Identifying & deleting evercookies in Firefox 12

Discussion in 'privacy technology' started by phkhgh, May 3, 2012.

Thread Status:
Not open for further replies.
  1. phkhgh

    phkhgh Registered Member

    I've read dozens of articles about evercookies.:eek: Not one described how to identify one - what do they look like? For those saying, "I've never heard of evercookies," (neither had I), see links below. I visited Bruce Schneier's site - articles about evercookies. He says one (non tracking) is placed on visitors' computers (unless they have browser configured / addons / java script disabled), that prevent evercookies.

    Unless he's joking,
    I can't find anything, but not sure exactly what to look for. From what I've read, they can take many forms & be "stored in several locations."
    Schneier's article mentions "locations"
    • Standard HTTP Cookies
    • Local Shared Objects (Flash Cookies)
    • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
    • Storing cookies in Web History (seriously. see FAQ)
    • HTML5 Session Storage
    • HTML5 Local Storage
    • HTML5 Global Storage
    • HTML5 Database Storage via SQLite
    For recent FF versions, I was under impression HTML5 data (DOM storage) was stored in webappstore.sqlite in the profile. If the (4) HTML5 storages are in diff locations than webappstore, where are they?

    I have ALL cookies disabled globally, but do have JS enabled. Disabling cookies isn't supposed to prevent evercookies. Have no addons claiming to block evercookies. How do I identify an evercookie - for testing purposes?

    BTW, I use a non-default profile location on a separate partition.

    Cleaning evercookies (if I ever identify them):
    I've read every solution imaginable - like anecdotal cures for a cold. BleachBit says will clean them, BUT DOES NOT detect FF profiles in non-default locations.

    CCleaner detects profiles in non-default locations, but AFAIK, doesn't clean evercookies.

    Some suggest using No Script, turn off java script & just allowing / whitelisting sites as needed. I've used it & is included in Tor Browser, but it's not a simple addon, even for me. Creates probs occasionally.

    So, any advice how I can identify evercookies & how to clean them, if using non-default profile location?

    I'm not surprised if readers haven't heard of it, though if one searches, there's plenty of info. These are just a few articles about evercookies. !st link has info about research on how many web sites were using this technology.

    Last edited: May 3, 2012
  2. JackReacher

    JackReacher Registered Member

    Thanks for bringing this up,
    Unfortunately I can't offer any help, in fact, I haven't even heard of an Evercookie. But I will definitely get started on some research. To clarify these are different than supercookies right?
  3. phkhgh

    phkhgh Registered Member

    Yes, definitely different than supercookies. Much worse in their capabilities & resistance to "death." One reason they're also referred to as Zombie cookies.

    I see the links I pasted don't work correctly (doing them same way on another site works??). I'll grab a bite to eat, then repost the links & a bit more info I've found.
  4. Phil McCrevis

    Phil McCrevis Registered Member

  5. m00nbl00d

    m00nbl00d Registered Member

    I believe evercookies were discussed in the past, at this forum. Search around; you may get a few ideas. :)
  6. EncryptedBytes

    EncryptedBytes Registered Member

    evercookies/zombie cookies are an interesting and annoying facet of our current web 2.0 so to speak. Though I feel simply calling the problem as "evercookie" doesn't really encompass what is involved. You should consider evercookies as each a separate problem. What do I mean? There are more than 10 common locations where such data is stored. So it is not possible for the average user to delete data at each location because you do not know which locations are being affected. That’s why it is also called extremely persistent cookie. There is also recreation cookies (Subset of evercookies) which can recreate cookie data of another location. Example being if an evercookie found that a user has removed any type of related cookie, it
    simple creates them again.

    The most common areas are :

    1. Standard HTTP cookies
    2. Local shared Objects (Flash)
    3. Sliverlight Isolated Storage
    4. Storing cookies in RGB values of auto generating,
    force-cached PNG's using HTML5 Canvas tag to
    read pixels (Cookies) back out
    5. Storing cookies in Web History
    6. Storing cookies in HTTP ETags
    7. Storing cookies in web cache
    8. caching
    9. Internet Explorer userData storage
    10. HTML5 Session Storage
    11. HTML5 Local Storage
    12. HTML5 Global Storage
    13. HTML5 Database Storage via SQLite

    For those wanting to test these cookies out themselves you can go to -

    So what can a user do?

    Well the 100% full proof method of removal of evercookies and any form of tracking data entered onto a system from the browser is to place said browser inside a hypervisor. Once your browsing is done you simply restore the VM image to a clean state. If you have the type of hardware to support sandboxing/virtualization easily i'd suggest that. (It is how I browse)

    The other method I'd say works 90% of the time is to lock down your browser of choice. OP unfortunately your methods here were correct in utilizing addons such as Noscript and setting up default deny policies (private browsing) with only trusted sources added to a white-listing.
  7. phkhgh

    phkhgh Registered Member

    Other companies are also providing the same type tracking cookie / data gathering service:
    At that site, see "3) PREVALENCE" for testing done by several people/ groups on #'s of site using this technology - quite a large %.

