
Zombie Cookies From Hell

You're pretty savvy when it comes to internet privacy, right? You have cookies turned off by default, and you run NoScript, AdAware, and FlashBlock. You think you're taking reasonable measures to protect your privacy, but you might as well not bother. Zombie cookies are here, and they're nearly impossible to get rid of. It's every advertiser's fantasy turned into reality.

The war against "persistent zombie cookies", cookies that you can't get rid of even when you delete them, has just taken a new turn for the worse. A JavaScript API by developer Samy Kamkar called "Evercookie" changes the game completely, and not in a good way.

The evercookie technique stores a user ID and cookie data in not two, not three, but eight different places, and more cookie locations are being added shortly.

That's bad, but wait, it gets worse: if you try to delete the cookies that evercookie stores and you miss just one of them, evercookie can simply access one of its other multiple stored cookie locations to resurrect your user ID and restore the full set of tracking cookies. It also relies on cross-browser techniques so it works on IE, Firefox, Opera, Safari, and most other browsers.

Even worse, if the "Local Shared Object" cookie is intact, evercookie can (and will) spread its cookies to other browsers you use on a particular machine. Let's say you start IE, visit a site, and an evercookie gets installed. If you quit IE and start Firefox, bingo: now Firefox is also being tracked with the same information.
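The respawning described above can be spotted from the defender's side by comparing storage snapshots taken before clearing, right after clearing, and after revisiting the site. The JavaScript below is an added example, not evercookie's code or anything from the original post; the store names, the `uid` key, and all snapshot values are constructed for illustration.

```javascript
// Constructed snapshots: store name -> { key: value }. Store names are illustrative.
const before = {
  httpCookie:   { uid: "a91f3c", theme: "dark" },
  localStorage: { uid: "a91f3c" },
  flashLSO:     { uid: "a91f3c" },
  windowName:   {},
};
const afterClear = {           // user deleted cookies and localStorage only
  httpCookie:   {},
  localStorage: {},
  flashLSO:     { uid: "a91f3c" },
  windowName:   {},
};
const afterRevisit = {         // same site loaded again
  httpCookie:   { uid: "a91f3c", theme: "light" },
  localStorage: { uid: "a91f3c" },
  flashLSO:     { uid: "a91f3c" },
  windowName:   {},
};

// Every store in a snapshot that still holds `value` under any key.
function storesHolding(snapshot, value) {
  return Object.keys(snapshot).filter((store) =>
    Object.values(snapshot[store]).includes(value));
}

// Cookies that were deleted, came back with the same value, and whose value
// survived the deletion in at least one other store.
function findRespawned(before, afterClear, afterRevisit, cookieStore = "httpCookie") {
  const findings = [];
  for (const [name, value] of Object.entries(before[cookieStore] || {})) {
    const wasDeleted = !(name in (afterClear[cookieStore] || {}));
    const cameBack = (afterRevisit[cookieStore] || {})[name] === value;
    const survivedIn = storesHolding(afterClear, value);
    if (wasDeleted && cameBack && survivedIn.length > 0) {
      findings.push({ name, value, survivedIn });
    }
  }
  return findings;
}

console.log(JSON.stringify(findRespawned(before, afterClear, afterRevisit)));
```

The `theme` cookie is not flagged because it returns with a fresh value, while `uid` is flagged because the identical identifier survived in a store the user did not clear.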

Is this evil? Absolutely, but Samy Kamkar didn't do this with evil intentions; he did it to raise awareness of the relentless tracking that advertisers are doing to us with every page we browse. As mentioned above, this is every advertiser's fantasy turned into reality.

"I hope evercookie simply demonstrates to people what types of methods are being employed to track them and to decide whether or not they want to prevent those methods," Kamkar said. "Evercookie took less than a day to create for me as a security hobbyist, so I can only imagine the technology that funded developers are producing."

One ray of hope still exists, however. Kamkar says that using the "safe browsing" mode in recent browsers provides some protection. "I found that using 'Private Browsing' in Safari stops all evercookie methods," he said. Yes, but for how long?

Check it out at: http://samy.pl/evercookie/
