Evercookie...

[weaselbites]

So I was browsing and came across this interesting concept - a cookie that stores itself in 8 different locations, and as long as one particular location remains active it can recopy itself elsewhere. At this point I would expect a third party like CCleaner to step in and deal with such a problem. I was just wondering whether CCleaner covers all those bases? I realise HTML 5 has not been implemented fully in all the browsers, and if I understand correctly the standards are not finalised either. Having said that, any thoughts would be welcome

 

http://samy.pl/evercookie/

 

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

 

Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

 

Specifically, when creating a new cookie, it uses the following storage mechanisms when available:

- Standard HTTP Cookies

- Local Shared Objects (Flash Cookies)

- Storing cookies in RGB values of auto-generated, force-cached

PNGs using HTML5 Canvas tag to read pixels (cookies) back out

- Storing cookies in Web History (seriously. see FAQ)

- HTML5 Session Storage

- HTML5 Local Storage

- HTML5 Global Storage

- HTML5 Database Storage via SQLite

 

TODO: adding support for Silverlight Isolated Storage, and using Java to produce a unique key based off of NIC info

[Nergal]

Uhhhh wow um uh

 

I really hope the devs will look into this

 

EDIT: I sent a message to a Javascript Guru I know. Hopefully he'll be able to better explain this to me.

[login123]

Hope you can share some info here, too. :-)

 

Edit: That link gave me a "stack overflow at line 796" warning. every time I clicked it. Have no idea what that means, but it is ... well... odd. Over my head.

 

Is that link legitimate? Read about Mr. Kamkar: BBC News

 

edit: Answer to my own question. No. Don't visit it. Does something to IE.

edit: I found a couple of those cookies on this machine. Posted a screenshot over on page 2.

[weaselbites]

Login123 - I am not sure what browser your using, but I have tried it in IE 8, Opera and Firefox and they all come out fine. I run spywareblaster and KIS2011 and nothing came up with any issues on the website. I actually got the link from a downloadsquad page...although I would add it appears the people who have now commented had the same idea as me. Come running to the CCleaner experts to help clean up such a mess!

 

http://www.downloadsquad.com/2010/09/21/evercookie-the-one-cookie-that-you-just-cant-delete/

[hazelnut]

It would just be his type of thing I bet to drop an evercookie when you visit his site

[ishan_rulz]

Oh my god, I visited his webpage: http://samy.pl/ ...it knows the my recently visited websites. How does that work? O.o

[Alan_B]

It would be a tremendous boon for average decent Internet users if some one or something (perhaps Piriform) produced a "Boycot List" of websites that issue Evercookies and any other form of Zombie cookie.

 

Alan

[Andavari]

It would be a tremendous boon for average decent Internet users if some one or something (perhaps Piriform) produced a "Boycot List" of websites that issue Evercookies and any other form of Zombie cookie.

 

You could block such snoopy sites with the Windows HOSTS file, or for a more permanent fix in the modems configuration settings - mine lets me block websites.

[Alan_B]

You could block such snoopy sites with the Windows HOSTS file, or for a more permanent fix in the modems configuration settings - mine lets me block websites.

I agree that is a solution if I know what sites to block.

I was thinking in terms of a list to which "bad" sites can be added by "victims" so that we know what to block before we suffer.

 

Alan

[login123]

Hi, weaselbites.

 

That is a great find. Scary.

 

Am using IE7, and have Powershadow running, so no changes will happen, else would not have visited Mr Kamkar's site. Not at all sure if Powershadow is related to the stack overflow warning. Don't even know what the stack is, but it sounds ominous. Anyhow, here is a screenshot.

 

Edit: Got that same warning when I went through the Downloadsquad link. Probably just not "Stacked" right.

 

Actually not sure if it is even a problem...someone who knows more might be able to say.

 

I just posted that in the spirit of "Better Safe Than Sorry".

 

Edited September 23, 2010 by login123

[login123]

@ ishan_rulz: His site may not really know your visiting history. If it is the green text in the lower right corner, it always says that, no matter what you have visited (based on 4 or 5 tries). See screenshot, after I visited several pages, w/ PS and Sandboxie running. Still don't know what it means, but that site doesn't SEEM to know where I have been. ?

 

[weaselbites]

@Login123 - I can confirm what your saying. I just fired up a virtual machine with IE 7 and as soon as I visit that website I get the same thing.

 

I must admit I know very little about this myself and find the thought very scary (I give it 6 months before some advertising network latches on this and starts doing this exact thing). However, this would be the sort of thing CCleaner could defeat unlike most browser's delete your browsing history. Browser clear your caches would most likely not touch the flash LSO's, the silverlight ones either. So it would need some sort of cookie cleaner to do so.

 

@ishan_rulz - I assume what its done is read your cookies. From your cookies it would be able to determine lots of sites youve been to. As each cookie is related to a domain. If your internet settings are not high enough, then I assume it would be able to read stuff quite easily. What browser are you using out of curiosity? I tried to get it to read my history in a virtual machine for IE 7 (by making it a trusted website) and Firefox without any luck. Does Java load by chance when you visit the website?

[camper]

I use FireFox (v3.6.10) as my browser and ccleaner (v2.35.1219) on Windows 7 - 64bit

 

ccleaner was able to clean up enough (or maybe all) of the "evercookie" so that I was assigned a new, different evercookie the next time I visited that site.

 

 

One thing to keep in mind about the evercookie --- flash cookies and regular cookies are limited in that they can be accessed only by the site that created them. evercookie has no such limits. The javascript, regardless of the site from which it is run, will be able to read any evercookie on your disk, regardless of the site that created it. This, in particular, is a gross security breach of past practices in tracking cookies.