    I can NOT say this will work to block these java script type evercookies on EVERY site that might use the technology or some variant, but on the evercookie creator's "test" site (Samy Kamkar), the test to create a cookie on my computer, then come back after deleting all cookies, LSOs, etc., failed to set an evercookie because AdBlockPlus blocked the js script:
    The filter for this script was in FanBoy's Tracking list, from ADP v2.0.3.

    I CAN'T say ABP will block every type from every site. If you look at how many sites were using this technology, there are bound to be variants.

    I still don't know what one of these cookies would look like, because ABP blocked it for me. But the evercookie inventor's site says, "try deleting this "uid" cookie anywhere possible," - then has other buttons to check for undeleted cookie(s) or remnants, or one to try & have it "rediscover" the cookie (I suppose, regenerate).

    Later versions of both BleachBit & CCleaner claim to clean evercookies. I'd proceed w/ caution. Unless browsers figure out how to stop these or laws are passed to stop (honest) sites from using the technology, I'm sure data mining companies will get more stealthy.

    If you look at how these cookies work, where they can be stored & what all they can track, they're just thumbing their noses at browser devs & users, apparently because no law exists to prevent it. In principle, it's no different than a web site installing a prgm w/o your knowledge that's very difficult to remove & spying on you (that is illegal). Many of the sites reportedly using it weren't sleazy warez or porn sites.
    Last edited: May 3, 2012
  8. phkhgh

    phkhgh Registered Member

    Where / how would the locations such as these show up in Firefox, IF one of the evercookies was present? Unless we're just talking about DOM storage, which is inside webappstore.sqlite in Firefox, these locations / names don't normally exist. If the "cookies" (really, just scripts) get on a machine, do they create these HTML5 entries - as folders? - in what location, say in Windows?
  9. CloneRanger

    CloneRanger Registered Member

    As m00nbl00d :thumb: says
    Look in these threads for more info ;)

    Also people may not be aware that Prevx has a secret hiding place for a cookie :p And it gets recreated on every boot if deleted !



    C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies

    So cookies "could/can" be placed almost anywhere :eek: Be vigilant & search for them :thumb:
  10. phkhgh

    phkhgh Registered Member

    Say, who was that masked man?

    Thanks - but the link doesn't open for me - says "no match."
    Search engines on forums are notoriously bad. Sometimes I type the EXACT subject (which some forum searches can't find) then later stumble across the post by accident.

    Re: evercookies being discussed in the past.
    I think we need to discuss them some more, because most people I've come across never heard of them; based on the research data, a large % of sites (not just sleazy ones) were using the evercookie / "respawning" cookie technology. But AFAIK, no devs at Mozilla are talking about changes to stop it.

    If users check "block ALL cookies" in a browser, above board companies (like on the list) should get sued & fined for breaking in the back door. But they're not - so far. And they're not ordinary cookies - they can get lots of personal data & track you across the internet.

    Either they need to figure out something else to use on legit websites besides java script, that can't also run code on your machine, or browsers need to get smarter. It's almost to the point where going on the web is like putting on a hazmat suit to have sex. I never get viruses on my TV.

    One article quoted some members of Congress that were looking into evercookies, because it's so egregious. Yet essentially no one knows about it. I think we need to talk about people breaking into our computers, planting bugs instead of worrying so much which browser can load a page 0.175 sec faster.

    Though it wasn't cookies, per se, Google was doing something similar to MS & also to Apple on iPhones - they were mad as hell. Google said "we never really thought about the privacy aspect..." Got that right.
  11. CloneRanger

    CloneRanger Registered Member

    That'll be me ;)

    Don't know why the link doesn't open ? Try this one

    Or just do this, which will get you the same results as i did :thumb:


    By the way, i'm still using FF v3.6.14 very happily etc etc :) & BleachBit is good :thumb:
  12. JRViejo

    JRViejo Global Moderator

  13. popcorn

    popcorn Registered Member

  14. klarm

    klarm Registered Member

    hi. I thought the common advice was to use the latest FF?
    I'm currently still on FF v3.6.x and really don't want to upgrade if not necessary cos of safety/security. I hate the "new" FF look and was looking online for ways to make it look "older". I found some but didn't try yet.

    I'm using these add-ons: ghoster, no-script, ad-block plus, better privacy, cookies manager + (for restoring a few cookies/logins for the forums I visit every day). all the history, logins, cookies... are flushed on exit.

