Supercookies, Flash cookies and Even Zombie Cookies

Privacy activists have consistently addressed the threats that cookies represent to privacy. In fact, the European Union passed a law that states that any company based in the EU (or any company targeting EU citizens), cannot place “non-essential” cookies on users’ computers, without their knowledge and authorization. Thanks to the awareness raised by campaigners and the implementation of the legislation, the majority of internet users know about the existence of cookies.

The majority of people are aware about cookies related to HTTP, which are regular cookies. These are the small text files that are left in your browser’s cookie folder and can be handy for certain cases such as remembering your passwords and website preferences. However, they can also track your movements on internet. Those concerned about the implications for privacy have taken measures to prevent, control or remove cookies with the help of management and blocking tools that many browsers have added to tackle cookies.

It doesn’t come as a surprise that some companies have looked for methods that allow them to circumvent these tools, in an effort to continue gathering data for marketing and analytics purposes. The use of supercookies is one of the main alternatives to identify and track online users, in spite of the blocking and control technology in place.

Supercookies

The term supercookie refers to bits of code left on your computer that perform a similar task as cookies. However, supercookies are not as easy to identify and remove as regular cookies. Flash cookies are the most common kind of supercookies and they are also known as LSO or Local Shared Object. Other types of supercookies include Web Storage and HTTP ETags, but Flash cookies are believed to be widely used on websites.

Unlike standard cookies, supercookies are designed to be practically undetectable and their use is not exactly transparent. It is almost as if their existence is concealed on purpose, which explains why not many users know about them. Even if you believe that you have cleared your computer of tracking objects, there are probably supercookies still lurking.

The legislation in the EU regarding cookies, includes supercookies in the general description. However, the law is ambiguous when it comes to establishing what a “bad” cookie is. Furthermore, the law has not been enforced as it should be and the majority of websites require you to agree to the use of cookies if you wish to continue accessing them. While the law has not avoided the use of supercookies, or even HTTP cookies effectively, at least it has raised awareness about the issue.

One thing that has helped to the decrease of Flash Player’s popularity, is the fact that Apple has addressed the weaknesses of this technology. HTML5 has taken over many of the tasks that were once assigned to Flash. In addition, leading browsers offer LSA removal, which has contributed to the drop in the use of Flash cookies. In spite of that, they haven’t disappeared and are still a threat to users’s privacy.

Flash Cookies and Zombie Cookies

As previously mentioned, Flash cookies are the most popular type of supercookies. They use Adobe’s multimedia Flash plugin to conceal cookies on your computer that are not accessible or that cannot be managed using the privacy control of your browser. However, nowadays most browsers are capable of deleting Flash cookies through their cookie management.

Since these cookies are kept outside the browser, it is not possible to avoid them by simply switching to a different browser. Flash cookies are available to all browsers meaning that a cookie that was acquired while Chrome was being used, will also be there when you move to Firefox. Furthermore, Flash cookies can hold up to 100kb, which is considerable more than the mere 4kb that HTTP cookies are capable of holding. One of the most worrying types of Flash cookies are zombie cookies. A zombie cookie is a piece of Flash code that can return as a normal HTTP cookie after being deleted from a browser’ cookie holder.

How to tackle Flash cookies

There are different methods to deal with Flash cookies. The first is to modify your Flash preferences. While some LSOs appear to be able to evade the preferences settings, it is worth to give this a try.

In order to get rid of the remaining site cookies, you can go to the Adobe Website Storage Settings Panel, where you can find a list of Flash cookies on your computer. If you know any of the websites in the list and you visit them on a regular basis, you may have to keep their cookies since they may be convenient. The rest of the cookies in teh list should be deleted.

You can prevent new sites from generating cookies by going to the Adobe Global Storage Settings Panel (you can simply click on the Global Storage Settings tab located in the Settings Manager instead) and setting the slider to “None”. Then click “Never Ask Again”. Keep in mind that this can create issues when visiting websites that require Flash functionality.

Delete Flash cookies manually

This is another solution and it also allows you to confirm that other methods have worked correctly. To manually delete Flash cookies, follow the below steps:

  1. Windows users can open a Explorer window and enter “%appdata%” into the search bar. Click twice Macromedia, then Flash Player, followed by macromedia.com, support, flashplayer and then sys. You will come across folders that contain a .sol file, which is the cookie itself. You can delete all these folders.
  2. The steps in Mac are going to Users, then username, Library, Preferences, Macromedia, Flash Player and then search for any .sol files in the folders.
  3. Linux users can follow this sequence: home, username/ .macromedia then Flash_Player, macromedia.com, support, flashplayer and finally sys. Alternatively, run the command “find ~/.macromedia/ -type “f – name settings.sol -exec rm -v {} \;

Delete Flash cookies automatically with CCleaner

Windows and OS X users can rely on CCleaner, a convenient tool for cleaning your system. While by default, it doesn’t get rid of Flash cookies, it is possible to make changes in Windows Vista and 7 by following the below steps.

  1. Open CCleaner and go to Options, then Include and Add:
  2. C:\ Users\User name\ AppData\Roaming \Macromedia \Flash Player -> #SharedObjects
  3. C:\ Users\ User name\AppData\ Roaming\ Macromedia\ Flash Player\ macromedia.com -> support -> flashplayer -> sys
  4. 2. Go to “Exclude” and Add: C:\Users\User name\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol

In Windows XP, include C:\Documents and Settings\name of user\Application Data\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

Also C:\Documents and Settings\name of user\Application Data\Roaming\Macromedia\Flash Player\#SharedObjects

2. Exclude the following:

C:\Documents and Settings\name of user\Application Data\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol

The below steps are for OS X users:

  1. Include: Users, then username, Library, Preferences, Macromedia, Flash Player
  2. Exclude: Users, then username, Library, Preferences, Macromedia, Flash Player and settings.sol

Delete Flash cookies using Internet Explorer or Google Chrome

New versions of Chrome, Firefox and Internet Exlorer use Flash Player 10.3 and above to delete Flash cookies automatically. The browsers; built-in Clear History functions are used for this purpose. Although this is a convenient option that uses the NPAPI ClearSiteData API, it is not 100% effective and may not get rid of all Flash cookies in your system.

Blocking Flash cookies in Android

Thanks to Apple’s take on Flash, LSOs are not an issue for iOS users, but the downside is that they don’t have support for Flash and don’t get to enjoy its functionality. With the introduction of Android Jelly Bean 4.1, Flash was no longer supported on the platform. However, it may still be installed on older devices and since many websites still use Flash, it is possible to manually sideload the .apk. If Flash is installed on your device, you can find the Flash Player settings icon in the app drawer. You can disable Flash cookies by going to Local Storage and selecting “Never”.

Browser Plugins

It is also possible to find browser plugins to block and control Flash cookies. Some of them are Ghostery, Better Privacy and Disconnect. However, it is important to note that if you use these plugins, your browser becomes more unique, which makes it more likely to be affected by Fingerprinting.

Conclusion

Dealing with Flash cookies can be challenging, but being aware of the problem and avoiding Flash whenever possible, can help. While the implementation of NPAPI ClearSiteData API has also contributed to manage the threat, it is important to keep in mind that new techniques have been developed by those who wish to identify and track users on internet.