Browser cookies can provide everyone from advertisers to malware authors with useful information on things like unique identifiers and the sites a user has visited. But they’re also fragile, and can be deleted with a click of the mouse. So, in recent years, there has been a rash of cookies that are much harder to get rid of, that burrow into persistent files and continue to propagate even after the browser is reset. Eventually, in a proof of principle, security researcher Samy Kamkar developed evercookie, an especially persistent example. It turns out that it is possible to delete evercookie from most browsers, but the methods range from simple to positively baroque.
The first persistent cookies used Adobe’s Flash to store their data. Flash cookies aren’t deleted when you delete the browser’s normal cookie cache, and they can persist for much longer. With the right bit of code, it turned out to be possible to use Flash cookies to resurrect normal cookies that were deleted or expired in the browser’s collection. Other companies then used a similar technique to store cookies in HTML5’s local databases, which worked well when Flash wasn’t installed. When a site detects that a user-tracking cookie is missing, it can simply pull the ID out of HTML5 storage, and recreate the cookie with it.
That apparently prompted Kamkar to raise awareness of the privacy issues by making evercookie, which uses all these techniques and more. Flash cookies, Silverlight cookies, and three different types of HTML5 storage are all used to hold the cookie data. In perhaps its most devious move, evercookie forces the browser to cache a PNG image that stores an identification code in one of the color channels.
It seems that Kamkar’s goal of raising awareness has worked, in that people are finding ways of purging evercookie and, in doing so, have made us all aware of where some of the persistent storage resides.
Dominic White, a security consultant in South Africa, apparently started the efforts by figuring out how to purge evercookie from Safari. A reset and restart of Safari was enough to get rid of the standard cookies and the PNG, but that left HTML5 local stores and a Flash cookie behind. White wrote a script to kill these files—Safari puts its local storage in a user’s /Library/Safari/ folder, in the “Databases” and “LocalStorage” directories.
It turns out to be not entirely necessary to hunt down Flash’s local storage and kill the entire file. As the subsequent instructions for Chrome and Firefox point out, Adobe hosts a webpage that provides access to all of Flash’s cookies, and lets you delete them individually or en masse. You can right-click on any Silverlight app to do the same. Both of these browsers appear to clear local storage when reset.
Where things really get grim is with the mobile version of Safari. Although this version of Safari doesn’t support Flash or Silverlight, the directories it uses to hold local storage are sandboxed off from all other applications, and there is apparently no way to delete this. To clear evercookie from an iPhone, White first had to jailbreak it and then run a script. Worse still, any application that uses a Web view to display HTML content also creates an individual risk; White’s script has to crawl through the entire phone’s directory structure to purge them all.
So far, there don’t seem to be equivalent fixes for Internet Explorer, although applications are available that claim to be able to remove it. We were unable to find anything on Android phones, either.
It’s nice to know that even if it’s inconvenient, it is possible to kill the toughest cookie we know about. But Kamkar has hinted he has other tricks planned, so this might turn into a bit of an arms race. Still, it’s one that sophisticated users may benefit from, as various forms of storage that might be used by advertisers or malware authors are made apparent.