  15. EncryptedBytes

    EncryptedBytes Registered Member

    Fair question, in terms of Firefox:

    10. HTML5 Session Storage (sessionstore.js (JSON format))
    11. HTML5 Local Storage (webappsstore.sqlite)
    12. HTML5 Global Storage (I believe this is depreciated on new FF versions, someone can verify)

    Obviously you hold the keys to your kingdom though some serious updates in terms of security have been released for Firefox since 3.6.x. Along with several CA certificate revocations, I would highly advise you to upgrade.
  16. popcorn

    popcorn Registered Member

  17. phkhgh

    phkhgh Registered Member

    Thanks everyone for good input. Evercookies aren't a subject that should fall in the category "they've been discussed in the past." Though some links given here & articles I found on web are good - to a point, most are from 2010 - maybe 2011. In computer terms, that's lifetime. Some info is still good & much will be outdated. Malware / tracking ware (which is what evercookies are) change by the minute - not by yrs.

    How to deal w/ evercookies & supercookies (separately) should be stickies on most computer forums - esp. ones w/ security sections. Not buried in 2 yr old posts.

    I'd say the vast majority of users never heard of them, don't know what they can do, have no idea how to (mostly) prevent them or how to get rid of them.

    Members of Congress are investigating them & yet they're rarely discussed in forums or internet news. And according to research, lots of "mainstream" sites are using the technology - now. Avg users deserve to be warned & armed.

    - Encrypted Bytes - thanks for the locations for storage. How did you find that? I can read entire pages (like on MDN) on HTML5 storage & still never came across where they were actually STORED in FF. I'm sure if I had unlimited time, I'd find it. Mozilla's KB list of files in Profile has such vague info, you'd never figure out most of what files contain.

    BTW, BleachBit (current v.0.9.2) can't find FF profiles in non-default location. I keep profiles off my OS partition, & other apps or data I can. To keep C:\ smaller, make it easier to BU; make easier to wipe free space on FF profile partition & not risk damaging OS drive, etc.

    CCleaner can find all FF profiles, but doesn't seem to list webappstore.sqlite as a file to delete, even though it exists. BleachBit finds webappstore - in the default profile location.
  18. phkhgh

    phkhgh Registered Member

    Re: Mil Shield - I now anyone I know has used it. Saw it mentioned & looked at their site. It's trial / shareware - not free. Seems sort of like BleachBit, maybe CCleaner.
  19. mirimir

    mirimir Registered Member

    Why do we care about evercookies? Partly, it's just on principle. But, as a practical matter, it's because we don't want some of our online activities linked to our true identities. Still, even if we manage to block or disable evercookies, it's a Sisyphean struggle. It's far better to compartmentalize disparate activities on different machines, even if they're just different virtual machines.
  20. CloneRanger

    CloneRanger Registered Member

    It might well be from "some" people, but in my experience in visiting hundreds of infected www's over the years with previous versions of software & browsers, NOT even once have i been infected due to that reason :p Of course others can do what they like, and i'm not recommending anyone does what i do, but facts are facts.

    The only times i've been infected were on purpose to test my defences, & i had to lower or totally disable my security software in order for the breaches to occur in the first place ! Not having an updated browser made NO difference. Even if some www etc were able to inject my FF via some bug etc in it, my security software etc would block whatever from running :)

    Also a number of my favourite privacy etc add-ons don't work on later versions of FF. So as far as i'm concerned, i'm Not.

    Well that's to be expected, so it's not BB's fault ;) Shame there's no custom locations we can add in :(

    But you add it in via custom locations :thumb:
  21. phkhgh

    phkhgh Registered Member

    Why do we care about evercookies, or for that matter, peeping toms looking in a window, but doing no physical harm?

    One easy way to look at it is, if one goes to a retail store, there's a reasonable expectation they will keep a record of what you buy. But, for them to secretly plant a transmitting device on one's person, in their cell phone or in their car, then keep track - potentially for yrs - of every where they go, shop & what they look at or buy - well that's illegal & down right creepy.

    That is what evercookies do. Cookies are promised to be benign files that can't do anything on your machine (like regenerate themselves after deletion, gather browsing history) & can only be read by the site that set them. Users didn't "sign up" for these types of cookies.

    If even 30% of internet users knew what these were & can do, there'd be a huge uprising. Only a handful of users have even heard of them - unless one happens to run in circles like the Big Bang crowd.

    Another reason is, companies / sites using the technology are doing so w/o users' knowledge or consent. They're also "hacking" a security hole in browsers. More importantly, since it's js, which could easily be modified to do more than track, knowing this backdoor into our machines will allow others to do more malicious activities.

