Call it “Frankencookie:” a security researcher has released a tracking cookie that he claims is nearly impossible to remove. Dubbed “evercookie,” it is designed to raise awareness about the ease with which Web site operators can evade privacy tools designed to eliminate shield visitors’ privacy.
Kamkar gained gained notoriety in 2005 for creating the Samy cross site scripting worm, which traversed the MySpace social network, adding each of its victims as a “fan” of Kamkar’s MySpace profile. It was one of the first widespread pieces of malicious code to target social networks, with more than a million MySpace users falling victim to the attack. In recent months, he has also published research showing how vulnerabilities in home Internet routers could be combined with geolocation data to reveal Web users’ physical location.
Kamkar designed evercookie to raise awareness about the privacy issues raised by tracking cookies including traditional HTML cookies and close kin like Adobe Flash local shared objects (or LSOs), which can store personal data on user’s computers that can be accessed by Web sites to understand user behavior. LSOs often enable tracking in spite of browser privacy settings that may restrict the types of data stored in cookies.
“(Evercookie) is just exposing methods people are already using (or are going to start using more with some of the new HTML5 technologies),” Kamkar wrote in an instant message chat with Threatpost.com. “The thing is it’s only super technical people that typically know about these methods.”
Kamkar, who is on a speaking tour in Europe, said he created Evercookie in a single day. “That was part of the impetus, it just seemed so easy…people should know how easy it is for people to do this level of tracking,” he wrote.
Evercookie takes a shotgun approach to cookie creation, in the hopes of maintaining persistence on endpoints. In addition to creating a standard HTTP cookie, Evercookie stores client specific information in other locations that are accessible by most common Web browsers including local shared objects (LSOs) created by Adobe’s Flash technology. It also leverages a number of HTML extensions introduced with HTML5, the newest specification for the Web’s main authoring language. HTML5 Session Storage, HTML5 Local Storage and HTML5 Global Storage are all leveraged to store cookie data. HTML5’s new Canvas tag is used to read cookie data stored in the RGB values of PNG format files.
Kamkar said he has not tested the various browser privacy and cookie deletion features against ever cookie, but said One or more of these storage containers is typically missed by the “clear cookies” feature in the dominant browsers – and only one of the eight storage methods needs to work, said Kamkar.
“When you come back to my site, if I see ANY of those tags, I still know who you are, and even worse, I can then reset any cookies you’ve deleted,” he wrote.
One exception he knows of is Apple’s Safari browser. Enabling the Private Browsing feature on that application blocks all the evercookie methods, though Kamkar admits he has not tested his cookie against other leading Web browsers.
Microsoft and Google did not immediately respond to requests for comment and it isn’t known whether whether existing cookie removal features in those browsers will work against the methods used by evercookie.
The security implications of features that come with next generation technologies for presenting data online and creating interactive Web applications is a hot topic. Security experts have warned that the sprawling new HTML5 Web standard may favor functionality over security, enabling a new generation of powerful Web based attacks.