Flash takes over your camera and microphone and writes permanent cookies!

REMOVE FLASH!

Flash takes control of your webcam and mike. without permission!

Web sites advertisers can now silently access your camera and/or microphone and write up to 13 copies of a new type of cookie that was quietly introduced “last year” = 2009. It’s officially called the Local Shared Object (LSO), commonly called a Flash cookie. More persistent and much more dangerous than HTTP cookies, it can hold 100 kb of binary data [executable], and it requires installing new web browser versions or extensions to remove.

websites can switch on a webcam and a microphone, without necessarily providing any information to the computer user that this has happened. When you install Flash, by default, the Flash player will ask permission before switching them on. However … Unscrupulous websites can alter these settings without the users knowledge, as the Flash player can be remotely configured.

“The tool has a great deal of potential to undermine browsing privacy.”

In 2013, a top-secret NSA document was leaked citing Evercookie as a method of tracking users.

December 5, 2010
Wired reported that “online tracking firm Quantcast has agreed to pay $2.4 million to settle a class action lawsuit alleging [because] it secretly used Adobe’s ubiquitous Flash plug-in to re-create tracking cookies after users deleted them.”
—
A wide swath of the net’s top websites, including MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd, were sued in federal court on the grounds they violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.

At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers.
—
March 4, 2011
Amazon.com Privacy Class Action Lawsuit Complaint.

A class action lawsuit has reportedly been filed against Amazon.com in the United States District Court in Seattle Washington, alleging, among other things, that [because] Amazon circumvents internet web browser privacy settings to collect personal information without permission by allegedly [deliberately] tricking or spoofing Microsoft Internet Explorer by using … Flash cookies to transmit data via Adobe Flash Player to circumvent Internet Explorer web browser privacy settings, according to an Amazon.com web browser privacy class action lawsuit news report.

Call your Senator and protest!

If you do not want to be threatened by Adobe’s Flash player, don’t install Google Chrome as Google decided to integrate Flash natively in Chrome it will run flash without asking and there is no way to disable it.(!)

More Good Reasons to remove Flash

Flash cookies a.k.a. Zombie cookies a.k.a. Evercookies
* can contain a lot more information than a normal cookie [and in binary so that it is executable]
* the browser knows nothing about them, as their use is part of the Flash object, and not done through normal HTML which the browser would understand
* deleting cookies through the browser will not delete Flash cookies
* they can have an unlimited life
* a website can use the information in Flash cookies to rebuild normal cookies that have been deleted
* Flash cookies themselves have .sol extensions
* they are listed twice, in a number of [deeply] nested folders inside two folders called
in Linux:
~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/
and
~/.macromedia/Flash_Player/#SharedObjects/[XXXXXX]//[www.visited.web.sites]
in Windows XP they are in
C:\Documents and Settings\[USERNAME]\Application Data\Macromedia\Flash Player
in Windows 7 they are in
C:\Users\[USERNAME]\AppData\Roaming\Macromedia\Flash Player
– I think this path also applies to Vista

How to regain control over your webcam

How to Delete zombie Flash Cookies [ TURN OFF Flash to regain control over your webcam! ]
Jeremiah Grossman; October 13, 2010

First
0) Disable Flash (until you absolutely need it)

1) Manually delete the 2 folders under macromedia/Flash_Player/ (macromedia.com and #SharedObjects) (see the paragraph above)
Also, if you have Microsoft’s Silverlight, that is another place you will have to delete:
2) Delete Silverlight Isolated Storage:
Go to http://www.silverlight.net/
Right click the Silverlight application (any app will do)
Silverlight Preferences > Application Storage > Delete all … Click “Yes”
* Optionally disable “Enable application storage”
[this might permanently stop silverlight (?)]

3) Clear Browsing Data

– [Your-Browsers] > Tools > Clear Browsing Data… (“Clear Recent History”)
– Select all options [at least Cookies and Cache]
– Clear data from this period: Everything
– Click “Clear Browsing data”

Lastly,
4) Disable Flash until you absolutely need it, then do steps 1. through 4. all over again.