    You say, "But all kinds of malware already exists - what's so different?" The difference is, sites using it & companies (like Kissmetrics) providing the technology are operating out in the open - from a legal standpoint - w/ no fear punishment - for now.
  22. Yura

    Yura Registered Member

    Thank you for heads up.
    I heard about evercookies before but surprised Anti malware/AV companies don't fight it. Conspiracy? lol.
    Nowadays Im more wary of "white" companies like Google breaching my privacy than any malicious underground guy.
  23. phkhgh

    phkhgh Registered Member

    You're welcome & thanks to all that contributed to this post.

    As I think I mentioned, it's reported that members of Congress are looking into the secret, no user approval setting of evercookies. Probably a LONG term solution, if it happens at all.

    Why don't browsers just block scripts that set cookies? If advertisers can secretly place objects that phone home (certain) data from all sites you visit, seems likely hackers can modify it for more malicious acts (not just track browsing). They'd have to avoid other browser safety measures, but never have problems finding new ways for that.

    What might be reasons that browsers & LEOs aren't all over this? Money. Browsers + searching + advertising + gathering / selling data is BIG, HUGE business. It generates huge $ for browsers, the companies gathering / selling data, advertisers & generates HUGE tax revenue for gov'ts.

    * IF * major browsers are upset over secret evercookie-type tracking & take action to stop it, MAY be because they don't get paid, as they do for making a search engine the default (or DO they profit from evercookies?). If cigarettes are SO bad & have NO positives for smokers / 2nd hand smokers, cost untold amts to treat related illnesses under say, medicare, why don't gov'ts just ban them completely? Tax revenue & lobbying. Lots of $ involved.

    It's possible data miners like Google (there are many) got tired of paying browsers big $ in exchange for gathering data, disliked limitations of normal cookies & came up w/ the secret evercookies. Dunno. Excerpt of article below is NOT intended as an indictment of Mozilla vs others. Small example of lucrative agreements between browsers & data miners / advertisers. All other major browsers (even email clients) are doing similar things.

    For browser users, there's no such thing as a free lunch. Only thing is, it SHOULD be transparent exactly what users are giving up for use of "FREE" browsers. Hard to kill, secret tracking cookies aren't transparent.
    As of July 2011, Firefox's default search provider still is Google. [still are in Firefox 12] In 2005, the Mozilla Foundation and Mozilla Corporation had a combined revenue of US$52.9 million, with approximately 95% derived from search engine royalties.[279][280] In 2006, the Mozilla Foundation and Mozilla Corporation had a combined revenue of US$66.9 million, with approximately 90% derived from search engine royalties.[279][281] In 2007, the Mozilla Foundation and Mozilla Corporation had a combined revenue of US$81 million, with 88% of this sum (US$66 million) from Google.[282][283] In 2008, both Mozilla organizations had a combined revenue of US$78.6 million, with 91% coming from Google.[284] The Mozilla Foundation and Corporation are being audited by the IRS with the possibility of having its non-profit status called into question.[282][284][285]
    Last edited: May 10, 2012
  24. Yura

    Yura Registered Member

    phkgh, I absolutely agree. It's all about money.
    And it's irony how just a four days ago, I silently applauded to Gary's short speech at TED

    Gary Kovacs - Tracking the trackers
    Ugh, CEO of Mozilla rants about trackers invading his daughter's privacy. Seems like one step forward and two steps back, Gary.

    We, people who aware of all this, should do something. Whatever each one of us can. Blogging, propaganda, sabotage :D. (kidding). People stopped PIPA and SOPA because knew the enemy.
  25. phkhgh

    phkhgh Registered Member

    Yeah, that Gary Kovacs talk was an infomercial about the new Mozilla developed "Collusion" addon. Off topic here, but they don't make that known on the MAO site (transparency). I'll hold judgement, but seems like it may wind up invading as much as it protects.

    I do try to educate people all the time about privacy & the internet. It's hard - most people "just want to put gas in the tank & go." I try to get them to install a few simple addons & make some settings changes, but most aren't interested. They hear the words, but don't get the meaning. Until something bad happens.

    Shortly after the internet Big Bang, probably a minority were against cookies. Why? - people said. They're just harmless little files that can't do anything. (Yeah, & the CDC said you could only get AIDS by sharing needles, when it 1st appeared).

    Because of where that mindset would probably take us (& turns out, has). Placing stuff on your computer that you don't really know what it's doing. Now - LSOs, evercookies - not so harmless, non-privacy invading little buggars anymore. When the internet was new, you didn't need a firewall or AV so much.

    It's become too complicated for a non technical, avg user to adequately protect themselves from both malicious & privacy attacks w/o reading & following directions - to the 'T'.

    I'm utterly amazed at #s of people seeking help on malware removal forums. I don't know if they click every "free software" pop up, or have NO AV / FW prgm (up to date) - or what. I've never had an infection, back to even before the internet, but I can't convince most people to take simple steps to protect privacy & security.
Thread Status:
Not open for further replies.