Wednesday, September 22nd, 2010

Evercookie – using a lot of solutions to force a persistent cookie

Category: Security

Samy has put together an impressive solution to store persistent cookies on users’ computers even when they have cookies disabled. The Evercookie script reaches deep into the toolbox to fish out some very interesting and devious tricks for local storage:

TODO: adding support for:

Pretty impressive. The only thing working around it is NOSCRIPT.

Posted by Chris Heilmann at 2:59 pm


It IS impressive tech. Though… if you have to go to these lengths to prevent people from deleting your cookie I can only imagine what your site is doing that would motivate them to work so hard. Perhaps your site, not cookie persistence, is the thing that needs to be fixed.

Comment by tack — September 22, 2010

This thing truly is amazing. Google Chrome finds a cookie set by Firefox 3.6 in safe browsing mode. I don’t even have to stress just how crazy that is…

Comment by SchizoDuckie — September 22, 2010

Additional note: Chrome incognito mode is safe though

Comment by SchizoDuckie — September 22, 2010

Opera 10.62 deletes the Evercookie if you use “Settings” -> “Delete private data”.

Comment by Fireblaze — September 23, 2010

I honestly don’t understand how this is defensible. Store what data you like on your own server, but going to these extreme lengths to store data the user specifically wants to get rid of is morally reprehensible if not illegal in many countries. If the user goes to SPECIFICALLY remove cookies they should be safe that it does in fact disappear. This is no better than whatever spyware you’d care to mention! Hopefully someone will make an addon to remove this crap or perhaps it could be done by ccleaner or something, either way it’s ridiculous that you think it’s fine to use the user’s computer in this way – it’s not yours, what right do you have to store things on it they specifically don’t want?!

Comment by thor84 — September 23, 2010

Impressive, but recent actuality has proved that this is illegal:

Comment by ywg — September 23, 2010

With cache exploitation it’s probably possible to resurrect a cookie without javascript.
Another trick they could use is IE’s userData extension.

Comment by Joeri — September 23, 2010

This seems like black-hat territory to me, and not the kind of technique or anti-user mindset that should be encouraged in mainstream web development. If a user has disabled cookies, your application should respect that. If it’s going to prevent your app from working properly, then inform the user of that fact and provide them instructions on how to enable cookies for your site.

Comment by Amtiskaw — September 23, 2010

There’s also IE’s old userData-behavior, kind of an ancestor to all the supercookies. Here’s a demo: – works in Internet Explorer 5 – 9.

Comment by wortwart — September 23, 2010

I am amazed that this site not only links to such a script but actually calls it impressive. This thing goes against almost every aspect of a friendly and open web. This type of script is used by unethical people for their own purposes without regarding the wishes of the visitor. What’s next Ajaxian, how about linking us to an article explaining how to hack Facebook for advertisement purposes?

Comment by travisalmand — September 23, 2010

Put this in my autoexec.bat:

Comment by Jordan1 — September 23, 2010

Yes all of this is black-hat and not to be used in your systems. That doesn’t mean though that we shouldn’t report about the possibilities people have to exploit the technologies we right now consider the coolest new things to do. Only then can we fix them.

HTML5 empowers developers and allows browsers to reach into areas that so far were not possible to reach. This comes with security concerns. If we know about them then we can fix them and appeal to browser vendors to safeguard against them. If we claim they don’t exist then we create a web that is insecure as the ActiveX hacks of old were.

I’d rather have Samy show the opportunities of exploitation than some web site use them without telling people. Making these practices illegal is not stopping people from using them. Patching browsers against them or making them prompt users does make them safer though.

The latest Twitter exploits show that we are currently forgetting even the simplest security measures but instead concentrate on moving from an API distributed web back to centrally controlled web interfaces. Showing examples like this explains just how vulnerable those are to abuse.

Comment by Chris Heilmann — September 23, 2010

I agree with your point “This thing goes against almost every aspect of a friendly and open web.”
But we are developing an unfriendly and closed web site, so Evercookie may help us.

Comment by arphen — September 23, 2010

@chris – sure, have the story explaining what’s going on. But then the report should be more like “hey! look at this exploit somebody came up with! how can we stop it?” as opposed to “hey! look at this impressive script! how can we use this unethical script to our own uses?”. After all, there is a lawsuit over this very topic so some people feel it’s very wrong to do something like this. I’m not exactly disputing the reporting of the script, which I agree sounds like I did, but I’m more disputing how it was reported; as impressive.
@arphen – at least you’re honest about it

Comment by travisalmand — September 24, 2010