NOTE: There are many web sites offering (windows) flash cookie cleaners. This is a golden opportunity for organized crime. Take their virus, key-logger, or root-kit, and add a script to it that deletes cookies. offer it to everyone for free, (!!) and; Bingo! they now have the opportunity to fleece, defraud, swindle you out of everything.
There is only one that has won an award and is offered at several well-known sites that are trustworthy (like Ziff-Davis Publishing and CNET.com). Get it through CNET at www.FlashCookieCleaner.com
and run it each time after turning off (!) Flash.

in Linux, I did a search and only found .sol cookies buried deeply under ~/.macromedia/Flash_Player/ and, according to Carla Schroder, below, that’s it. You can make the folders un-writeable and the cookies cannot be created. period.
chmod -Rv 0500 .macromedia/Flash_Player/

What Are Flash Cookies and Why Should I Care?
Carla Schroder

Modern Web browsers include cookie managers, but … none of these are aware of Flash cookies. Adobe has a Flash cookie manager. That’s right, it’s on Adobe’s Web site. That is the actual manager that reads the cookies on your computer.

There are several tabs that reveal various interesting options, such as “Click always ask, to require any Website to ask permission if it wants to access your camera and/or microphone.” Isn’t that special! [since when do cookies have anything to do with taking over your webcam or microphone!?]

Like any cookie manager it gives you a bit of fine-tuning so you can block or allow Flash cookies from various Websites. [yeah, and what about our webcams?! … besides, all 13 copies?! I doubt it.]

Managing Flash Cookies the Linux Way
In Linux, it works to make the macromedia folders unwriteable and Flash can do nothing about it:
chmod -Rv 0500 .macromedia/Flash_Player/

Carla Schroder is the author of the Linux Cookbook and the Linux Networking Cookbook (O’Reilly Media), the upcoming “Building a Digital Sound Studio with Audacity” (NoStarch Press), a lifelong book lover, and the managing editor of LinuxPlanet and Linux Today.

October 19, 2010
by Dennis Fisher

The persistent method that security researcher Samy Kamkar introduced last week for storing tracking data on a user’s machine, known as the “Evercookie,” is even more worrisome when used on mobile devices, according to another researcher’s analysis.

[The Evercookie was] created by Kamkar as a demonstration of a way that sites could use to persistently track users even after they clear their browser cookies, the Evercookie has drawn the attention of a number of other researchers who have spent some time looking for methods to defeat it.

A researcher in South Africa took a look at the way the the Evercookie works on both Safari on the desktop and on mobile devices, and found that it can be undone in some circumstances. However, he also found that the mobile version of Safari fares far worse in its handling of the Evercookie than the standard version does.

“My second most frequent browsing platform is my iPhone, and I thought I would investigate how Apple IOS, MobileSafari & embedded WebKit fares. It does much worse. The problem is, any app which embeds MobileWebKit has it’s own stores. Even if you go to your settings and delete local databases, you haven’t cleared the cookies, caches & stores in the other apps. Even if you do clear your MobileSafari store, the HTML5 localStorage mechanism isn’t properly cleared and the cookie reloads itself,” Dominic White wrote in analysis of the Evercookie on an iPhone.

White wrote a script that will go through and delete the cookie from all of the relevant WebKit databases on the iPhone. The script only works on jailbroken iPhones. Jeremiah Grossman of WhiteHat Security also developed a method for removing the Evercookie from Google Chrome, without going through a browser restart.

Kamkar’s Evercookie is a JavaScript API that takes advantage of a number of available storage locations in a user’s browser to store persistent data. In most cases, the cookie will persist even after a user clears his the cookies from his browser or manually goes in and attempts to delete specific files on the machine.

“Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available,” Kamkar said in his introduction of the Evercookie:

October 11, 2010: Reported on the front page of the New York Times

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

With all the methods available, currently thirteen, it only takes one cookie to remain for most, if not all, of them to be reset again.

If a user gets cookied on one browser and switches to another browser, as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers.

Specifically, when creating a new cookie, it uses the
following storage mechanisms when available:
– Standard HTTP Cookies
– Local Shared Objects (Flash Cookies)
– Silverlight Isolated Storage
– Storing cookies in RGB values of auto-generated, force-cached
PNGs using HTML5 Canvas tag to read pixels (cookies) back out
– Storing cookies in Web History
– Storing cookies in HTTP ETags
– Storing cookies in Web cache
– window.name caching
– Internet Explorer userData storage
– HTML5 Session Storage
– HTML5 Local Storage
– HTML5 Global Storage
– HTML5 Database Storage via SQLite

FAQ

How do I stop websites from doing this?
So far, I’ve found that using Private Browsing in Safari will stop ALL evercookie methods

How does the PNG caching work?
When evercookie sets a cookie, it accesses evercookie_png.php with a special HTTP cookie, different than the one used for standard session data. This special cookie is read by the PHP file, and if found, generates a PNG file where all the RGB values are set to the equivalent of the session data to be stored. Additionally, the PNG is sent back to the client browser with the request to cache the file for 20 years.

When evercookie retrieves this data, it deletes the special HTTP cookie, then makes the same request to the same file without any user information. When the PHP script sees it has no information to generate a PNG with, it returns a forged HTTP response of “304 Not Modified” which forces the web browser to access its local cache. The browser then produces the cached image and then applies it to an HTML5 Canvas tag. Once applied, evercookie reads each pixel of the Canvas tag, extracting the RGB values, and thus producing the initial cookie data that was stored.

Evercookie: the one cookie that you… just… can’t… DELETE!

by Sebastian Anthony on September 21, 2010; downloadsquad.switched.com/2010/09/21

As the name suggests, deleting an evercookie isn’t easy — in fact, once you’ve taken a nibble, that’s it: you can’t delete it.

Of course, no benevolent person would ever use evercookie — you’d have to be a nefarious money-grabbing megalomaniac! — but the sheer number of clever hacks, cheap tricks and snarky ingenuity employed to make evercookies invulnerable makes this project very interesting indeed. All told, evercookie uses eight different storage locations for its cookie, ranging from HTTP and Flash cookies through to HTML5’s new storage methods and ‘RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out’ (really!).

If the cookie can be found in any one of those locations, it can be rebuilt (and then stored in all eight places again!) Basically, unless you know exactly what you’re doing (and you have a lot of spare time to hunt down all of the cookies), you can forget about ever deleting an evercookie.

It’s horrible, really, but I feel I must bring this project under the scorching eye of public scrutiny. This is, after all, the work of a security expert — rather than thinking of this as an evil piece of code that will be bent to the evil, omnipresent will of Google, think of it as the inoculation that strengthens us for what will surely follow. As it stands, evercookie could be deployed on any server.

Evercookie is open source, and I encourage anyone that values their privacy to see exactly how and where it stores its cookies. For now it’s only in eight locations, but Samy already has plans for two more: Silverlight Isolated Storage and a Java method based on your NIC’s details.

The worst thing is, such a cookie implementation might already be in the wild. Samy might not be the first person or corporation to try such a crazy, but fundamentally brilliant, idea!

Nevercookie Eats Evercookie With New Firefox Plugin

www.securityweek.com/nevercookie-eats-evercookie-new-firefox-plugin
By Mike Lennon, Nov 10, 2010

Update – The company has since released a beta version of the Nevercookie plug-in

Anonymizer, Inc., a company that helps protect consumer’s privacy and offers anonymity solutions, announced today that it has developed Anonymizer Nevercookie, a free Firefox plugin that protects against the Evercookie, a javascript API built and made available by Samy Kamkar (same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location) who set out to prove that the more you store and the more places you store it, the harder it is for users to control a Web site’s ability to uniquely identify their computer.

