Researcher Claims ‘Evercookie’ Can’t Be Removed

Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:36:00


Call it “Frankencookie:” a security researcher has released a tracking cookie that he claims is nearly impossible to remove. Dubbed “evercookie,” it is designed to raise awareness about the ease with which Web site operators can evade privacy tools designed to eliminate shield visitors’ privacy.

Evercookie is a javascript API that produces browser cookies that are “extremely persistent,” according to details provided on the Web page of its creator, Samy Kamkar. The cookie is capable of storing data in several types of storage containers on a system where it is installed, then regenerating itself in the event that a user clears out his or her browser cookies after a Web session.

Related Posts

Apple Patches Trident Vulnerabilities in OS X, Safari

September 2, 2016 , 10:00 am

Chrome 53 Fixes Address Spoofing Vulnerability, 32 Other Bugs

September 1, 2016 , 11:52 am

Patched ColdFusion Flaw Exposes Applications to Attack

September 1, 2016 , 9:15 am

Kamkar gained gained notoriety in 2005 for creating the Samy cross site scripting worm, which traversed the MySpace social network, adding each of its victims as a “fan” of Kamkar’s MySpace profile. It was one of the first widespread pieces of malicious code to target social networks, with more than a million MySpace users falling victim to the attack. In recent months, he has also published research showing how vulnerabilities in home Internet routers could be combined with geolocation data to reveal Web users’ physical location.

Kamkar designed evercookie to raise awareness about the privacy issues raised by tracking cookies including traditional HTML cookies and close kin like Adobe Flash local shared objects (or LSOs), which can store personal data on user’s computers that can be accessed by Web sites to understand user behavior. LSOs often enable tracking in spite of browser privacy settings that may restrict the types of data stored in cookies.

“(Evercookie) is just exposing methods people are already using (or are going to start using more with some of the new HTML5 technologies),” Kamkar wrote in an instant message chat with “The thing is it’s only super technical people that typically know about these methods.”

Kamkar, who is on a speaking tour in Europe, said he created Evercookie in a single day. “That was part of the impetus, it just seemed so easy…people should know how easy it is for people to do this level of tracking,” he wrote.

Evercookie takes a shotgun approach to cookie creation, in the hopes of maintaining persistence on endpoints. In addition to creating a standard HTTP cookie, Evercookie stores client specific information in other locations that are accessible by most common Web browsers including local shared objects (LSOs) created by Adobe’s Flash technology. It also leverages a number of HTML extensions introduced with HTML5, the newest specification for the Web’s main authoring language. HTML5 Session Storage, HTML5 Local Storage and HTML5 Global Storage are all leveraged to store cookie data. HTML5’s new Canvas tag is used to read cookie data stored in the RGB values of PNG format files.

Evercookie is available as open source code. To use it, Web sites need to make it available to their Web server. Kamkar offers Evercookie in a variety of flavors: javascript, Adobe Flash (.SWF) and PHP. The Flash version allows evercookie to take advantage of Flash local shared object storage, whereas the PHP version of evercookie is used to store and retrieve session data in cached PNG files, he wrote.

Kamkar said he has not tested the various browser privacy and cookie deletion features against ever cookie, but said One or more of these storage containers is typically missed by the “clear cookies” feature in the dominant browsers – and only one of the eight storage methods needs to work, said Kamkar.

“When you come back to my site, if I see ANY of those tags, I still know who you are, and even worse, I can then reset any cookies you’ve deleted,” he wrote.

One exception he knows of is Apple’s Safari browser. Enabling the Private Browsing feature on that application blocks all the evercookie methods, though Kamkar admits he has not tested his cookie against other leading Web browsers.

Microsoft and Google did not immediately respond to requests for comment and it isn’t known whether whether existing cookie removal features in those browsers will work against the methods used by evercookie.

The security implications of features that come with next generation technologies for presenting data online and creating interactive Web applications is a hot topic. Security experts have warned that the sprawling new HTML5 Web standard may favor functionality over security, enabling a new generation of powerful Web based attacks.