in principle a technique like Evercookie could be extended to track users on the server side by IP address, and use that as another tracking vector even if they did use a VM or even clean installed their OS. You could even track across multiple machines behind the same router, which has huge security implications.
infi 23rd September 2010, 10:58 Quote
Quote:
Originally Posted by mclean007
whitelists

yep, that's the magic word, don't allow ANYTHING unless you specifically trust it.
Xir 23rd September 2010, 11:37 Quote
I'm glad he released it.
Tear it into the open so a reaction from OS and browser manufacturers is forced. More or less a standard procedure.
Hiren 23rd September 2010, 11:41 Quote
This will certainly help me track how successful our ad campaigns are.
BentAnat 23rd September 2010, 11:48 Quote
Quote:
Originally Posted by Xir
I'm glad he released it.
Tear it into the open so a reaction from OS and browser manufacturers is forced. More or less a standard procedure.
^^ this!
javaman 23rd September 2010, 12:23 Quote
Big Brother strikes again! Surely you would need permission from the user to collect such data or is it a legal grey area?
BRAWL 23rd September 2010, 12:32 Quote
I believe Russell Howard's Brighton Show justifies this with the prefix of "Just because you can, doesn't mean you should"

"It's legal... it's legal.... So is waking your nan up dressed as Hitler... Have some moral decorum"

Fantastic, but I do give it a few weeks before someone invents "THE EVERCOOKIE PURGEBUSTERLOLZOOKA101" program that totally annihilates the use of an Evercookie.
Instagib 23rd September 2010, 12:38 Quote
How long until someone incorporates this into a virus that can't be purged?
Phil Rhodes 23rd September 2010, 12:48 Quote
This would unfortunately be another reason that a flash blocker is essential equipment.
impar 23rd September 2010, 13:09 Quote
Greetings!
Quote:
Originally Posted by Phil Rhodes
This would unfortunately be another reason that a flash blocker is essential equipment.
You read the article?
This Super-cookie can use Flash, HTML5, SQLite, PNG, etc...
ch424 23rd September 2010, 13:30 Quote
I'm sure it's not hard to find its signatures and adblock will catch up soon enough.
PingCrosby 23rd September 2010, 13:30 Quote
mmmmmmm a cookie that lasts forever...I'll have two please.
DragunovHUN 23rd September 2010, 13:36 Quote
**** you, mister Kamkar.
eddtox 23rd September 2010, 13:46 Quote
DO NOT WANT!
SNIPERMikeUK 23rd September 2010, 13:48 Quote
eSCUM Bags....
blink 23rd September 2010, 14:40 Quote
Seriously, what an asshole.
AstralWanderer 23rd September 2010, 14:50 Quote
Quote:
Originally Posted by
I would suggest that a bigger threat is browser fingerprinting, since that doesn't require any information to be stored on the user's PC. See EFF's Primer on Information Theory and Privacy for more details.

The only way to avoid this would be to use a proxy server in conjunction with a web filter - connecting via the Tor network using Firefox with the TorButton extension (which includes filtering measures to block such tracking) would be the easiest option for most.

Nonetheless, having this technique publicised is good - odds are that an advertiser/marketer out there is already using it, so knowing how to defeat it is in the public interest.
Fabou 23rd September 2010, 15:24 Quote
Guys, I found a solution. Just do an OS reinstall after going on the web.
Seriously, finding this is not something to be proud of. The only good point is that, thanks to the available source code, maybe somebody will find a way of protecting our private life against this.
Fizzl 23rd September 2010, 15:32 Quote
What... so you guys don't browse in a secure VM with a virtual hard drive that gets purged when you restart it? For shame!
eddtox 23rd September 2010, 16:00 Quote
Assume no privacy. Ever.
l3v1ck 23rd September 2010, 19:29 Quote
Quote:
Are you shocked that someone would work on such a privacy-destroying creation, or merely disappointed that anyone would think the Evercookie was a good idea?
Both.
jimmyjj 23rd September 2010, 20:38 Quote
Quote:
Originally Posted by liratheal
Thanks. Douche.

This.
Timmy_the_tortoise 23rd September 2010, 20:49 Quote
Quote:
Originally Posted by blink
Seriously, what an asshole.

Agreed. What does he think he's doing?!?!
enciem 23rd September 2010, 23:04 Quote
Quote:
Originally Posted by Timmy_the_tortoise
Quote:
Originally Posted by blink
Seriously, what an asshole.

Agreed. What does he think he's doing?!?!

Increasing awareness of the security flaws in browsers would be my guess.

Seriously though, why does anyone care. You're filmed on loads of cameras every day, every time you swipe your card your spending patterns and movements are monitored, your channel viewing habits can be traced, your IP address follows you everywhere you go, but very few of us are important enough for anyone to really care what we do, it just doesn't matter. If you are important enough, then there's a whole bunch of other stuff monitoring you that you should be more worried about.
malcolm 23rd September 2010, 23:10 Quote
Pfft.... this has been done for a while now, it's only the large amount of vectors that makes this newsworthy. Not only that, you remember the identify a unique browser thing a short while back? Yeah... that's been integrated into techniques like this too. It's kind of funny seeing you all go wah wah over this, there are much worse things afoot, if only you knew.
LordPyrinc 23rd September 2010, 23:47 Quote
More likely he is looking for publicity. So far I'd say he's been successful in that respect.
Timmy_the_tortoise 24th September 2010, 00:35 Quote
Quote:
Originally Posted by enciem
Quote:
Originally Posted by Timmy_the_tortoise
Quote:
Originally Posted by blink
Seriously, what an asshole.

Agreed. What does he think he's doing?!?!

Increasing awareness of the security flaws in browsers would be my guess.

Seriously though, why does anyone care. You're filmed on loads of cameras every day, every time you swipe your card your spending patterns and movements are monitored, your channel viewing habits can be traced, your IP address follows you everywhere you go, but very few of us are important enough for anyone to really care what we do, it just doesn't matter. If you are important enough, then there's a whole bunch of other stuff monitoring you that you should be more worried about.

I'm not bothered about the privacy issues. I'm not that bothered who has my details or sees me walking through the street... I have nothing to hide.

It's the possibility of it being used for malicious purposes that I don't like... Something that can potentially harm my PC to the point of it being unusable, as well as being un-deletable? NO. THANK YOU.
ramliz 24th September 2010, 00:41 Quote
I only use internet for bit-tech, games and pron got NOTIN to hide!
Wolfe 24th September 2010, 00:51 Quote
Opera's "Private Browsing" mode seems to beat this as well, without having to restart to clear everything.
general22 24th September 2010, 01:08 Quote
I like some of the responses on this page calling him a douche etc. Perhaps you idiots would prefer the web browser developers to have no clue about these methods and no code to analyse?

Most of these methods are probably already being employed anyway so I suppose we should just stick our heads in the sand and ignore the problem.
dyzophoria 24th September 2010, 02:22 Quote
for the developers it "may" be good, but he also has potentially given it to people who will actually abuse it. imo there are other ways he could have voiced out these issues with developers rather than distributing sample code.
SaNdCrAwLeR 24th September 2010, 10:21 Quote
Quote:
Originally Posted by dyzophoria
for the developers it "may" be good, but he also has potentially given it to people who will actually abuse it. imo there are other ways he could have voiced out these issues with developers rather than distributing sample code.

the only real way you'll get people to look into things like this in terms of security is if you publish data to the public...
think it isn't? look at Microsoft and several other companies, most of the time when some sort of nasty "bug" comes out they had already been warned months if not up to a year in advance, they only end up working on it when it's out there...
this guy did a good thing, he's putting pressure on the developers to make sure that the public is safe from something like this in a proper time.
hyperion 24th September 2010, 11:37 Quote
Like a slave who offers his master a brand new cane.
dyzophoria 24th September 2010, 12:21 Quote
Quote:
Originally Posted by SaNdCrAwLeR
Quote:
Originally Posted by dyzophoria
for the developers it "may" be good, but he also has potentially given it to people who will actually abuse it. imo there are other ways he could have voiced out these issues with developers rather than distributing sample code.

the only real way you'll get people to look into things like this in terms of security is if you publish data to the public...
think it isn't? look at Microsoft and several other companies, most of the time when some sort of nasty "bug" comes out they had already been warned months if not up to a year in advance, they only end up working on it when it's out there...
this guy did a good thing, he's putting pressure on the developers to make sure that the public is safe from something like this in a proper time.

you have a point, I just don't like end users taking the hit for it first, that's all, lol
Micky999 25th September 2010, 00:58 Quote
It's beatable, because that's how it works, someone makes something that's a bit arsey, another figures how to destroy it, and they eventually do!

This will not last long.
Phoenixlight 24th November 2010, 00:19 Quote
What the **** was the point in making that? it's like making a virus then saying to everyone "hey look at this cool thing I made for your computers"...
Cthippo 26th November 2010, 02:06 Quote
If it can be done it will be done, such is human nature.

I'd rather this be released as an open source proof of concept so that it can be dealt with proactively than show up as an actual exploit and then have everyone scrambling to respond to it afterwards.
thehippoz 26th November 2010, 02:29 Quote
just run a script to erase all of the relevant directories on login.. done :D

been doing that for long time.. remember years back even, guys used to think they were clean running private browsing in firefox.. you look in their flash cache and see horsescocks.com and rogain.com

the only deal running scripts is windows 7 64 bit has issues running certain programs as admin through the task scheduler- found that if you launch a cmd in admin using the scheduler instead, and sendkeys running whatever you need run and exit (a vb script etc..) you get by those limits

vista had the same sort of quirks so it was easy to implement in 7.. they are almost the same.. if someone put a supercookie on me- it wouldn't stick around more than a day, 1am to be exact!

here are all the directories you need to clean with firefox.. substitute the xxxx's
Code:
target = "C:\Users\Mr. Burns\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys"
target1 = "C:\Users\Mr. Burns\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\{XXXXXXXX}"
target2 = "C:\Users\Mr. Burns\AppData\Local\Mozilla\Firefox\Profiles\{xxxxxxxx}.default"

target3 = "C:\Users\{USER}\AppData\Local\Temp\*.*" 
Phoenixlight 26th November 2010, 14:31 Quote
Quote:
Originally Posted by thehippoz
just run a script to erase all of the relevant directories on login.. done :D

been doing that for long time.. remember years back even, guys used to think they were clean running private browsing in firefox.. you look in their flash cache and see horsescocks.com and rogain.com

the only deal running scripts is windows 7 64 bit has issues running certain programs as admin through the task scheduler- found that if you launch a cmd in admin using the scheduler instead, and sendkeys running whatever you need run and exit (a vb script etc..) you get by those limits

vista had the same sort of quirks so it was easy to implement in 7.. they are almost the same.. if someone put a supercookie on me- it wouldn't stick around more than a day, 1am to be exact!

here are all the directories you need to clean with firefox.. substitute the xxxx's
Code:
target = "C:\Users\Mr. Burns\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys"
target1 = "C:\Users\Mr. Burns\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\{XXXXXXXX}"
target2 = "C:\Users\Mr. Burns\AppData\Local\Mozilla\Firefox\Profiles\{xxxxxxxx}.default"

target3 = "C:\Users\{USER}\AppData\Local\Temp\*.*" 

Sorry for being a noob but I'm guessing you put the code into notepad and put the user account name where the X's are? and what lines of code do you need above and below what you posted to make it run?
thehippoz 26th November 2010, 18:05 Quote
go into those directories and replace the xxxx's with whatever you need to, it'll be different for everyone.. and the user name {USER} and Mr. Burns above

here's the rest of the code
Code:
' Runs after the target definitions posted above.
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")

' Delete the Flash and Firefox folders, then recreate them empty.
fso.DeleteFolder target
fso.DeleteFolder target1
fso.DeleteFolder target2
WScript.Sleep 5000
fso.CreateFolder target
fso.CreateFolder target1
fso.CreateFolder target2

' Clear the files in the Temp folder, including read-only ones.
Const DeleteReadOnly = True
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile(target3), DeleteReadOnly
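
Added example, not part of thehippoz's post or of Kamkar's project: a Python audit of the Flash Player `#SharedObjects` folder named in the thread, listing which sites have stored Local Shared Objects so they can be removed per site instead of wiping the whole folder. It assumes the usual `#SharedObjects/<random id>/<domain>/.../<name>.sol` layout; the domains and file names in the sample tree are constructed.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path


def find_flash_lsos(flash_root):
    """Map each storing domain to its .sol files.

    Assumed layout: <flash_root>/#SharedObjects/<random id>/<domain>/.../<name>.sol
    """
    shared = Path(flash_root) / "#SharedObjects"
    found = defaultdict(list)
    if shared.is_dir():
        for sol in shared.rglob("*.sol"):
            parts = sol.relative_to(shared).parts
            if len(parts) >= 3:          # <random id>/<domain>/<file>
                found[parts[1]].append(sol)
    return {domain: sorted(files) for domain, files in found.items()}


def purge_lsos(flash_root, keep=()):
    """Delete LSOs for every domain not listed in keep; return removed paths."""
    removed = []
    for domain, files in find_flash_lsos(flash_root).items():
        if domain in keep:
            continue
        for sol in files:
            sol.unlink()
            removed.append(sol)
    return removed


def make_sample_tree(root):
    """Constructed sample data for a dry run (not real tracker files)."""
    base = Path(root) / "#SharedObjects" / "ABCD1234"
    for rel in ("tracker.example/id.sol",
                "tracker.example/lib/player.swf/state.sol",
                "video.example/volume.sol"):
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample")
    return Path(root)


if __name__ == "__main__":
    # Default is the Windows per-user Flash Player folder named in the post.
    default = Path(os.environ.get("APPDATA", ".")) / "Macromedia" / "Flash Player"
    root = sys.argv[1] if len(sys.argv) > 1 else default
    for domain, files in sorted(find_flash_lsos(root).items()):
        print(f"{domain}: {len(files)} LSO file(s)")
```

Because Flash storage sits outside any browser profile, the same listing applies whichever browser was used, which is why clearing browser cookies alone leaves these files in place.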
Phoenixlight 27th November 2010, 15:52 Quote
Quote:
Originally Posted by thehippoz
go into those directories and replace the xxxx's with whatever you need to, it'll be different for everyone.. and the user name {USER} and Mr. Burns above

here's the rest of the code
Code:
on error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")

    fso.DeleteFolder target
    fso.DeleteFolder target1
    fso.DeleteFolder target2
            WScript.Sleep 5000
    fso.CreateFolder target
    fso.CreateFolder target1
    fso.CreateFolder target2

Const DeleteReadOnly = True
Set objFSO = CreateObject("Scripting.FileSystemObject")
objFSO.DeleteFile(target3), DeleteReadOnly

Ok thanks ;)