The plugin extends Firefox’s private browsing mode by preventing Evercookies from identifying and tracking users.

“Recent developments in Web tracking technologies have rendered the privacy tools built into browsers almost completely ineffective,” said Lance Cottrell, founder and chief scientist for Anonymizer. “Anonymizer Nevercookie will close the gap between Firefox’s privacy features and actual privacy so that when you go into private browsing mode, you are truly protected.”

Evercookie is a new, more persistent cookie form that enables the storage of cookie data in a number of different locations, such as Flash cookies and various locations of HTML5 storage. This allows websites to track user behavior even when users have enabled private browsing. Because an Evercookie stores data in locations outside of where standard cookies are stored, an Evercookie can rebuild itself unless users go through a number of steps to completely clear and reset their local storage.

Anonymizer Nevercookie simplifies this process and eliminates the manual steps required to completely remove Evercookies. And it does so without also removing all of the necessary cookies that a user actually wants to keep, such as those for browsing history and remembered logins. When Anonymizer Nevercookie is engaged along with Firefox’s private browsing mode, it quarantines an Evercookie and removes it after the browsing session.

Dr. Elie Burzstein, a noted Web security researcher at the Stanford University Research Lab, stated: “My testing and review found that when using Anonymizer Nevercookie along with Firefox’s private browsing mode, users are protected from all of the currently known tracking systems that use browser features to follow users across multiple sessions, such as Evercookie. Specifically, Nevercookie prevents abuse to both the Adobe Flash Local Storage Object (LSO) and Microsoft’s Silverlight Isolated Storage (MIS).”

The company says that Nevercookie will be available as a free download later this month.

Update: More technical details are available here: http://www.anonymizer.com/learningcenter/#lc_labs

How to murder a Flash cookie zombie

Flash cookies can be used to track you across the Web without telling you. Here’s how to cut their heads off.
by dan tynan; www.itworld.com/internet/118784/how-murder-a-flash-cookie-zombie

August 26, 2010, 02:37 PM –

The more I use Adobe Flash, the more I understand why Steve Jobs hates it. I can’t tell you how many times a misbehaving Flash video has crashed my browser and/or slowed my system to sludge. Happens at least once a week.

Well, here’s another good reason to hate Flash: Advertisers are using it to track your movements across the Web.

Or so claims a lawsuit filed by privacy attorney Joseph Malley, one of three he’s filed in the last two months against some of the biggest media heavyweights in the world — Disney, ABC, NBC, MTV, and a host of others.

All use them employ Web ad companies like Quantcast, Specificmedia, and Clearspring to deliver Flash ads, and all of those ads store Flash cookies on your hard drive.

So what’s wrong with that? For one thing, most people aren’t aware Flash even stores cookies. These cookie files are ridiculously hard to find and manage: You can’t get at them from your browser, and they’re buried several layers deep inside your Application Data folder on Windows PCs. They can store up to 100K of data per cookie, or about 25 times what a browser cookie can store. And they can be used to recreate tracking cookies you’ve deleted.

In other words, if you’ve told an advertiser you don’t want to be followed around the Web by deleting its tracking cookie, that advertiser can use Flash to ‘respawn’ that deleted cookie without telling you — and continue to track you in secret. Thus Malley’s lawsuits, which accuse all of those companies of breaking federal laws against computer intrusion and surveillance.

That respawning bit is why Flash cookies are also called “zombie” cookies. However, like real zombies, they can be stopped. … You just need to use Adobe’s Flash Player Settings Manager.

Though you access that control panel via the Web, it’s an app that runs on your PC. Naturally, the Adobe tool uses Flash — and (naturally) the first six times I tried to run the app it crashed my browser. In fact, the Settings Manager was blinking so wildly I feared it might induce an epileptic fit. But eventually, after way too much trial and error, I got it to work.

