The persistent method that security researcher Samy Kamkar introduced last week for storing tracking data on a user’s machine, known as the “Evercookie,” is even more worrisome when used on mobile devices, according to another researcher’s analysis.

The Evercookie is a simple method for forcing a user’s machine to retain browser cookies by storing the data in a number of different locations. The method also has the ability to recreate deleted cookies if it finds that the user has removed them. Created by Kamkar as a demonstration of a way that sites could use to persistently track users even after they clear their browser cookies, the Evercookie has drawn the attention of a number of other researchers who have spent some time looking for methods to defeat it.

A researcher in South Africa took a look at the way the the Evercookie works on both Safari on the desktop and on mobile devices, and found that it can be undone in some circumstances. However, he also found that the mobile version of Safari fares far worse in its handling of the Evercookie than the standard version does.

“My second most frequent browsing platform is my iPhone, and I thought I
would investigate how Apple IOS, MobileSafari & embedded WebKit
fares. It does much worse. The problem is, any app
which embeds MobileWebKit has it’s own stores. Even if you go to your
settings and delete local databases, you haven’t cleared the cookies,
caches & stores in the other apps. Even if you do clear your
MobileSafari store, the HTML5 localStorage mechanism isn’t properly
cleared and the cookie reloads itself,” Dominic White wrote in analysis of the Evercookie on an iPhone.

White wrote a script that will go through and delete the cookie from all of the relevant WebKit databases on the iPhone. The script only works on jailbroken iPhones. Jeremiah Grossman of WhiteHat Security also developed a method for removing the Evercookie from Google Chrome, without going through a browser restart.

Kamkar’s Evercookie is a JavaScript API that takes advantage of a number of available storage locations in a user’s browser to store persistent data. In most cases, the cookie will persist even after a user clears his the cookies from his browser or manually goes in and attempts to delete specific files on the machine.

“Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available,” Kamkar said in his introduction of the Evercookie.

Categories: Social Engineering, Vulnerabilities, Web Security

Comments (8)

  1. Anonymous
    3

    So what browsers are succeptible to the “evercookie” anyway?  I’ve tested the latest patched versions of chrome, ie and firefox; and it’s completely uneffective.  it seems this “evercookie” is getting alot of hype, but for what?

  2. Anonymous
    4

    It’s hard to judge the potential threat without some more specific information on what methods it uses to store data. Without that, it just sounds like a lot of hot air.

  3. Anonymous
    5

    You want to know the methods used? Well, why don’t you bother reading the last link taking you to samy.pl/evercookie where everything is explained in detail?

  4. Todd
    6

    Use the code against itself.  In your URL bar:

    javascript:ec.set(‘uid’, 12345);

    Boom, done, evercookie.js wiped out the data for you.  Until evercookies are made read-only I don’t see this as being a major threat.

  5. used computers
    7

    I just stumbled upon your blog after reading your blog posts wanted to say thanks.i highly appreciate the blogger for doing  this effort.

  6. Andrew Z
    8

    Anonymous (8:11am): All modern browsers are suspectible to evercookie to various degrees.  The more modern the browser (with DOM Storage for example), the more ways for evercookie to protect itself against deletion.

    Deletion is not that hard (though it can be inconvenient because it requires deleting things you may want to otherwise keep).  BleachBit 0.8.1 deletes evercookie in Internet Explorer, Firefox, Safari, Google Chorme, Opera, Adobe Flash, and Silverlight: http://bleachbit.sourceforge.net/

Comments are closed.