Tuesday, August 5, 2008

flash cookies

this isn't really new, and maybe it isn't even worth sharing... anywho, i'd blocked flash cookies out of my mind until recently.

so here's the deal. you can manage cookies and clear your private data when you close your browser, but chances are that flash cookies (local shared objects stored by the flash player, outside the browser's cookie jar) are still being set and persisting across sessions.

worse, i think javascript can access files a client has rights to read (not sure on that), and the ~/.adobe and ~/.macromedia directories default to the read bit for others on ubuntu and gentoo from what i see.

so, if i'm right about the js bit, there you have the ability to track web sites visited, and maybe even pull data like usernames and passwords/hashes (pandora) out of flash cookies.

not the end of the world, but maybe worth keeping in mind... there seems to be a moz plugin project trying to deal with this issue...
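to make the permissions point above concrete, here is a small POSIX shell audit added to this post (it is not code from the original post or from any flash-related project). it checks whether the two directories named above, ~/.adobe and ~/.macromedia, are readable by "others", counts the .sol files persisting underneath, and tightens the mode with chmod. the directory names come from the post; the Flash_Player/#SharedObjects subpath and the .sol extension are the standard flash player local-shared-object locations on linux, and the sample directory the functions are exercised against is constructed, not taken from a real profile.

```shell
#!/bin/sh
# Added example, not from the original post: audit and tighten the
# permissions on the flash player local-storage directories on linux.
# ~/.adobe and ~/.macromedia are the directories named in the post;
# Flash_Player/#SharedObjects and *.sol are the standard LSO locations.

# Print the "other" permission triplet (e.g. "r-x") of a path.
other_perms() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 (true) if users other than the owner/group can read, write or
# traverse the directory; 1 if it is locked down; 2 if it does not exist.
lso_dir_exposed() {
    dir=$1
    [ -e "$dir" ] || return 2
    case "$(other_perms "$dir")" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# Strip every "other" permission from the storage directory and all of
# its contents so another local account cannot read the .sol files.
harden_lso_dir() {
    dir=$1
    [ -e "$dir" ] || return 2
    chmod -R o-rwx "$dir"
}

# Count the .sol files (flash local shared objects) under a directory.
# This is what survives after the browser's own cookie jar is cleared.
count_lso_files() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -type f -name '*.sol' | wc -l | tr -d ' '
}

# Report on the real directories of the current user (read-only audit;
# call harden_lso_dir on a directory yourself to fix it).
audit_home() {
    for d in "$HOME/.adobe" "$HOME/.macromedia"; do
        if [ ! -e "$d" ]; then
            echo "absent   $d"
        elif lso_dir_exposed "$d"; then
            echo "EXPOSED  $d (others: $(other_perms "$d"), $(count_lso_files "$d") .sol files)"
        else
            echo "ok       $d ($(count_lso_files "$d") .sol files)"
        fi
    done
}

audit_home
```

run it as a normal user; any line starting with EXPOSED is a directory that defaults to the world-readable mode the post describes, and `harden_lso_dir ~/.macromedia` (and the same for ~/.adobe) closes that off without touching the flash player's own ability to read and write its files. it does not settle the separate question of what a page's javascript can reach; it only removes the "readable by others" half of the problem.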

2 comments:

paj said...

I've even heard of software based MFA (device fingerprinting and all that) having a bit of flash to do this, and describing it as a feature - a machine fingerprint that the user can't easily clear!

rwnin said...

while i was out at BH/DC, there were at least 4 talks i was in where the speaker mentioned flash cookies/LSOs...

seems to be a very active space. i've done some research in this area, but i need to get my stuff together and do analysis and documentation i can post up...