evercookie: the one cookie that you... just... can't... DELETE!
Limping and dripping from the maws of incorrigible security bod Samy Kamkar comes evercookie. As the name suggests, deleting an evercookie isn't easy -- in fact, once you've taken a nibble, that's it: you can't delete it.
Of course, no benevolent person would ever use evercookie -- you'd have to be a nefarious money-grabbing megalomaniac! -- but the sheer number of clever hacks, cheap tricks and snarky ingenuity employed to make evercookies invulnerable makes this project very interesting indeed. All told, evercookie uses eight different storage locations for its cookie, ranging from HTTP and Flash cookies through to HTML5's new storage methods and 'RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out' (really!).
If the cookie can be found in any one of those locations, it can be rebuilt (and then stored in all eight places again!) Basically, unless you know exactly what you're doing (and you have a lot of spare time to hunt down all of the cookies), you can forget about ever deleting an evercookie.
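The respawn behaviour described above, modelled as an added example (not evercookie's own code) to show why a cleaner that misses a single store achieves nothing. The store labels, `pageLoad`, `clean` and `residualStores` are all hypothetical names, and each store is just an in-memory Map.

```javascript
// Toy model (constructed): each store is an in-memory Map standing in for one
// browser storage location. The labels are illustrative, not evercookie's API.
const STORE_NAMES = [
  "http_cookie", "flash_cookie", "png_cache", "html5_session",
  "html5_local", "store_6", "store_7", "store_8",
];

const makeBrowser = () => new Map(STORE_NAMES.map((name) => [name, new Map()]));

// Respawn logic as the article describes it: if any one store still holds the
// value, rebuild from it and write it back to every store.
function pageLoad(browser, key, freshId) {
  let value = freshId;
  for (const store of browser.values()) {
    if (store.has(key)) { value = store.get(key); break; }
  }
  for (const store of browser.values()) store.set(key, value);
  return value;
}

// A cleaning tool only wipes the stores it knows about.
function clean(browser, key, coveredStores) {
  for (const name of coveredStores) browser.get(name).delete(key);
}

// Defender's check: which stores still hold the identifier after cleaning?
function residualStores(browser, key) {
  return [...browser].filter(([, store]) => store.has(key)).map(([name]) => name);
}

function demo() {
  const browser = makeBrowser();
  pageLoad(browser, "uid", "visitor-A");              // first visit
  clean(browser, "uid", STORE_NAMES.slice(0, 7));     // cleaner misses one store
  const missed = residualStores(browser, "uid");
  const afterPartial = pageLoad(browser, "uid", "visitor-B");
  clean(browser, "uid", STORE_NAMES);                 // full-coverage clean
  const afterFull = pageLoad(browser, "uid", "visitor-C");
  return { missed, afterPartial, afterFull };
}

console.log(demo());
```

After the seven-store clean the old identifier comes back on the next page load; only a clean that covers every store before the next load yields a fresh one.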
It's horrible, really, but I feel I must bring this project under the scorching eye of public scrutiny. This is, after all, the work of a security expert -- rather than thinking of this as an evil piece of code that will be bent to the evil, omnipresent will of Google, think of it as the inoculation that strengthens us for what will surely follow. As it stands, evercookie could be deployed on any server.
Evercookie is open source, and I encourage anyone that values their privacy to see exactly how and where it stores its cookies. For now it's only in eight locations, but Samy already has plans for two more: Silverlight Isolated Storage and a Java method based on your NIC's details.
The worst thing is, such a cookie implementation might already be in the wild. Samy might not be the first person or corporation to try such a crazy, but fundamentally brilliant, idea!
Comments (16)
Drakkenfyre, Sep 21st 2010 7:09PM
Give it to the programmers of CCleaner. They will put the ability to clean it out in a future version.
Andrew Ziem, Sep 26th 2010 7:18PM
Why wait? BleachBit 0.8.1 cleans evercookies now
http://bleachbit.sourceforge.net/news/test-bleachbit-081-beta
Quad5Ny, Sep 21st 2010 7:08PM
Wonderful.
3tear, Sep 21st 2010 7:15PM
http://img844.imageshack.us/img844/9609/54zhb1.gif
Sebastian Anthony, Sep 21st 2010 7:15PM
*wonders if he can legally change the story's image to that*
Thomas Houston, Sep 22nd 2010 7:38AM
an all time favorite gif. don't even want to know how many minutes i've spent watching it.
sRc, Sep 22nd 2010 9:10AM
that was an awesome episode of Cake Boss
Anthony, Sep 21st 2010 7:30PM
COOKIES! Dammit, now I'm hungry. :P
ryan, Sep 21st 2010 9:51PM
the link in the story actually installs said cookie. Ouch.
Sebastian Anthony, Sep 22nd 2010 7:38AM
Yeah, I forgot to mention that -- but I think it's just for testing purposes... :)
war59312, Sep 21st 2010 10:27PM
Another reason why we (the world) need more privacy laws. And of course they need to be enforced!!
Phylop, Sep 22nd 2010 3:16AM
Those aren't cookies, they're chicken tenders!
Aankhen, Sep 22nd 2010 7:12AM
It (unsurprisingly, given that it’s a JS library) seems to be stymied by a lack of both JS and cookies, FWIW. Perhaps all hope is not lost? I can’t stop a site I’ve allowed JS and cookies on from doing this, of course.
Sebastian Anthony, Sep 22nd 2010 7:40AM
Ya, true -- NoScript is generally the way forward, if you're a big-time privacy/security nut.
As you say, though, I wouldn't be surprised to see such a method used by some big corporation on a site that you've allowed JavaScript on...
BugMeNot, Sep 23rd 2010 12:54AM
It appears that BetterPrivacy successfully breaks it. And since we all have BetterPrivacy installed anyway in order to stop Google et al. from tracking us I am not scared by this new thing.
agx, Oct 11th 2010 9:15PM
Deleting the login or userID seems to work for me. The "problems" the cookie creates for the user are predicated on the idea that we won't delete large sections of our file structures.
On most systems, creating and deleting logins or userIDs often only takes a few moments. Using this method, I was able to stomp out an evercookie in about two minutes.
Details here: http://www.agxphoto.com/2010/10/temporarily-shake-evercookie-with-user.html
If you have the guts to delete it and start over, then many of these other people who try to misuse your computer aren't prepared to sustain their efforts against you.