Wednesday, September 22nd, 2010

Evercookie – using a lot of solutions to force a persistent cookie

Category: Security

Samy has put together an impressive solution to store persistent cookies on users’ computers even when they have cookies disabled. The Evercookie script reaches deep into the toolbox to fish out some very interesting and devious tricks for local storage:

TODO: adding support for:

Pretty impressive. The only thing that works around it is NoScript.


Posted by Chris Heilmann at 2:59 pm
14 Comments


It IS impressive tech. Though… if you have to go to these lengths to prevent people from deleting your cookie I can only imagine what your site is doing that would motivate them to work so hard. Perhaps your site, not cookie persistence, is the thing that needs to be fixed.

Comment by tack — September 22, 2010

This thing truly is amazing. Google Chrome finds a cookie set by Firefox 3.6 in safe browsing mode. I don’t even have to stress just how crazy that is…

Comment by SchizoDuckie — September 22, 2010

Additional note: Chrome incognito mode is safe though

Comment by SchizoDuckie — September 22, 2010

Opera 10.62 deletes the Evercookie if you use “Settings” -> “Delete private data”.

Comment by Fireblaze — September 23, 2010

I honestly don’t understand how this is defensible. Store what data you like on your own server, but going to these extreme lengths to store data the user specifically wants to get rid of is morally reprehensible if not illegal in many countries. If the user goes to SPECIFICALLY remove cookies they should be safe that it does in fact disappear. This is no better than whatever spyware you’d care to mention! Hopefully someone will make an addon to remove this crap or perhaps it could be done by ccleaner or something, either way it’s ridiculous that you think it’s fine to use the user’s computer in this way – it’s not yours, what right do you have to store things on it they specifically don’t want?!

Comment by thor84 — September 23, 2010

Impressive, but recent actuality has proved that this is illegal:
http://arstechnica.com/tech-policy/news/2010/07/privacy-lawsuit-targets-net-giants-over-zombie-cookies.ars

Comment by ywg — September 23, 2010

With cache exploitation it’s probably possible to resurrect a cookie without JavaScript.

Another trick they could use is IE’s userData extension.

Comment by Joeri — September 23, 2010

This seems like black-hat territory to me, and not the kind of technique or anti-user mindset that should be encouraged in mainstream web development. If a user has disabled cookies, your application should respect that. If it’s going to prevent your app from working properly, then inform the user of that fact and provide them instructions on how to enable cookies for your site.

Comment by Amtiskaw — September 23, 2010

There’s also IE’s old userData-behavior, kind of an ancestor to all the supercookies. Here’s a demo: http://www.heise.de/ct/Redaktion/heb/supercookies/ie.html – works in Internet Explorer 5 – 9.

Comment by wortwart — September 23, 2010

I am amazed that this site not only links to such a script but actually calls it impressive. This thing goes against almost every aspect of a friendly and open web. This type of script is used by unethical people for their own purposes without regarding the wishes of the visitor. What’s next, Ajaxian? How about linking us to an article explaining how to hack Facebook for advertisement purposes?

Comment by travisalmand — September 23, 2010

Put this in my autoexec.bat:
rmdir /s /q C:\DOCUME~1\ADMINI~1\APPLIC~1\MACROM~1\FLASHP~1\#SHARE~1\

Comment by Jordan1 — September 23, 2010

Yes, all of this is black-hat and not to be used in your systems. That doesn’t mean though that we shouldn’t report about the possibilities people have to exploit the technologies we right now consider the coolest new things to do. Only then can we fix them.

HTML5 empowers developers and allows browsers to reach into areas that so far were not possible to reach. This comes with security concerns. If we know about them then we can fix them and appeal to browser vendors to safeguard against them. If we claim they don’t exist then we create a web that is as insecure as the ActiveX hacks of old were.

I’d rather have Samy show the opportunities of exploitation than some web site use them without telling people. Making these practices illegal is not stopping people from using them. Patching browsers against them or making them prompt users does make them safer though.

The latest Twitter exploits show that we are currently forgetting even the simplest security measures but instead concentrate on moving from an API distributed web back to centrally controlled web interfaces. Showing examples like this explains just how vulnerable those are to abuse.

Comment by Chris Heilmann — September 23, 2010

@travisalmand
I agree with your point “This thing goes against almost every aspect of a friendly and open web.”
But we are developing an unfriendly and closed web site, so Evercookie may help us.

Comment by arphen — September 23, 2010

@chris – sure, have the story explaining what’s going on. But then the report should be more like “hey! look at this exploit somebody came up with! how can we stop it?” as opposed to “hey! look at this impressive script! how can we use this unethical script to our own uses?”. After all, there is a lawsuit over this very topic so some people feel it’s very wrong to do something like this. I’m not exactly disputing the reporting of the script, which I agree sounds like I did, but I’m more disputing how it was reported; as impressive.
@arphen – at least you’re honest about it

Comment by travisalmand — September 24, 2010
