"Awesome" and "frightening" have been the two most common reactions on Twitter and in the tech world Wednesday, as word went forth about the Web browser-based cookie, first reported by Sebastian Anthony of DownloadSquad dot com:
"As the name suggests, deleting an evercookie isn't easy — in fact, once you've taken a nibble, that's it: you can't delete it. Of course, no benevolent person would ever use evercookie — you'd have to be a nefarious money-grabbing megalomaniac! — but the sheer number of clever hacks, cheap tricks and snarky ingenuity employed to make evercookies invulnerable makes this project very interesting indeed."
Evercookie, Anthony wrote, "uses eight different storage locations for its cookie, ranging from HTTP and Flash cookies through to HTML5's new storage methods and 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' (really!).
"If the cookie can be found in any one of those locations, it can be rebuilt (and then stored in all eight places again!) Basically, unless you know exactly what you're doing (and you have a lot of spare time to hunt down all of the cookies), you can forget about ever deleting an evercookie."
The cookie's creation is particularly jarring considering the hack that created problems Tuesday for Twitter users, as well as "Flash cookies," described by The New York Times as "a little-known piece of computer code placed on hard drives by the Flash program from Adobe when users watch videos on popular Web sites like YouTube and Hulu." Several lawsuits have been filed against media and technology companies that use such cookies.
Kamkar is known for some of his previous work, including creating a worm in 2005 that netted him 1 million friends overnight on MySpace, according to CNET, which also interviewed Kamkar earlier this year when he "created a program that can be used to intercept Google Maps on a hijacked iPhone."
Lucian Constantin, writing on Softpedia, said "there are currently several class action lawsuits pending against media and entertainment companies, who allegedly abused Flash Local Shared Objects (LSO) to re-spawn cookies deleted via the browser. Evercookie is a proof-of-concept tool that does exactly that — it makes sure deleted cookies can be re-created if deleted by storing them in numerous places."
Security experts said Wednesday they are not immediately concerned about evercookie.
"I don't think this will impact the average user much," said Johannes Ullrich, chief research officer for the SANS Institute, a national organization that does information security training, research and certification. "It only matters if you try to retain some privacy by deleting your cookies regularly. Only few users even try."
Richard Wang, SophosLabs manager in the United States, agreed, saying, "Most people don’t clear out their cookies anyway. It will affect those who are privacy conscious enough to delete their cookies, but do not have the technical tools to clean up all the other locations that evercookie uses. They will lose their ability to avoid tracking until the browser makers or add-on providers enhance their cleanup to include these types of data."
InformationWeek columnist Jim Rapoza wrote Wednesday that the cookie is "beyond the abuse of privacy." First, he said, "it resists the will of the user. If someone takes the time to go into their browser settings and delete the cookie for Scumbag Networks, then those cookies should disappear. By explicitly ignoring the user's request, evercookies are no better than an Uninstall program that not only doesn't uninstall the app but also adds new applications (including spyware)."
Rapoza said that "it's only a matter of time until some of the popular privacy tools and hopefully the browsers themselves, are able to fully remove evercookies. And while it's not totally clear right now, there's good evidence that browser-extensions like NoScript should be able to stop evercookies."
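The rebuild behavior Anthony describes, and the cleanup gap Wang points to, can be checked by comparing storage snapshots taken before deletion, after deletion and after revisiting the site. The sketch below is an added example, not code from evercookie or from the article; the function name, location names and all values are constructed for illustration.

```javascript
// Each snapshot maps a storage location to its key/value pairs.
// findRespawned is a hypothetical helper; the data below is constructed.
function findRespawned(before, afterClear, afterRevisit, cleared) {
  const findings = [];
  for (const loc of cleared) {
    for (const [key, value] of Object.entries(before[loc] || {})) {
      const deleted = !(key in (afterClear[loc] || {}));
      // A re-issued cookie gets a new value; a respawned one gets the old value back.
      const cameBack = (afterRevisit[loc] || {})[key] === value;
      if (!deleted || !cameBack) continue;
      // Uncleared locations that still held the value after deletion
      // are the likely sources of the rebuild and must be cleaned too.
      const sources = Object.keys(afterClear).filter(
        (other) => !cleared.includes(other) &&
          Object.values(afterClear[other]).includes(value)
      );
      findings.push({ location: loc, key, value, sources });
    }
  }
  return findings;
}

// Constructed snapshots: the user clears only HTTP cookies, then revisits.
const before = {
  httpCookies: { uid: "a1b2c3", sid: "s-111" },
  localStorage: { uid: "a1b2c3" },
  flashLso: { uid: "a1b2c3" },
};
const afterClear = {
  httpCookies: {},
  localStorage: { uid: "a1b2c3" },
  flashLso: { uid: "a1b2c3" },
};
const afterRevisit = {
  httpCookies: { uid: "a1b2c3", sid: "s-222" },
  localStorage: { uid: "a1b2c3" },
  flashLso: { uid: "a1b2c3" },
};

const report = findRespawned(before, afterClear, afterRevisit, ["httpCookies"]);
console.log(JSON.stringify(report, null, 2));
```

The `sid` cookie is not flagged because it returns with a new value, which is ordinary re-issuance; only `uid`, which returns with its pre-deletion value, counts as respawned.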