Old 09-23-10, 09:34 AM   #1

Join Date: Aug 2009
Posts: 32,750
'Evercookie' is one cookie you don't want to bite

A new software cookie called "evercookie," that apparently cannot be deleted, has been created by a hacker who has been in the news before.

"Awesome" and "frightening" have been the two most common reactions on Twitter and in the tech world Wednesday, as word went forth about the Web browser-based cookie, first reported by Sebastian Anthony of DownloadSquad dot com:
"As the name suggests, deleting an evercookie isn't easy — in fact, once you've taken a nibble, that's it: you can't delete it. Of course, no benevolent person would ever use evercookie — you'd have to be a nefarious money-grabbing megalomaniac! — but the sheer number of clever hacks, cheap tricks and snarky ingenuity employed to make evercookies invulnerable makes this project very interesting indeed."

Evercookie, Anthony wrote, "uses eight different storage locations for its cookie, ranging from HTTP and Flash cookies through to HTML5's new storage methods and 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' (really!).
"If the cookie can be found in any one of those locations, it can be rebuilt (and then stored in all eight places again!) Basically, unless you know exactly what you're doing (and you have a lot of spare time to hunt down all of the cookies), you can forget about ever deleting an evercookie."
The cookie's creation is particularly jarring considering the hack that created problems Tuesday for Twitter users, as well as "Flash cookies," described by The New York Times as "a little-known piece of computer code placed on hard drives by the Flash program from Adobe when users watch videos on popular Web sites like YouTube and Hulu." Several lawsuits have been filed against media and technology companies that use such cookies.

Samy Kamkar, who created evercookie, describes it as a JavaScript API (application programming interface) that "produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (LSOs), and others."
Kamkar is known for some of his previous work, including creating a worm in 2005 that netted him 1 million friends overnight on MySpace, according to CNET, which also interviewed Kamkar earlier this year when he "created a program that can be used to intercept Google Maps on a hijacked iPhone."
Lucian Constantin, writing on Softpedia, said "there are currently several class action lawsuits pending against media and entertainment companies, who allegedly abused Flash Local Shared Objects (LSO) to re-spawn cookies deleted via the browser. Evercookie is a proof-of-concept tool that does exactly that — it makes sure deleted cookies can be re-created if deleted by storing them in numerous places."

Security experts said Wednesday they are not immediately concerned about evercookie.

"I don't think this will impact the average user much," said Johannes Ullrich, chief research officer for the SANS Institute, a national organization that does information security training, research and certification. "It only matters if you try to retain some privacy by deleting your cookies regularly. Only few users even try."
Richard Wang, SophosLab manager in the United States, agreed, saying, "Most people don’t clear out their cookies anyway. It will affect those who are privacy conscious enough to delete their cookies, but do not have the technical tools to clean up all the other locations that evercookie uses. They will lose their ability to avoid tracking until the browser makers or add-on providers enhance their cleanup to include these types of data."
InformationWeek columnist Jim Rapoza wrote Wednesday that the cookie is "beyond the abuse of privacy." First, he said, "it resists the will of the user. If someone takes the time to go into their browser settings and delete the cookie for Scumbag Networks, then those cookies should disappear. By explicitly ignoring the user's request, evercookies are no better than an Uninstall program that not only doesn't uninstall the app but also adds new applications (including spyware)."
Rapoza said that "it's only a matter of time until some of the popular privacy tools and hopefully the browsers themselves, are able to fully remove evercookies. And while it's not totally clear right now, there's good evidence that browser-extensions like NoScript should be able to stop evercookies."

plasty is offline  
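
Added example, not part of the original post or of the evercookie project: a small in-memory model of the "found in any one location, rebuilt in all" behaviour the article describes, used to check which locations a cleanup misses. The location names, the `uid` key and the ID strings are constructed for illustration; each location is a plain `Map`, not a real browser API, and only the locations the article names are modelled.

```javascript
// Constructed model: every storage location is an in-memory Map.
// Names follow locations the article mentions (it says there are eight in total).
const LOCATIONS = ["http_cookie", "flash_lso", "html5_storage", "png_cache"];

function makeBrowser() {
  return new Map(LOCATIONS.map((name) => [name, new Map()]));
}

// Page load as the article describes it: read every location and,
// if any copy survives, write that value back to all of them.
function pageLoad(browser, key, freshId) {
  let found;
  for (const store of browser.values()) {
    if (store.has(key)) { found = store.get(key); break; }
  }
  const id = found !== undefined ? found : freshId;
  for (const store of browser.values()) store.set(key, id);
  return { id, respawned: found !== undefined };
}

// A cleanup tool, modelled as the list of locations it wipes.
function cleanup(browser, wiped) {
  for (const name of wiped) browser.get(name)?.clear();
}

// Audit: which locations still hold the key after a cleanup?
function residual(browser, key) {
  return [...browser].filter(([, store]) => store.has(key)).map(([name]) => name);
}

function demo() {
  const b = makeBrowser();
  const first = pageLoad(b, "uid", "id-constructed-1");
  cleanup(b, ["http_cookie"]);            // user clears cookies in browser settings
  const left = residual(b, "uid");        // copies the cleanup missed
  const second = pageLoad(b, "uid", "id-constructed-2");
  cleanup(b, LOCATIONS);                  // cleanup that covers every location
  const third = pageLoad(b, "uid", "id-constructed-3");
  return { first, left, second, third };
}

console.log(demo());
```

A non-empty `residual` list after a cleanup means the next page load restores the old identifier; only a cleanup that covers every location yields a fresh one.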
Old 09-23-10, 11:42 AM   #2
The Long Winded One

Join Date: May 2009
Location: Not really sure, I'm not fond of going outside. Suffice to say it's on Earth.
Posts: 279
More of that convenient evidence of cyber terrorism we keep seeing.
Agent_Zero is offline   Reply With Quote
Old 09-23-10, 01:45 PM   #3
Join Date: Mar 2009
Posts: 288
Long live the evercookie.
FreddyC is offline   Reply With Quote
Old 09-23-10, 05:02 PM   #4
Join Date: Aug 2010
Posts: 356
How many times have you not heard from some hacker or viral creator who now has created a new tool to infiltrate computers?
But interesting that NoScript is mentioned as a blocker for it, already got that one in my Firefox.

Last edited by Persen; 09-23-10 at 05:09 PM. Reason: added text
Persen is offline   Reply With Quote
Old 09-23-10, 09:45 PM   #5
Join Date: Mar 2009
Location: Final Stage
Posts: 748
These types of cookies would be in dodgy sites I believe, not your regular sites..
kumachanAE86 is offline   Reply With Quote
