Researcher Claims ‘Evercookie’ Can’t Be Removed

Call it “Frankencookie”: a security researcher has released a tracking cookie that he claims is nearly impossible to remove. Dubbed “evercookie,” it is designed to raise awareness about the ease with which Web site operators can evade privacy tools designed to shield visitors’ privacy.

Evercookie is a JavaScript API that produces browser cookies that are “extremely persistent,” according to details provided on the Web page of its creator, Samy Kamkar. The cookie is capable of storing data in several types of storage containers on a system where it is installed, then regenerating itself in the event that a user clears out his or her browser cookies after a Web session.

Kamkar gained notoriety in 2005 for creating the Samy cross-site scripting worm, which traversed the MySpace social network, adding each of its victims as a “fan” of Kamkar’s MySpace profile. It was one of the first widespread pieces of malicious code to target social networks, with more than a million MySpace users falling victim to the attack. In recent months, he has also published research showing how vulnerabilities in home Internet routers could be combined with geolocation data to reveal Web users’ physical location.

Kamkar designed evercookie to raise awareness about the privacy issues raised by tracking cookies, including traditional HTML cookies and close kin like Adobe Flash local shared objects (or LSOs), which can store personal data on users’ computers that can be accessed by Web sites to understand user behavior. LSOs often enable tracking in spite of browser privacy settings that may restrict the types of data stored in cookies.

“(Evercookie) is just exposing methods people are already using (or are going to start using more with some of the new HTML5 technologies),” Kamkar wrote in an instant message chat with Threatpost.com. “The thing is it’s only super technical people that typically know about these methods.”

Kamkar, who is on a speaking tour in Europe, said he created Evercookie in a single day. “That was part of the impetus, it just seemed so easy…people should know how easy it is for people to do this level of tracking,” he wrote.

Evercookie takes a shotgun approach to cookie creation, in the hopes of maintaining persistence on endpoints. In addition to creating a standard HTTP cookie, Evercookie stores client-specific information in other locations that are accessible by most common Web browsers, including local shared objects (LSOs) created by Adobe’s Flash technology. It also leverages a number of HTML extensions introduced with HTML5, the newest specification for the Web’s main authoring language. HTML5 Session Storage, HTML5 Local Storage and HTML5 Global Storage are all leveraged to store cookie data. HTML5’s new Canvas tag is used to read cookie data stored in the RGB values of PNG format files.

Evercookie is available as open source code. To use it, Web sites need to make it available to their Web server. Kamkar offers Evercookie in a variety of flavors: JavaScript, Adobe Flash (.SWF) and PHP. The Flash version allows evercookie to take advantage of Flash local shared object storage, whereas the PHP version of evercookie is used to store and retrieve session data in cached PNG files, he wrote.

Kamkar said he has not tested the various browser privacy and cookie deletion features against evercookie, but said one or more of these storage containers is typically missed by the “clear cookies” feature in the dominant browsers, and only one of the eight storage methods needs to work.

“When you come back to my site, if I see ANY of those tags, I still know who you are, and even worse, I can then reset any cookies you’ve deleted,” he wrote.
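An added example, not part of the original article or of Kamkar's evercookie code: a check for the regeneration behaviour described above, run over storage snapshots taken before clearing cookies, after clearing, and after revisiting the site. The snapshot layout, container names and sample values are constructed for illustration.

```javascript
// Added example: detect "respawned" cookies from three storage snapshots.
// Snapshot shape and container names are assumptions made for this sketch.

// Constructed sample data: one browser profile observed at three moments.
const beforeClear = {
  cookies:        { uid: "a81f3c", theme: "dark" },
  localStorage:   { uid: "a81f3c" },
  sessionStorage: {},
  flashLSO:       { uid: "a81f3c" },
};
// User ran "clear cookies": HTTP cookies and localStorage are gone, the LSO is not.
const afterClear = {
  cookies: {}, localStorage: {}, sessionStorage: {},
  flashLSO: { uid: "a81f3c" },
};
// Same site visited again.
const afterRevisit = {
  cookies:        { uid: "a81f3c", theme: "light" },
  localStorage:   { uid: "a81f3c" },
  sessionStorage: {},
  flashLSO:       { uid: "a81f3c" },
};

// Containers (other than HTTP cookies) in a snapshot that hold `value` under any key.
function containersHolding(snapshot, value) {
  return Object.keys(snapshot)
    .filter((kind) => kind !== "cookies")
    .filter((kind) => Object.values(snapshot[kind]).includes(value))
    .sort();
}

// A cookie is respawned when it existed, was deleted, and came back with the
// same value. A fresh identifier after clearing is normal behaviour, not respawn.
function detectRespawn(before, cleared, revisit) {
  const findings = [];
  for (const [name, value] of Object.entries(before.cookies)) {
    const wasDeleted = !(name in cleared.cookies);
    const cameBackSame = revisit.cookies[name] === value;
    if (wasDeleted && cameBackSame) {
      findings.push({ name, value, survivingStores: containersHolding(cleared, value) });
    }
  }
  return findings;
}

console.log(JSON.stringify(detectRespawn(beforeClear, afterClear, afterRevisit)));
```

The `survivingStores` field names the containers the clearing step missed, which are the ones that have to be wiped for the identifier to stay gone.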

One exception he knows of is Apple’s Safari browser. Enabling the Private Browsing feature on that application blocks all the evercookie methods, though Kamkar admits he has not tested his cookie against other leading Web browsers.

Microsoft and Google did not immediately respond to requests for comment, and it isn’t known whether existing cookie removal features in those browsers will work against the methods used by evercookie.

The security implications of features that come with next-generation technologies for presenting data online and creating interactive Web applications are a hot topic. Security experts have warned that the sprawling new HTML5 Web standard may favor functionality over security, enabling a new generation of powerful Web-based attacks.

Discussion

  • Chris Wilson on

    How is this newsworthy?  It's only been tested on Safari...  By the time I'm finished writing this comment he could have tested it on IE, Firefox, Chrome, and Opera.

  • Anonymous on

    FAIL! This article was a waste of my time. This HUGE exploit against user privacy was only tested in Safari...and Safari was successful in deleting it in private browsing? So...this didn't really work in Safari. LAME!

  • Anonymous on

    This is nothing new. There are existing Javascript APIs that have done this same thing for quite some time. I agree with Chris that this is not newsworthy.

  • Anonymous on

    I encountered an app that advised me it placed cookies (normal use) and a persistent cookie that would monitor the use of the web site.  From what I am reading, the persistent cookie may still be on my system and may monitor more than I suspected it would.  Your article indicates the difficulty of removing persistent cookies.  Any recommendations after the fact?

  • Anonymous on

    >Any recommendations after the fact?

    Take the morning after pill.

  • Anonymous on

    So if I'm surfing using an operating system from my cd or using sandboxie, you're telling me this virus/cookie can still take hold?

  • Michael Fever on

    I read earlier this year that advertisers can use your javascript settings along with a number of other variables, version numbers and other stored session state variables to create a virtual fingerprint of who you are.  Combine this with top sites like hotmail, yahoo, ebay, paypal, and you can be easily identified.  This data is already being shared and used to push targeted ads directly to you.  Big brother is watching.

  • ghettohacker inc on

    demo Fails on ie8

  • Anonymous on

    I'd be curious how effective the dropping of the evercookie will be from websites using the same source (googlesyndication comes to mind off the top) against firewalls that deny IP host ranges from googlesyndication.net and googlesyndication.com.

    As I understand it, most sites do not employ their own commercial cookie, but update whichever market company currently has them on the payroll. If the market company sites are blocked by packet filtering rules, will the evercookie, from that site, still pass through to the computer?

     

  • Anonymous on

    This hardly sounds like a "Frankencookie", but maybe a "Tribble-cookie"?

  • Greek geek on

    I have an Evercookie variant on a user's PC. I have run EVERY AV tool and such and NOTHING detects it. It hides in systems file as a network user with cookies. I debugged the Java script and found it linked to core Windows files which produced false Windows messages. On my work server, it did not propagate across the internal sata connections. This thing cannot be removed. If one removes the files in the user location, they are reloaded from somewhere. The creation dates are apparently manipulated so one cannot search by creation date. The creation date on one file was mid Jan 2011. I will no longer do Java upgrades and run Adobe Flash upgrades as I suspect that is the source, incorrect Java upgrades and Flash from non Sun sites. I have also stopped using my server and such for any internet activity except Microsoft and a very few other web sites. The only fix is to write the HD to zeros and reload. Clone your drive with software such as Migrate Easy and maintain a clean copy.