[login123]

Hi, Camper. Welcome

 

Scary business. Have any idea why his site doesn't seem to show the actual history for this machine? Is maybe Sandboxie, or Powershadow, a virtualizer like Returnil?

[DennisD]

I honestly wouldn't worry too much about that.

 

Any website has the technology to find where you are coming from when visiting their site, and it's done all the time. They simply use "Referrer Information", which they can access without "interrogating your system". Most sites just don't make a meal of it and publicise it like that.

 

Referrer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or security purposes.

 

http://en.wikipedia.org/wiki/HTTP_referrer

 

I've been on that site for about 20 minutes, and this is as far as the "interrogating" could get because I disabled "Send Referrer Information" in my browser. I think the message displayed there is bulls**t. JMHO of course.

 

 

Using Opera. "Tools\Quick Preferences\Disable 'Send Referrer Information' button".

 

You could disable that feature in your browser permanently, but you would find some sites which will refuse to work properly without it. But not many.

[Andavari]

Using Opera. "Tools\Quick Preferences\Disable 'Send Referrer Information' button".

 

You could disable that feature in your browser permanently, but you would find some sites which will refuse to work properly without it. But not many.

I had Send Referrer off for months in Firefox, but just had to come to the realisation that it messes with some sites not working, ended up having to turn Send Referrer on and wow allot of aggravation has ceased.

[ishan_rulz]

@Login123 - I can confirm what your saying. I just fired up a virtual machine with IE 7 and as soon as I visit that website I get the same thing.

 

I must admit I know very little about this myself and find the thought very scary (I give it 6 months before some advertising network latches on this and starts doing this exact thing). However, this would be the sort of thing CCleaner could defeat unlike most browser's delete your browsing history. Browser clear your caches would most likely not touch the flash LSO's, the silverlight ones either. So it would need some sort of cookie cleaner to do so.

 

@ishan_rulz - I assume what its done is read your cookies. From your cookies it would be able to determine lots of sites youve been to. As each cookie is related to a domain. If your internet settings are not high enough, then I assume it would be able to read stuff quite easily. What browser are you using out of curiosity? I tried to get it to read my history in a virtual machine for IE 7 (by making it a trusted website) and Firefox without any luck. Does Java load by chance when you visit the website?

 

It does know exactly which pages I visited, but after I ran CCleaner it couldn't find anything.

 

Firefox w/ Adblock AND ESET Smart Security 4.

[kroozer]

I had Send Referrer off for months in Firefox, but just had to come to the realisation that it messes with some sites not working, ended up having to turn Send Referrer on and wow allot of aggravation has ceased.

Where is the Send Referrer option located?

[weaselbites]

In Firefox, you can disable the sending of the Referer header completely. Here are the steps:

 

1. Type ?about:config? in the location bar, and press return.

2. In the filter box, type ?referer? and press return. This should leave you with one preference, network.http.sendRefererHeader. This is probably set to 2.

3. Right click on network.http.sendRefererHeader and select ?Modify?

4. In the dialog that appears type ?0″ and press OK:

5. Close the window.

 

 

This blocks all referrers. However, it can cause some websites to break. Alternatively you can get an extension which will do it on a site by site basis.

[DennisD]

I've just tried out a button add-on for Firefox which enables you to change your referrer settings with one click.

 

Sitting on that site gave me the same result as I got with Opera earlier.

 

 

The only problem, as confirmed by Andavari, is that you might be toggling it on and off more often than you'd like.

 

It would be interesting to see how long you can browse with "referrer" set to off, so for those interested, the add-on is here:

 

https://addons.mozilla.org/en-US/firefox/addon/138988/

[Nergal]

Should Probably be mentioned somewhere that probably few, if any, sites have implimented this (Samy is a proof of concept guy, malware writer).

 

also most likley noscript (firefox addon) will soon block these as they do clickfraud (which may be another of Samy's inventions I can't remember)

[login123]

The situation is evolving.

 

I clicked on samy's site again today, Sandboxie and PS running, now no stack warning is given. The site immediately opened about 65 endpoints shown in TCPView, using port 12080, and wouldn't let me shut down IE7. The connection tab kept flickering. Don't even know what all that means, but I don't like it.

 

I think Mr. Kamkar and his site are to be avoided. His felony probation is apparently up, so he can now propagate, but he has gotten his last click from me. I hope.

[Nergal]

CCleaner found at least one of his in dom storage score ccleaner. My Javascript guy only briefly (in a retweet) mentioned samy's evercookie. I may make a google alert once the initial news stories die down later this week

[login123]

It would just be his type of thing I bet to drop an evercookie when you visit his site

 

Yep, guess so, here is what a couple of them look like in the Sandbox. Wonder know how many more there are?

 

 

Edit: guess that wasn't the last click.

[nikki605]

I have used the mvps HOSTS file for quite a while, so I decided to ask them about these cookies. Here is their reply:

 

"EverCookies" are a type of Cookie not an entry ... yes

the majority of 3rd party Cookies are blocked in the HOSTS

file ... however you still need to reset your Cookie settings.

 

You can address this problem by following these instructions:

 

Blocking Unwanted Cookies with Internet Explorer

http://www.mvps.org/winhelp2002/cookies.htm

 

Mike Burgess

Microsoft MVP - Consumer Security

"There's no place like 127.0.0.1"

 

Its interesting that his Blocking Unwanted Cookies link includes a plug for CCleaner.