‘Clickjackers’ could hijack webcams, microphones, Adobe warns

By Gregg Keizer October 8, 2008

Adobe rated the vulnerability as “critical,” its highest threat ranking.

It issues security advisory for Flash, but won’t patch until later this month.

Computerworld – Adobe Systems Inc. warned users Tuesday that hackers could use recently reported “clickjacking” attack tactics to secretly turn on a computer’s microphone and Web camera.

Flash on all platforms is susceptible to clickjacking attacks, Adobe said in an advisory posted Tuesday. By duping users into visiting a malicious Web site, hackers could hijack seemingly innocent clicks that, in reality, would be used to grant the site access to the computer’s webcam and microphone without the user’s knowledge.

“This potential ‘clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog,” acknowledged David Lenoe, the company’s security program manager, in a post to Adobe’s security blog.

Although a patch is not ready — Lenoe said one would be issued by the end of October — Adobe’s advisory listed steps users can take immediately to block webcam and microphone hijacking. Adobe recommended that users access Flash’s Settings Manager using a browser to select the “Always deny” option.

Adobe rated the vulnerability as “critical,” its highest threat ranking.

According to Robert Hansen, one of the two security researchers who first raised the warning about clickjacking last month, Adobe will patch the bug in Flash 10, which already has been pegged for other fixes, including a flaw that’s been used by attackers for over a month to poison clipboards with URLs to malicious sites.

the problem is not fixed, only “mitigated”

Robert McMillan, IDG News
For those who can’t update to this new version of Flash, a Flash 9 security patch is still about a month off

Flash isn’t the only software that is vulnerable to a clickjacking attack, but Flash attacks have been considered among the most dangerous.

… clicking on what appears to be a regular Web link, in reality the victim would be clicking on something altogether different such as a Flash object that turned on his microphone. “It’s almost impossible for a user to determine what’s going to happen when they click on a link,” said Hansen, who is CEO of SecTheory.org, in an interview last week.

A clickjacker could wiretap victims’ PCs, … change a router or firewall configuration, create new Web mail accounts, or … download [mal]ware, Hansen said.

Because clickjacking affects other browser plugins, the best way to fix the clickjacking problem may be to change the way browsers work, Hansen said. “Browser makers understand the problem and they’re trying to find ways to mitigate it,” he said.

Hansen noted that Macs are particularly vulnerable to the Flash clickjacking attack, since all recent Apple notebooks and desktop systems include built-in cameras and microphones.

At the same time that Adobe posted its advisory, it gave Hansen and his research partner, Jeremiah Grossman, the green light to reveal clickjacking details that they had kept confidential at Adobe’s request.

Hansen posted a long entry to his blog that spelled out a dozen different clickjacking attack scenarios. Two weeks ago, when they provided only a general description of clickjacking, Hansen stressed that it was not a single exploit, but a new class of exploits.

He hammered that theme again on Tuesday. “There are multiple variants of clickjacking,” Hansen said in his blog post. “Some of it requires cross-domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn’t. Some variants use [cross-site request forgery] to pre-load data in forms, some don’t.”

Java is even more threatening than javascript. Java is a full-blown language, capable of doing just about anything.

Turning Off Java Applets

Some web pages provide a rich interactive experience with Java applets. However, some users that rely on keyboard navigation may experience problems with some Java applets that automatically set focus and do not provide a way to break out of the applet and navigate to the rest of the web page. If this is a problem for you, you can disable Java by going to Tools > Add-ons, selecting the Plugins panel, selecting the Java item(s) in the list, and then clicking Disable.

JavaScript Enable Statistics
[1] JavaScript Enabled —– 99.6%
[2] JavaScript Disabled —– 0.4%

Java Enable Statistics
[1] Java Enabled —– 96.4%
[2] Java Disabled —– 3.6%

Web and Internet Flash Enabled Statistics
Adobe Flash Player Statistics
[1] Flash Enabled —– 99.0%
[2] Flash Disabled —– 1.0%