Flash ‘Cookies’, a hidden bane

July 28, 2008 at 09:57 | Posted in Privacy/Security | 22 Comments

—- N.B.

I have made several updates to this post as I have noticed continued interest in it.

There is a follow-up to this in the comments below for those looking for a way to delete Flash cookies. I’ll be posting a Windows bat file to do about the same soon. There is now a link in the sidebar to the right to downloadable versions of the LSO (Flash Cookie) removal scripts, one for XP and one for Linux. I have yet to find a functional way to stop the cookies from being set, as it seems blocking them seriously messes with some sites’ functionality.

There is another privacy bane on the net: “Flash Cookies”, or technically “Local Shared Objects” (LSOs). There is a good explanation of them on this blog and also a link to the Adobe Flash Settings Manager, which will let you think you are managing them. These “cookies” are not cleared when you clear your browser’s cookies, are not stopped by telling your browser to prevent cookies, and are not stopped by normal cookie managers. You currently have to use the Settings Manager, or root them out and delete them manually.

You can go to the Settings Manager and do the following:

– Setting the default storage size to 0 (none) on the “Global Storage Settings” tab

– Unchecking “Allow third-parties Flash content to store data on your computer”

– Unchecking “Store common Flash components to reduce download time”

– Check “Never Ask Again” (some sites manage to ignore this.. but see below)

(Bear in mind that I am draconian about my privacy, and would rather have things asking me for permission all the time than doing things without asking. You can, of course, set things to your own liking.)

— It has been pointed out that the above has little permanent effect as there seems to be little or no enforcement of the above settings and sites go ahead and store LSO’s even with the limit set to 0 —

– Bookmark the settings manager (you’ll want to come back to it now and then)

If a site is annoying about asking for storage go to the Settings manager from a new browser tab or window and use the “Website Storage Settings” tab in the Settings manager to tell the site to never ask again.

You can also use the “Website Storage Settings” to allow sites that you want/need to save data and limit how much they can store.

If ever there was a good reason for using NoScript (which prevents Flash and other things from running without permission), this is one (of many).

— I strongly recommend the use of NoScript, as an increasing number of sites have started using Flash “web beacons” to track people (they hide a transparent 1×1 Flash object on the webpage just so they can set an LSO (Flash cookie)) —

Good day, And happy and safe surfing.
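
As an added example (not the author's downloadable scripts and not code from this post), here is a more selective alternative to deleting everything: it lists the stored LSOs per site and removes only those whose site is not on a keep-list, leaving the Flash Player settings alone. The `<random-id>/<site>` layout under `#SharedObjects`, the `LSO_ROOT`, `KEEP_FILE` and `DRY_RUN` variables and the `~/.lso-keep` file are assumptions of this example.

```bash
#!/bin/bash
# Added example, not the post's own script.
# Assumed layout: <root>/#SharedObjects/<random-id>/<site>/.../*.sol
LSO_ROOT="${LSO_ROOT:-$HOME/.macromedia/Flash_Player}"
KEEP_FILE="${KEEP_FILE:-$HOME/.lso-keep}"   # hypothetical keep-list, one site per line

# Print "<site> <file-count> <total-bytes>" for each site that stored an LSO.
lso_inventory() {
    local root="$1/#SharedObjects"
    [ -d "$root" ] || return 0
    find "$root" -type f -name '*.sol' | while IFS= read -r f; do
        rel="${f#"$root"/}"     # strip the root    -> <random-id>/<site>/...
        rel="${rel#*/}"         # strip <random-id> -> <site>/...
        printf '%s %s\n' "${rel%%/*}" "$(wc -c < "$f")"
    done | awk '{ n[$1]++; b[$1] += $2 }
                END { for (s in n) print s, n[s], b[s] }' | sort
}

# Remove LSOs of every site not on the keep-list. DRY_RUN=1 (the default)
# only reports; DRY_RUN=0 deletes the site's directories.
lso_purge() {
    local root="$1/#SharedObjects"
    local keep="$2"
    local dry="${DRY_RUN:-1}"
    lso_inventory "$1" | while read -r site count bytes; do
        if [ -f "$keep" ] && grep -qxF -- "$site" "$keep"; then
            continue                       # site is allowed to keep its data
        fi
        echo "remove: $site ($count files, $bytes bytes)"
        if [ "$dry" != 1 ]; then
            for d in "$root"/*/"$site"; do rm -rf -- "$d"; done
        fi
    done
}

# Stand-alone run: report (or, with DRY_RUN=0, delete) for the current user.
lso_purge "$LSO_ROOT" "$KEEP_FILE"
```

Run it once as-is to see which sites have stored data, add the ones you want to keep to the keep-list, then run it with `DRY_RUN=0`.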


22 Comments

  1. Changing settings at the Adobe site does NOT keep Flash Cookies off your hard drive. We’ve told Flash NOT to store cookies repeatedly, but it keeps doing so anyway.

    Just do a search for *.sol on your hard drive and you’ll be amazed & chagrined to see all the secret Flash Cookies on your machine.

    People should be complaining loudly to Adobe/macromedia and insist that they issue a patch for FlashPlayer that puts ALL AUTHORITY strictly into the hands of the end-user for managing, deleting, and blocking ALL Flash Cookies and doing so PERMANENTLY.

    Thanks for listening. Now please contact Adobe and sincerely and fervently request the above changes, for all our sakes. For Adobe to be doing this surreptitious cookieing behind our backs is dishonest and reprehensible. It needs to STOP!

    Please also educate all your friends & family about these invasive Flash Cookies. Thanks again.

  2. Thanks for the info. Did some checking and “Just Me” is correct.. Flash cookies are still getting set. Even when you tell it no, NO, NOOOOOO!!
      
    Linux Users can use the script below to clear out the cookies.

    #!/bin/bash
    #
    # remove @%$$#!!!! Flash cookies
    echo "blowing away FlashPlayer Settings and cookies"
    rm -R ~/.macromedia/Flash_Player/

      
      
    This script is a little strong in that it Blows away the flash_player settings too.. but since things are ignoring them anyways..
      
    If you want to just blow away the cookies:
      
    rm -R ~/.macromedia/Flash_Player/#SharedObjects
      
    To be Really, Really sure:
      
    rm -R ~/.macromedia/
      
    If you click through to the Blog I mention that explains the Flash cookies.. there are suggestions in the comment section of how Windows users can delete the cookies.
      
    I tried setting a file #SharedObjects where the folder should be and setting it read only but that caused certain sites to malfunction badly (it did however prevent any cookies being set)

  3. […] that I have pointed out to them in the past, is that they insist on using LSO’s (”Flash cookies“) to record a persons log-in state. This is a nightmare from a security standpoint, […]

  4. […] does not store the log-in state in LSO’s in fact their use of LSO’s is […]

  5. […] tags, tracking bugs, etc are tiny 1×1 pixel images (gif, jpg, png, tif, etc) (and increasingly Flash objects) that companies put into websites or e-mails to track where, when, and by whom they are viewed. On […]

  6. […] | In Tech | Just a short entry to let people (RSS) know that I’ve made updates to My “Flash ‘Cookies’, a hidden bane” entry and also put a link in the Side Bar to downloadable Flash LSO (cookie) removal […]

  7. Aren’t they total bastards! I have all the browser safety features inc. Firefox with NoScript, TACO, TrackMeNot, Adblock Plus etc., etc. Also a virtual browser. But still they manage to get through to my machine?

    All these advertising and marketing jerks are criminals. I fail to understand how all the underhand dealings they do don’t get them in prison. Seriously.

    It’s far more than a question of ethics when they go stealing info. and spying on everyone like they do.

    • Governments are just starting to take a look into this. The Google/DoubleClick merger raised their attention level and the public outcry over the antics of the likes of Phorm and NebuAd also got governments’ attention. The problem is not enough people bitch to their representative (congressperson, MPP, etc) about it.

      For stopping Flash cookies (LSO’s) there is a nice plug-in called Objection. However setting it so it blocks all LSO’s breaks many sites so the current best option is to set Objection to block as much as it can without breaking stuff and then delete the LSO’s regularly. Either with Objection, the scripts I provide or something similar.

  8. Could the reason that insufficient people complain be that they’re just unaware of LSO’s? I’m an average end-user of a PC who has been online for 4 years, but only in the past couple of days have I got to know about them! I discovered the Firefox add-on Better Privacy a couple of days ago, hence…. Thanks for the info. re Objection. I’ll take a look at it.

    • Could well be.. I am pretty sure that the main reason that Flash is so prevalent today is because of the LSO’s. Certainly there are much better ways to do streaming video, and many other things Flash gets used for. Objection is a great plug-in.. it even lets you examine what is stored in the LSO’s. I have it set to clear the LSO’s when the browser starts.

  9. I’ve just read the posting about web pixels and am pleased to say I already do most of what’s suggested to avoid them. But this doesn’t alter the outrage I feel that this sort of activity is allowed. Anything like tracking, monitoring, spying, or generally prying, done company to company, would be classed as illegal via “espionage”: done person to person it would be “harassment” or “stalking”. To say the very least, it’s an anomaly in the law that it’s allowed company to individual. What a sick situation. I absolutely detest all the trades and allied branches of sales, marketing, advertising and promotion etc. I just hope all the various governments of the world unite on this and respect that we are people, not commodities for the jerks to do what they want with. The sooner these activities are outlawed, the better.

    • Yes it is interesting to see the current double standard. Big companies can have content pulled from the web by simply claiming it violates their copyright/trademark/etc. But the average user is left out in the cold with no legal recourse to defend their right to privacy, and so must do the best they can themselves. This among other reasons is why I feel projects like TOR, NoScript, GNUnet, Ad-Block Plus, Etc. are so important.

  10. Oh yes! NoScript and AdBlock Plus get 110% from me. They stop so much crap that I couldn’t live without them now. I was an ignoramus who used IE for almost three years before I finally took my nephew’s advice and tried Firefox. No looking back. What a relief to discover the ordinary person can largely determine what they are subjected to. I’ll check out TOR and GNUnet. Thanks for alerting me to them.

    • There is another addon namely Better Privacy,
      does a better job on clearing flash-cookies than Objection, I.M.O:

  11. BetterPrivacy is here:

    https://addons.mozilla.org/en-US/firefox/addon/6623

    • Thanks for the info. I’ll be sure to check it out.

  12. […] admit it one of the large reasons for Flash adoption is so companies can pollute your system with LSO’s which most people don’t know about or how to get rid of. Because in the eyes of companies […]

  13. The crazy thing with LSO’s is you never hear about them unless you’re big into computer privacy. I was huge into privacy when Firefox launched. I grabbed up every new blocking app when it came out and set up my standard suite of crap removers.

    But then life moves on and I just relied on what I had. I’m still generally well informed about tech news, but am no programmer myself, so when I saw better privacy while checking the firefox extension list I just added it b/c I was bored and figured I’d give it a spin.

    When it asked me if I wanted to LSOs I was shocked, I had no idea what they were. Now I’m back on a security kick but it’s really a pain in the ass that you have to live in a state of paranoia for the rest of your life to stave off this kind of crap.

    There really ought to be a set of regulations or something regarding this crap.

  14. There might be a permanent and easy way to block this privacy issue:

    delete the directories in
    ~/.macromedia/Flash_Player

    but copy their names before as you now create two empty files with exactly these names.

    Maybe not all functionality can be kept but it’s working for me now. I got this tip from another site and used it successfully under Windows as well.

  15. […] use flash just to put up an image. The only reason to do this is that the websites wants to set a Flash super cookie and circumvent users browser privacy settings. As I mentioned before Gnash as a wonderful option to […]

  16. I know, I know… this entry is so old, but this fix is easy in Linux. Just redirect the directories to /dev/null and you don’t have to worry about clearing them… they never, ever get saved to disk 🙂

    cd $HOME

    rm -rf .adobe .macromedia

    ln -s /dev/null .adobe

    ln -s /dev/null .macromedia

  17. ^^
    thank you Privacy Guy!

