There’s a new trend on the internet of using Locally Stored Objects (LSO’s) to track and monitor internet usage. A better known term is “Flash Cookies”. Think of them like regular internet cookies, except they are for Adobe’s Flash Player.
Flash Cookies are scary because they are persistent, work across multiple websites, can re-spawn cookies you’ve deleted and hold more information. Browser controls such as Private Browsing and History deleting don’t get rid of them and they don’t expire by default.
Getting rid of them and protecting against them isn’t difficult if you know how..
Where did this come from?
I stumbled across the Flash Cookie phenomenon last fall when Flash was being exploited to take control of your webcam and microphone. The fix was to go to a special Flash Applet on Adobe’s website to turn off Flash’s ability to access your webcam. Being curious, I poked around the applet and was quite surprised at all the sites stored in the “Visited Sites” section. Basically, any site using Flash was storing something there.
Note: In case you may not be aware, most websites you visit use Flash in some form or another. If they don’t, its likely that ads displayed on them do.
I suppose that originally, the idea behind Flash Cookies was more benign – keeping volume settings, site preferences and data related to Flash games but as more people became concerned with internet privacy and browsers adding in privacy controls, Flash Cookies began to take on more that just volume settings The ability to re-spawn or re-create regular browser cookies to circumvent privacy controls is one of the more disturbing features.
So, how do you control Flash Cookies?
Using Adobe’s Flash Settings Applet:
Adobe has a little known Applet on their site to control these settings. Here’s the URL: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
To properly secure yourself, here are some suggested settings:
Global Privacy tab: Set to “Always deny”.
Global Storage tab: Slide the slider to “None” and check “Never ask again”.
Global Security tab: Set to “Always ask”. (Choosing deny may break some sites)
Website Privacy tab: Set to “Always deny”. Delete all sites.
Website Storage tab: Slide the slider to “None”, check “Never ask again”. Delete all sites.
I’d suggest making a note to check this applet periodically to be sure it’s settings are still working properly.
Manually Destroying Flash Cookies:
– Go to ~/Library/Preferences/Macromedia
– Delete the “Flash Player” folder.
– Head to Adobe’s applet to set up your privacy settings.
Note: The Flash Cookies are stored in your user (home) folder’s Library/Preferences folder. “~/Library/Preferences” Do not mess with your System’s /Library/Preferences folder. If you aren’t sure, Click on the House with your name next to it on the sidebar and then click on Library from there.
Maintaining your Privacy:
To maintain your privacy with Flash Cookies, make sure you set your player with Adobe’s Applet. However, updating Flash, reinstalling or even a vulnerability may cause these settings to change. So in order to maintain your privacy you can do the following:
Give Flash Player read-only permissions:
– Delete your Flash Cookie folder.
– Set the appropriate settings with Adobe’s Applet.
– Navigate to your Flash Cookie Folder (~/Library/Preferences/Macromedia)
– Select it and Get Info.
– Change the Permissions to Read Only for Owner (you), Group, and Everyone.
– Click the gear at the bottom and choose “Apply to enclosed items”.
If you prefer, you can use the Terminal.
If this seems a bit difficult for you, you can always use Firefox’s Better Privacy add-on.
While Flash Player is the focus of this recent study, I believe that it’s not the only source of Locally Stored Objects that can be used in this manner. Java, Silverlight, Real Player, Quicktime, Acrobat and any other browser plug-in can also do the same tricks. The next step would be for Firefox and Safari to include installed stored Plugins/Addons settings in their “Private Browsing” features.