Evercookie will track you down
Kamkar's Evercookie resists deletion - and can even track you between different browsers.
Using a raft of techniques, Kamkar is able to generate a series of cookies that can survive multiple purges and even track a user between browsers.
The Evercookie works by creating a series of linked cookies using a variety of different storage methods: standard HTTP cookies, which can be cleared from the browser; Local Shared Objects via Flash, which only operate when a Flash plug-in is installed but require a separate clean-up and which can be detected from any Flash-enabled browser; HTML5's session storage, local storage, global storage, and database storage via SQLite; cleverly manipulated page titles that store cookie information in the browser's history; and, most impressively of all, a cookie in the form of specific RGB values in an auto-generated PNG, which is forced into cache and read back using HTML5's Canvas tag.
If that list isn't impressive enough, Kamkar is also looking to add more vectors to the list, including Silverlight's Isolated Storage and HTTP ETags.
The insidious nature of the Evercookie is that it only takes a single element to remain, and the next time an Evercookie-enabled site is visited, all elements will be recreated with the original tracking information intact.
Currently, that information is limited to a single value between one and 1,000 - not enough for individual tracking applications. Kamkar, however, has released the source code for the project, meaning that anyone wanting to track users can start to use the techniques he has developed immediately.
Clearly, Kamkar's creation has major implications for privacy although he states that "I've found that using Private Browsing in Safari will stop ALL evercookie methods after a browser restart." It's likely that advertisers will start to pick up Kamkar's techniques soon, and as more vectors are added to the Evercookie, it will become harder to avoid its tracking.
Are you shocked that someone would work on such a privacy-destroying creation, or merely disappointed that anyone would think the Evercookie was a good idea? Share your thoughts over in the forums.
Previous Article
48 Comments
Discuss in the forums Reply/sarcasm
His site says "... PRIVACY CONCERN! How do I stop websites from doing this?
Great question. So far, I've found that using Private Browsing
in Safari will stop ALL evercookie methods after a browser restart."
What if I dont want to use Safari? :?
Not impressed, and what a pointless API for the consumer, great for advertisers, and intelligence use - thanks for that! :(
His research shows that it is possible, though, and that in itself is interesting. I am sure that browser developers are taking this VERY seriously and increasing security in their upcoming releases as a consequence. Pr0n mode will soon cripple the approach in all new browsers.
Another point is that, with modern "always-on" broadband connections, most people will find that their router is rarely if ever allocated a new IP address - though they may technically be dynamic, to all intents and purposes a server can assume a lot of the time that the same IP address means the same router (not necessarily the same machine, as multiple machines behind one router will share the same public IP address). This means in principle a technique like Evercookie could be extended to track users on the server side by IP address, and use that as another tracking vector even if they did use a VM or even clean installed their OS. You could even track across multiple machines behind the same router, which has huge security implications.
yep, that's the magic word, don't allow ANYTHING unless you specifically trust it.
Tear it into the open so a reaction from OS and Browsermanfacturers is forced. More or less a standart procedure.
"It's legal... it's legal.... So is waking your nan up dressed as Hitler... Have some moral decorum"
Fantastic, but I do give it a few weeks before someone invents "THE EVERCOOKIE PURGEBUSTERLOLZOOKA101" program that totally annihlates the use of an Evercookie.
This Super-cookie can use Flash, HTML5, SQLite, PNG, etc...
The only way to avoid this would be to use a proxy server in conjunction with a web filter - connecting via the Tor network using Firefox with the TorButton extension (which includes filtering measures to block such tracking) would be the easiest option for most.
Nonetheless, having this technique publicised is good - odds are that an advertiser/marketer out there is already using it, so knowing how to defeat it is in the public interest.
Seriously finding this is not something to be proud. The only good point is that thank to the available source code maybe somebody will a way of protecting private our private life against this.
This.
Agreed. What does he think he's doing?!?!
Increasing awareness of the security flaws in browers would be my guess.
Seriously though, why does anyone care. Your filmed on loads of cameras everyday, every time you swipe your card your spending patterns and movements are monitored, your channel viewing habits can be traced, your IP address follows you everywhere you go, but very few of us are important enough for anyone to really care what we do, it just doesn't matter. If you are important enough, then there's a whole bunch of other stuff monitoring you that you should be more worried about.
I'm not bothered about the privacy issues. I'm not that bothered who has my details or sees me walking through the street... I have nothing to hide.
It's the possibility of it being used for malicious purposes that I don't like... Something that can potentially harm my PC to the point of it being unusable, as well as being un-deletable? NO. THANK YOU.
Most of these methods are probably already being employed anyway so I suppose we should just stick our heads in the sand and ignore the problem.
the only real way you'll get people to look into things like this in terms of security is if you publish data to the public...
think it isn't? look at Microsoft and several other companies, most of the time when some sort of nasty "bug" comes out they had already been warned months if not up to a year in advance, they only end up working on it when it's out there...
this guy did a good thing, he's putting pressure on the developers to make sure that the public is safe from something like this in a propper time.
you have a point, I just dont like end users taking the hit for it first, that's all,lol
This will not last long.
I'd rather this be released as an open source proof of concept so that it can be dealt with proactively than show up as an actual exploit and then have everyone scrambling to respond to it afterwords.
been doing that for long time.. remember years back even, guys used to think they were clean running private browsing in firefox.. you look in their flash cache and see horsescocks.com and rogain.com
the only deal running scripts is windows 7 64 bit has issues running certain programs as admin through the task scheduler- found that if you launch a cmd in admin using the scheduler instead, and sendkeys running whatever you need run and exit (a vb script ect..) you get by those limits
vista had the same sort of quirks so it was easy to implement in 7.. they are almost the same.. if someone put a supercookie on me- it wouldn't stick around more than a day, 1am to be exact!
here are all the directories you need to clean with firefox.. substitute the xxxx's
target = "C:\Users\Mr. Burns\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys" target1 = "C:\Users\Mr. Burns\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\{XXXXXXXX}" target2 = "C:\Users\Mr. Burns\AppData\Local\Mozilla\Firefox\Profiles\{xxxxxxxx}.default" target3 = "C:\Users\{USER}\AppData\Local\Temp\*.*"Sorry for being a noob but I'm guessing you put the code into notepad and put the user account name where the X's are? and what lines of code do you need above and below what you posted to make it run?
here's the rest of the code
on error Resume Next Set fso = CreateObject("Scripting.FileSystemObject") fso.DeleteFolder target fso.DeleteFolder target1 fso.DeleteFolder target2 WScript.Sleep 5000 fso.CreateFolder target fso.CreateFolder target1 fso.CreateFolder target2 Const DeleteReadOnly = True Set objFSO = CreateObject("Scripting.FileSystemObject") objFSO.DeleteFile(target3), DeleteReadOnlyOk thanks ;)