Study: Adobe Flash Cookies Pose Vexing Privacy Questions

Discussion in 'privacy general' started by ronjor, Aug 11, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Story
     
  2. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
  3. ahriman

    ahriman Registered Member

    Joined:
    Sep 18, 2007
    Posts:
    124
    If you are using Firefox, the add-on "Better Privacy" takes care of Flash cookies.
     
  4. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
  5. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    FYI: R-Wipe&Clean has the capability to wipe Flash cookies, and other eraser utilities may also possess this feature.
     
  6. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    (Windows XP Home Edition SP 2 IE 7)

    I know how to tighten the settings for Flash in a way that should prevent the installation of Flash cookies (Flash security settings), but more than once I have discovered Flash cookies on my computer. I'd call that 'hacking'.

    Aside from the Flash cookies I can see with Macromedia's tool, does Flash store any (other) personally identifying information on my computer?

    And being paranoid, can I or my computer somehow be identified by my Flash plugin when I surf the web?
     
    Last edited: Aug 12, 2009
  7. Pleonasm

    Pleonasm Registered Member

    Joined:
    Apr 9, 2007
    Posts:
    1,201
    Fly, FYI -- I routinely wipe the complete contents of the following folders (in Windows Vista) to ensure that all Flash information is destroyed:

    C:\Users\<user>\AppData\Roaming\Adobe\Flash Player\AssetCache
    C:\Users\<user>\AppData\Roaming\Macromedia\Flash Player\#SharedObjects
    C:\Users\<user>\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
     
  8. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Thanks. I have Windows XP, however.
    Different folders. It seems there is some stuff left, I'm not sure what to make of it. I don't want to break the system/Flash.

    I'll give it some thought.
     
  9. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    It might also be worth looking at the settings - Adobe allows third party websites to place whatever on *OUR* machines via Flash and for which it says it accepts NO responsibility so as usual it's covered its Ass.
    I needed to change several and included the 'Never Ask Again'.

    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html
     
  10. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    The problem with Flash Cookies is, the permanent Flash Cookies are not stored on the user's computer, although some may reside there.
    The permanent Flash Cookie is stored on special Servers, these special Servers are a global network, all Flash Cookies.
    Any Web Site that sponsors Flash, Flash Ads, Flash Cookies, and so forth is connected to the Flash Servers Network.
    When one visits a Web Site that sponsors or uses Flash, a permanent Flash Cookie for that IP Address is stored in the Flash Servers Network.
    From there a profile is built on internet usage, only Web Sites that use or sponsor Flash can track the user's navigation and build the Flash Profile.
    In short, any Web Site that one visits that incorporates the usage of Flash can add to the Flash Profile if the following exist:

    01)- the user does not block the Shockwave Flash Object ActiveX (d27cdb6e-ae6d-11cf-96b8-444553540000) in the Web Browser.
    02)- the user has other Flash installed such as Flash Players, Adobe Flash and so forth

    Deleting all of the Cookies on the Local Computer has no influence on the Permanent Flash Cookie stored on the Special Flash Server Network.
    Each individual's IP Address follows them everywhere on the Internet regardless of Anonymity Software or not, Servers can store, display, or hide
    any information that they are programmed to do. It is an International and Global Law thing.

    Solution: Remove Flash from the System and block the Shockwave Flash Object ActiveX (d27cdb6e-ae6d-11cf-96b8-444553540000) in the Web Browser.


    HKEY1952
     
    Last edited: Aug 12, 2009
  11. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,322
    Location:
    Philippines
    I just spent the last hour searching for any discussion or reference regarding the storing of "permanent" flash cookies to special flash servers. I also searched for any reference to the same regarding Local Shared Objects (also known as flash cookies). This is contrary to how LSOs work. Care to cite some references on this?
     
    Last edited: Aug 12, 2009
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What if the user's IP Address changes on each connection? How can a profile be built?

    ----
    rich
     
  13. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    The IP Address is much longer than xxx.xxx.xxx.xxx
    Only privileged authorities have access to the extended string
    The xxx.xxx.xxx.xxx may change but the extended string does not
    The extended string is attached by the Internet Service Providers and is part of the client's Account Identification (provider, country, region, state, etc.)
    It is a hierarchy, we the clients only see xxx.xxx.xxx.xxx whereas the Government has full access to the string and all in-between see less and less of the string


    HKEY1952
     
  14. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    Here is an example:

    I like cars and I am from San Francisco, California (not really, but for the example).
    I visit a lot of Web Sites about cars. One day I am visiting a car site located in China and in the upper right hand corner is an Ad.
    The Ad reads "Find great deals on new and used cars in your area of San Francisco today".
    Now how on earth would that Ad Server know that I am from San Francisco, my IP Address only shows xxx.xxx.xxx.xxx
    Ahh, the extended string knows it all.


    HKEY1952
     
  15. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Eho_O

    Extended string - where exactly?

    IP-address is ip address, what you see is what you get.

    URL is also WYSIWYG if a browser is configured properly and one is not easily faked by URL spoofs.

    Now, if:

    - cookies are blocked (built-in Firefox, or add-ons)
    - LSO cookies are blocked (better privacy in Firefox)
    - single pixel image variants and cross-site CSS files are blocked (Ad block +)
    - Referer is faked (Referer tools)
    - Ads are blocked (Ad block plus)
    - major tracking, statistics and ad servers are blocked (HOSTS file)

    Then there is a negligible chance that a series of sites operating on different server clusters can actually track you accurately.

    Of course, it is always possible to try and make a track based on IP address and http-get time-stamps alone, but that's as far as it gets - not to mention how much excess computing power that would require to analyze all the traffic.

    Do you have some other information on a technique that allows for a tighter tracking?
     
  16. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    HKEY1952: You have been misinformed on two things.

    Flash cookies of the session kind and permanent kind are all stored locally (LSO files) with the extension of .sol. There are no cookies stored on some central server that follow your web travels based on your IP address.

    CCleaner's latest versions do a very thorough job of deleting these locally stored files.

    This "extended string" business is obviously a confusion by HKEY1952 on the IPv4 addressing system. The additional numbers in IPv4 have little to nothing to do with your personal IP and represent a protocol that has a maximum of some 200+ characters, but only for Internet networking/addressing purposes. Your personal "IP address" is still the typical short series of numbers.

    By the way, I read the WIRED article earlier today and had to laugh out loud with the "update" at the end of article that states wired.com uses flash cookies!
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is easily done already with existing technology -- no extended string (whatever that is) is necessary.

    If I search for "attorneys" in Google, my current IP Address is run through a locator program which identifies me in the Los Angeles, California area. Corresponding ads for attorneys appear in the Links on the right:

    googleLocation.gif


    Even at that, tracking and building a profile is another matter and requires a persistent cookie or something similar: your credit card, or library card -- anything that keeps track of your activities.

    ----
    rich
     
  18. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    And yet after using this, I've found domains are still listed in the Adobe Flash Settings interface. They're not active as there's no symbol (star etc.) by them. Perhaps they're still stored in the global settings.sol file, which CCleaner doesn't remove unless you add it yourself. I manually removed this, and checked the Adobe Flash Settings page, and all domains have gone.
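
Added example, not part of any post in this thread: a Python inventory of what Flash keeps on disk, using the folder names from the posts above, to show why a domain can still be listed in the settings interface after its .sol data files are gone. The sub-folder layout (`#SharedObjects/<random dir>/<domain>/...` and `sys/#<domain>/settings.sol`) is an assumption about Flash Player's on-disk format, and the function names and sample domains are made up for the demo.

```python
import tempfile
from pathlib import Path

SYS_REL = Path("macromedia.com", "support", "flashplayer", "sys")

def inventory_flash_storage(flash_root):
    """Classify .sol files under a '...\\Macromedia\\Flash Player' directory."""
    root = Path(flash_root)
    shared, sys_dir = root / "#SharedObjects", root / SYS_REL
    data = {}                # domain -> number of LSO data files
    site_settings = set()    # domains that have a per-site settings.sol
    global_settings = False

    # Assumed layout: #SharedObjects/<random dir>/<domain>/.../<name>.sol
    if shared.is_dir():
        for sol in shared.rglob("*.sol"):
            parts = sol.relative_to(shared).parts
            if len(parts) >= 3:
                data[parts[1]] = data.get(parts[1], 0) + 1

    # Assumed layout: sys/settings.sol (global), sys/#<domain>/settings.sol (per site)
    if sys_dir.is_dir():
        for sol in sys_dir.rglob("settings.sol"):
            parts = sol.relative_to(sys_dir).parts
            if len(parts) == 1:
                global_settings = True
            elif parts[0].startswith("#"):
                site_settings.add(parts[0][1:])

    return {
        "data": data,
        "site_settings": sorted(site_settings),
        "global_settings": global_settings,
        # Domains with a settings record left behind but no data file
        "settings_only": sorted(site_settings - set(data)),
    }

def build_sample_tree(base):
    """Constructed sample tree (made-up domains, empty files) for the demo."""
    base = Path(base)
    for rel in ("#SharedObjects/AB12CD34/ads.example/tracker.sol",
                "#SharedObjects/AB12CD34/video.example/player/prefs.sol",
                f"{SYS_REL.as_posix()}/settings.sol",
                f"{SYS_REL.as_posix()}/#ads.example/settings.sol",
                f"{SYS_REL.as_posix()}/#gone.example/settings.sol"):
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inventory_flash_storage(build_sample_tree(tmp)))
```

Pointing `inventory_flash_storage` at a real `Macromedia\Flash Player` folder before and after running a cleaner shows which of the three kinds of file the cleaner actually removed.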
     
  19. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Can you give us a visual example of the extended strings you are talking about?

    Are you, in fact, actually talking about the IPv4 addressing system?

    It's always best to leave a link or two when posting such statements.


    Thanks!

    Marja


     
  20. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    To provide a small glimpse of what I am talking about in regards to the "Extended String" please read the following entirely and carefully:
    https://www.grc.com/x/ne.dll?bh0bkyd2

    Note your current IP Address and the Reverse DNS Address.....this is only part of the "Extended String"


    HKEY1952
     
  21. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    THAT (Shield's UP link) is your reply?

    How about a straight up clear concise answer of
    where we can find a discussion or definition of these extended strings?
     
    Last edited: Aug 13, 2009
  22. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    There is the 'host name' or supercookie if you will, but it is not directly related to Flash.
    Depending on certain issues, you have a static (and personally identifiable?) host name, or one that changes.
     
  23. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    The subject of the IP Address's extended string cannot be summed up in one article or Web link. It is too complex and vast.
    My knowledge of the IP Address extended string was acquired by conglomerating the knowledge gained over the years by reading various articles, books,
    Web Pages, and magazines and such that most of the time only covered part of the subject and was not the main feature of the publication.
    Research on the subject also helped. You requested that I provide a visual example of the IP Address extended string and I provided that visual display through
    the link in my previous Post. I suggest that you read the article again because you obviously missed the point.
    I do not have to prove anything, I provided information, one is free to do whatever one wants with that information.
    Read and research as I did. Keyboard + Search = Results. Anyone believing that they are navigating the Web anonymously is only fooling themselves.
    Flash is a definite security breach and the reason all Flash has been removed from my System and blocked at the Browser. I have no trouble navigating the Web.
    In spite of removing and blocking Flash, and all of that other security stuff to protect identity, where I go on the Web my IP Address also goes, extended string and all.
    No one ever talks about the Servers on the Internet. Servers are very powerful and not to be underestimated or ignored. Servers have all the information stored.
    Servers dictate the Web. Servers know more about us than we know about ourselves. I love Servers, I have Microsoft Home Server on my Network. My girlfriend is a Server.


    HKEY1952
     
  24. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    There is ZERO evidence of this anywhere on the web. In fact, when you search "extended string" ip address on Google you get one result (totally unrelated) before this very thread here at Wilders!

    Claiming an IP address follows you around, flash super cookies residing on servers that are identifiable to you and such is wrong. It's just not based on fact and claiming all of that is spreading false information. That certainly does no good for the credibility of this community.
     
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hate to necro a thread, but I've just adjusted my settings with the Flash manager to block LSOs, yet Better Privacy is still finding them and asking what I want to do with them....am I missing something?
     