James O'Neill's Blog

February 19, 2010

The Zombie cookie apocalypse (or how flash bypasses privacy)

Filed under: Internet Explorer,Security and Malware — jamesone111 @ 10:48 am

Earlier this week I went to “Oxford Geek Night” and the title of one of the sessions was “The Zombie Cookie apocalypse”, delivered by David Sheldon (I wish his slides were on-line so you could read more and I could give him a proper credit). It wasn’t the only informative session – there were a bunch of those – but it was one which sent me away thinking “I should have known that”.

Here’s the gist. We all know about cookies, the little bits of information which web sites send to your browser to make applications work, or to follow you round the web. Even IE6 knew that cookies could be bad and could reject the tracking ones. Adobe Flash keeps its own cookies, which bypass the normal rules.
Although it doesn’t seem to be widely known (I was in a roomful of people where internet expertise was the top skill, and no one seemed to have heard of this before), it is reasonably well documented, often under Adobe’s name of “Local stored objects”. You can read more information in Wikipedia’s dispassionate style, or you can have it in “they’ll suck out your brains” style if you prefer (of course you do!).

This has 3 main impacts.

  1. If you run different browsers – say IE and Firefox (the demo I saw used Firefox and Chrome on Linux) – each browser maintains (and can clear) its own cookie store, so you can have different personas by using different browsers: but Flash is Flash wherever it runs, so it uses a single store.
  2. Browsers don’t know about information held by add-ins (Flash or anything else), so they can’t clear it. You might think you’ve killed off the cookies, but the Flash ones will keep coming back (hence the Zombie reference).
  3. IE8 has “In Private Browsing”, and so do Firefox and Chrome (I think Chrome calls them Incognito windows). Adobe announced support for private modes recently (you can read the IE team’s take on this), but if you are running a version before 10.1 – and as I type this the current download is, so you are running something before 10.1 – it uses the same store for In Private browsing that it uses for ordinary browsing, and doesn’t clear the cookies afterwards.

I thought “the handful of sites where I use In-Private Browsing aren’t Flash sites”, but the Flash content handling the cookie is not always visible. When I did a quick search I found something from the Electronic Privacy Information Center which quotes one tracking platform vendor as saying "All advertisers, websites and networks use cookies for targeted advertising, but cookies are under attack. According to current research they are being erased by 40% of users creating serious problems.". Indeed: as EPIC puts it a little later, “By deleting cookies, consumers are clearly rejecting attempts to track them. Using an obscure technology to subvert these wishes is a practice that should be stopped”.

So: how do you see, clear and block/allow Flash cookies? That announcement from Adobe suggests that in 10.1 you will be able to do this by right-clicking on Flash content in the browser and going to Settings. Until you get 10.1, you have to visit a page on Adobe’s site, which isn’t especially easy to find.
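Until that settings page is to hand, the store can also be inspected directly on disk. The Python script below is an added example, not part of the original post and not the author’s PowerShell title-fetching script: it walks a Flash Player #SharedObjects folder, checks each .sol file’s header, decodes the simple AMF0 values (number, boolean, string) and reports which domain left what. The per-platform paths in default_lso_roots() are the usual defaults and are assumed here rather than taken from the post; the domains, object names and values in demo() are constructed sample data written to a temporary folder, so the script runs without a Flash installation. Anything it cannot decode (nested objects, arrays, AMF3 bodies) is flagged as partial rather than guessed at.

```python
import os
import struct
import tempfile
from pathlib import Path

SOL_MAGIC = b"\x00\xbf"                           # 2-byte file marker
SOL_SIGNATURE = b"TCSO\x00\x04\x00\x00\x00\x00"   # "TCSO" plus six fixed bytes


def default_lso_roots():
    """Default #SharedObjects locations for Flash Player (assumed per-platform defaults)."""
    roots = []
    if os.environ.get("APPDATA"):
        roots.append(Path(os.environ["APPDATA"]) / "Macromedia" / "Flash Player" / "#SharedObjects")
    roots.append(Path.home() / ".macromedia" / "Flash_Player" / "#SharedObjects")
    roots.append(Path.home() / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects")
    return roots


def parse_sol(data):
    """Parse a .sol header and an AMF0 body holding numbers, booleans and strings.
    Any other value type, or an AMF3 body, marks the result as partial."""
    if data[:2] != SOL_MAGIC:
        raise ValueError("bad magic: not a .sol file")
    (length,) = struct.unpack(">I", data[2:6])      # bytes remaining after this field
    if length != len(data) - 6:
        raise ValueError("length field disagrees with file size")
    if data[6:16] != SOL_SIGNATURE:
        raise ValueError("bad TCSO signature")
    (name_len,) = struct.unpack(">H", data[16:18])
    pos = 18
    name = data[pos:pos + name_len].decode("utf-8")
    pos += name_len + 3                              # object name, then 3 padding bytes
    encoding = data[pos]                             # 0 = AMF0, 3 = AMF3
    pos += 1
    result = {"name": name, "encoding": encoding, "entries": {}, "partial": encoding != 0}
    if encoding != 0:
        return result
    while pos < len(data):
        (klen,) = struct.unpack(">H", data[pos:pos + 2])
        key = data[pos + 2:pos + 2 + klen].decode("utf-8")
        pos += 2 + klen
        marker = data[pos]
        pos += 1
        if marker == 0x00:                           # number: 8-byte big-endian double
            (val,) = struct.unpack(">d", data[pos:pos + 8])
            pos += 8
        elif marker == 0x01:                         # boolean: one byte
            val = data[pos] != 0
            pos += 1
        elif marker == 0x02:                         # string: 2-byte length + UTF-8
            (slen,) = struct.unpack(">H", data[pos:pos + 2])
            val = data[pos + 2:pos + 2 + slen].decode("utf-8")
            pos += 2 + slen
        else:                                        # anything else: stop rather than guess
            result["entries"][key] = "<undecoded AMF0 type 0x%02x>" % marker
            result["partial"] = True
            return result
        result["entries"][key] = val
        pos += 1                                     # each entry ends with a 0x00 byte
    return result


def build_sol(name, entries):
    """Build a minimal AMF0 .sol file; used here only to construct sample input."""
    body = b""
    for key, val in entries.items():
        body += struct.pack(">H", len(key)) + key.encode("utf-8")
        if isinstance(val, bool):                    # bool before int: True is also an int
            body += b"\x01" + (b"\x01" if val else b"\x00")
        elif isinstance(val, (int, float)):
            body += b"\x00" + struct.pack(">d", float(val))
        else:
            s = str(val).encode("utf-8")
            body += b"\x02" + struct.pack(">H", len(s)) + s
        body += b"\x00"
    # signature, name, 3 padding bytes, encoding byte 0 (AMF0), then the body
    rest = SOL_SIGNATURE + struct.pack(">H", len(name)) + name.encode("utf-8") + b"\x00\x00\x00\x00" + body
    return SOL_MAGIC + struct.pack(">I", len(rest)) + rest


def inventory(root):
    """Walk <root>/<random id>/<domain>/.../<object>.sol and summarise each file."""
    report = []
    for sol in sorted(Path(root).rglob("*.sol")):
        parts = sol.relative_to(root).parts
        domain = parts[1] if len(parts) > 2 else parts[0]
        try:
            parsed = parse_sol(sol.read_bytes())
            keys, obj = sorted(parsed["entries"]), parsed["name"]
        except ValueError as exc:
            keys, obj = ["<%s>" % exc], None
        report.append({"domain": domain, "object": obj, "bytes": sol.stat().st_size, "keys": keys})
    return report


def demo():
    """Constructed sample: two fake domains (.test TLD) in a temporary #SharedObjects tree."""
    tmp = Path(tempfile.mkdtemp())
    samples = {
        ("ads.example-tracker.test", "tracker"): {"uid": "9f3a77", "visits": 3, "optout": False},
        ("cdn.example-video.test", "player"): {"vol": 0.8, "last": "clip-42"},
    }
    for (domain, obj), entries in samples.items():
        d = tmp / "ABCD1234" / domain
        d.mkdir(parents=True, exist_ok=True)
        (d / (obj + ".sol")).write_bytes(build_sol(obj, entries))
    return inventory(tmp)


if __name__ == "__main__":
    for row in demo():
        print("%-28s %-8s %5d bytes  keys=%s" % (row["domain"], row["object"], row["bytes"], ",".join(row["keys"])))
    for root in default_lso_roots():                 # then the real store, if present
        if root.is_dir():
            for row in inventory(root):
                print(row)
```

Run as-is it prints the constructed inventory and then, if a Flash #SharedObjects folder exists on the machine, the real one; a domain you have never knowingly visited showing up with a non-trivial byte count is exactly the kind of entry the post goes on to list. The header checks are strict on purpose: a file whose length field or signature does not match is reported as an error rather than half-parsed.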


While clearing the information from my computer I made a note of some of the sites which were leaving information on my PC that I was certain I hadn’t visited, and wrote a little PowerShell script to get the title from their home page (which worked for most sites; some take a little fiddling). Here are the names and descriptions.

atdmt.com – Atlas Solutions – Online Advertising: Advertiser and Publisher Ad Serving Solutions
Clearspring.com – Your Content. Everywhere – connecting online publishers and advertisers to audiences on the social web.
feedjit.com – Live Traffic Feed & Other Awesome Widgets
flashTalking.com – Video and Rich Media Adserving
gigya.com – Social Optimization for Online Business
ooyala.com – Video Platform, Analytics and Advertising
quantServe.com – It’s your audience. We just find it.™
tubemogul.com – In-Depth Tracking, Analytics for Online Video | Web Video Syndication
videoegg.com – VideoEgg "innovative ad products"
visiblemeasures.com – Measure Online Video Advertising
http://www.vizu.com – Digital Brand Advertising Measurement. Market Research.

You can see what business they are all in. I’ve added them to my list of sites blocked by InPrivate Filtering. Which reminds me, I must post part 2 of that.

This post originally appeared on my technet blog.
