Flash Cookies? What are Flash Cookies?

Life as a support pro requires that one be versed in a little bit of everything. Put on your Security hat: there is a new threat to users' privacy.

----------------------------------------------------------------------------------------------------

I have to say up front that I'm not really that fastidious about keeping my browser clean. That doesn't mean that I'm surfing adult sites or anything, I just don't spend a lot of time worrying about cookies or Web advertising.

The idea that companies might be tracking where I go online used to bother me more, I guess, when the idea of monetizing the Internet started to take off a few years ago. Frankly, there are a lot of things available on the Web right now that I can use and enjoy because they are supported by advertising. So, if putting a cookie or two on my browser helps to keep those sites running, I say go right ahead. (I also tend to feel like my browser doesn't perform as reliably when extended with ad-blocker plug-ins, but that's a post for another time.)

A recent Wired article turned me on to a new tool for Web advertising, though -- something I hadn't heard about before, something that I'm less comfortable with. There is a new way to track a user's Web habits, something colloquially known as a Flash Cookie.

It turns out that Web site operators can use Flash applets embedded on their sites to write information into a preference file stored on the computer that visits the site. One thing this preference file can be used for is recreating a browser cookie that may have been deleted, or storing other tracking information. The idea of using Flash as a means of hiding a tracking cookie on a machine bothers me because it is insidious. There are clear interfaces built into Web browsers for managing regular cookies, and users can delete or reject them as they choose. Flash Cookies are hidden in user libraries and preference files, and to manage them you have to burrow into Adobe's support site to find the applet that will manage the privacy settings for the Flash Player installed on your computer.

Did you catch that? To manage the privacy settings of a program installed on your computer, you have to go to an external Web site. That bothers me on a fundamental level. I should be able to manage the software on my computer using tools on my computer, without having to go to a vendor's Web site.

Because Flash Cookies use preferences written elsewhere on the computer, they aren't tied to a single browser. I visited the Adobe page containing my Flash privacy settings with 2 different browsers and saw the same list of sites that are storing information on my machine. So, in that way, Flash Cookies are even better than regular browser cookies for advertising use, because they can affect every browser you have installed. A Flash Cookie could identify you to an advertiser, even if you've never visited the site with this specific browser before!

I don't choose to block Web ads, and I don't aggressively delete cookies, but I have users frequently ask me how to do so. People are right to be concerned about their privacy. When people delete cookies, I believe that they should be able to count on them staying deleted and not being recreated from information stored by Flash. If you have clients who are concerned about how their browser usage may be being tracked or who are interested in seeing fewer ads, I believe that you should start including Flash Cookies in your support interactions. I found that my computer was storing more than I had anticipated.

To take a look at the Flash Cookies your computer is storing, click here.

For a more detailed--and technical--discussion of this issue, check out Michael Kassner's excellent post over in the TechRepublic Security blog.

46 comments
HardlyNoticable

Come on guys... wouldn't it be GOOD if your habits were tracked? I mean, if they are going to show you ads anyway (and let's face it, they ARE), wouldn't it be good if the advertisers knew enough about you that they were actually able to show you ads you may actually be INTERESTED in? I mean, I look forward to the day that advertisers know enough about me that they'll never again try to sell me tampons or feminine hygiene products (I'm male) or many of the other utterly inappropriate things that I'm regularly advertised. One of the things that I like about online advertising is that there is the possibility of having ads actually be something USEFUL, that I may actually WANT. As far as I'm concerned, this stuff is all good and I can't wait for it to get better. I wish there was a way that I could opt into some kind of network that analyzed my habits so well that it started anticipating my needs before I even knew I had them. Now THAT would be useful.

f1087

Many thanks for the info re flash cookies. Very interesting - and a bit scary

timebrat

In the Facebook and Twitter age, it's getting harder and harder to find ways to stay private, if you want to. Do these companies feel we don't want privacy because we'll post everything about ourselves anyway? If they just ask we'll likely tell them what they want to know. We still want to be asked. When did the Internet go from a great idea of sharing information (by choice) to nothing more than digital stalking?

JCitizen

but with today's exploit vectors, why take a chance? Advertisements are about 75% of the vectors malware use to get on my machine; or attempt to, that is* ]:)

lazaurus

Personally, I feel that they are just another "open door" for hackers to exploit. Like so many other "new ideas", i.e. enhancements, introduced over the years, they all "seem" to end up being "addressed" on a 'Patch Tuesday' as another security risk.

johnphodges

Although running ubuntu 9.04, I was alarmed by this report. I checked the Flash Cookie presence and was relieved to find none.

jraz

I have to agree with William about this. I too don't mind the ads as they keep the Internet relatively free. But this is the first time I have heard of this and it annoys me that it hasn't been exposed very much. Why aren't people talking about this? Can this be used as another way to exploit us via malware?

michaelkolynych

Have you any idea of how flash cookies affect performance of the browser?

Richard Noel

How am I supposed to manage these settings for all the users on my terminal servers?

KI4QFL

Access a website, to remove cookies, on your PC. I agree that does not sound like a good idea.

Shergill

Thank you. For someone who deletes temp files about 3 times a day, I found a lot of cookies.

williamjones

There are tons of ways companies try to gather information about Internet users, and almost as many tools to evade them. What are some of your favorite utilities for protecting your online privacy?

MWRadio

I just went to the Adobe site and used it to clear "all" the "cookies". Then did a search for .sol. I still had at least 15 left, including 5 that belonged to a "jasminelive" that I recognize as a porn webcam website. Now I have never visited that site! I know where it came from though. Ads on the sides of those semi questionable sites hawking free driver downloads. Every once in a while I'll fall into a new one or go to one I had forgotten about while trying to find an obscure driver for an older piece of hardware. Now I'm branded as a porn user just cause an ad appeared on a site I visited! Now I'll be targeted with more of the same! I can be just sitting there browsing an "innocent" website and have this garbage pop up in front of my daughter looking over my shoulder and YOU THINK IT'S A GOOD THING?!! What planet are you from? Also I have noticed a major increase lately, of drive by downloads of stuff like "Antispyware 2010", the latest in the string of fake antiviruses. It used to be that you only got these by sheer stupidity. Downloading them when looking for free antivirus. Now they come to you. And I know where too! I have had several users who I trust their abilities, tell me that attacks by these rogues have appeared when ad banners were changing at the top or sides of their screens. Just three days ago it happened to me! Behind a Firewall Router! My Antivirus stopped it from doing any damage but the potential was there, I just knew enough to hit Alt+F4 to close the popups instead of clicking close. Someone else would have and they would be then giving that junk permission to do more. One user said his came from a banner for USA Today on his ISP's HOME PAGE! Mine came from a banner selling Fords! You don't think this is a problem?! God I hate flash! But you can't do without it any more. Too many of the user interfaces seem to be animated with it these days. I keep my system up to date at all times, Adobe, Microsoft, my Antivirus, all of it... but we're just inviting this garbage in just so every picture on a website can move or interact with you. How stupid!

JCitizen

but some other members report their Ubuntu has .sol files. I guess they may have a different version, or used grep to find the files.

JCitizen

the server communications they incite, have caused my browser to lock up, and connections to fail. CCleaner usually gets me through 85% of the time, Adaware's Adwatch is even better, MBAM with real time protection even better; best as far as I'm concerned! Adblock Plus and/or SpywareBlaster speed my surfing up because of ad blocking, and many malicious vectors are closed this way too! I do not work for any man or company; I just hate malware to pieces! It is too bad we can't all put up with ads, but with so many bad ad servers out there it is taking a risk to trust them, nowadays. The crime crackers have pwned many of those ad servers. Plus about 60,000 sites are compromised now also, mostly through flash ads, or Adobe Reader links.

Michael Kassner

The only issue I found was targeted adverts being displayed and if they are more intense than the random ones.

Michael Kassner

Did you read my article? http://blogs.techrepublic.com.com/security/?p=2299 I would suggest using BetterPrivacy if you are running Firefox. That's another story, I have most of my clients switched. Also, if you are running Microsoft AD, you can set up group policies to prevent writing to the folder where Adobe stores the .sol files (Flash cookies).

yobtaf

Is that information gathered by these cookies is no doubt sold without my permission. If some corporation wants information about my internet habits, I feel that they should pay me for it. To me this is a form of theft. Excuse me but I meant this to be a separate post and not a reply to the question.

jck

I thought flash cookies were: "At the Motley Crue concert, I saw that girl flash her cookies." ]:) :^0

user support

Using the internet is a convenience like any other service except there is no central authority in control. Cookies, flash cookies, whatever name you use, they need to be accepted to have a seamless experience while browsing. There really isn't much competition in software when you decline a privacy agreement and go in search of another product to use. Due to software constrictions at work we are still on IE6 and very few users clean out the cache, cookies or history which slow down your browsing experience. We are also not allowed to have tools on clients so we install software such as CC Cleaner to clean a machine and remove it. Then we install a competing brand to clean up what CC Cleaner didn't get and then remove the software. At work, I clear the browser files once a week. At home I use Firefox on the Windows Tablet and it is configured to clear all files upon closing. Still I run Adaware Anniversary Edition every time an update comes out. Twice a month it finds hidden cookies. I just bought an iMac so I am not sure how to clean the cookies even though Safari says it is configured to do so. Eventually when someone files a class action lawsuit, Adobe will come around. Since this is America another software manufacturer will create something to take its place. Life is good!

JCitizen

depending on whether you use FireFox or IE8. My issues with cookies and their attendant temp files are many, so I use MBAM to keep the crud off in the first place. I'm not sure Adaware Anniversary Edition's AdWatch will deal with this new irritation. I quit using XP a long time ago. I'll ask my clients how many of these .sol files they are finding with CCleaner (while using Adwatch). I'd bet Piriform's fine utility gets rid of 98% of them with each quick scan.

MartyL

I didn't read all the posts - I just want to be sure this information is available. There was an article a few days ago on another site - Wired, maybe - that described where to find the .sol files. They appear, give or take a subfolder, at c:\documents and settings\username\application data\macromedia\flash player\#sharedobjects\ABCDEFGH\*. Where ABCDEFGH is an eight-character string and *. indicates subfolders. Delete all the subfolders. I found additional files in another set of subfolders at c:\documents and settings\username\application data\macromedia\flash player\macromedia.com\support\flashplayer\sys\#*. Where #*. is a subfolder whose name begins with #. Delete those, too.
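
As an added example (not part of the original post or any commenter's code), this Python script takes a read-only inventory of .sol files per site, using the two folder layouts described in the comment above. The Linux and macOS locations in `candidate_roots`, the `#SharedObjects` capitalisation, and all `example.*` site names are assumptions; the sample tree is constructed.

```python
"""Read-only inventory of Flash Local Shared Objects (.sol files) per site."""
import os
import tempfile
from collections import defaultdict
from pathlib import Path


def candidate_roots(env=os.environ):
    """Existing per-user Flash Player data directories (assumed locations)."""
    home = Path(env.get("HOME") or env.get("USERPROFILE") or Path.home())
    roots = [
        home / ".macromedia" / "Flash_Player",                              # Linux
        home / "Library" / "Preferences" / "Macromedia" / "Flash Player",  # macOS
    ]
    if env.get("APPDATA"):                                                  # Windows
        roots.append(Path(env["APPDATA"]) / "Macromedia" / "Flash Player")
    return [r for r in roots if r.is_dir()]


def inventory(flash_root):
    """Return {site: {'files': n, 'bytes': n, 'has_settings': bool}}."""
    root = Path(flash_root)
    sites = defaultdict(lambda: {"files": 0, "bytes": 0, "has_settings": False})

    # Stored data: #SharedObjects/<random 8-char dir>/<site>/.../*.sol
    shared = root / "#SharedObjects"
    if shared.is_dir():
        for sol in shared.rglob("*.sol"):
            parts = sol.relative_to(shared).parts
            if len(parts) < 3:          # not under <random>/<site>/
                continue
            sites[parts[1]]["files"] += 1
            sites[parts[1]]["bytes"] += sol.stat().st_size

    # Per-site settings: macromedia.com/support/flashplayer/sys/#<site>/
    sys_dir = root / "macromedia.com" / "support" / "flashplayer" / "sys"
    if sys_dir.is_dir():
        for entry in sys_dir.iterdir():
            if entry.is_dir() and entry.name.startswith("#"):
                sites[entry.name[1:]]["has_settings"] = True
    return dict(sites)


def build_sample(base):
    """Create a constructed Flash Player tree under base; all names are made up."""
    root = Path(base) / "Flash Player"
    so = root / "#SharedObjects" / "ABCDEFGH"
    sys_dir = root / "macromedia.com" / "support" / "flashplayer" / "sys"
    files = {
        so / "ads.example.com" / "tracker.sol": b"0123456789",
        so / "ads.example.com" / "player" / "v1" / "id.sol": b"abcdef",
        so / "bank.example.net" / "login" / "device.sol": b"wxyz",
        sys_dir / "#ads.example.com" / "settings.sol": b"s",
        sys_dir / "#old.example.org" / "settings.sol": b"s",
        sys_dir / "settings.sol": b"s",
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for root in [build_sample(tmp)] + candidate_roots():
            print(root)
            for site, info in sorted(inventory(root).items()):
                print(f"  {site:24} files={info['files']} bytes={info['bytes']} "
                      f"settings={info['has_settings']}")
```

A site that shows `files=0` with `settings=True` has had its data removed but still has a per-site settings folder under `sys`.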

JCitizen

the advertisers better clean up their act first, before I let 'em in my computer. Ad Block Plus keeps almost all of them out of my FireFox sessions, and MVPS keeps them out of my Internet Explorer sessions. Until then, that's the way I run. I haven't had a script, .bat attack, or flash drive by for what seems like forever!

bboyd

Also can flash write them to other file type or append a file with them like a virus. Wish I could conveniently do without flash or any Adobe product given their history. Any alternate flash players that I can use to unleash myself from Adobe. When an agency like Homeland Security issues warnings on your software it's time to eliminate any level of trust. I've gone over to Foxit for readers for exactly the same reason. My software should not phone home to report on me.

aijayes

I looked at the Flash Cookies I had, and one is from my bank. My bank has an "extra security feature" which writes a file to your hard drive (which I knew). And if I try to access my account from a computer that does not have that file, I have to go through extra steps to prove who I am. It's not always an evil thing...

nospam.online

You're correct, Internet users' information is constantly taken without your permission and knowledge and in many cases it's re-sold to others for money or stored where someone else can get it later. Sadly, all too many feel that this is all just part of the world doing business so they don't stand up to it and others feel it's "too big to fail" so they never act to stop it. Yet, many of ranted over GWBush listening to phone calls and call for action. Go figure.... I feel this should be a basic part of an Internet user's "Bill of Rights" (call it privacy of ownership) and any violation of it should cost $ per occurrence like violations of the FDCPA. The US law used to be based on this and it helped keep some people doing business "legally" but now they buy the government, it changes the laws in their favor and we live as best we can day to day as the right to defend ourselves from such actions are being taken by this Obama administration. Same point on Spam emails and phone calls....

JCitizen

with CCleaner. The newest version gets rid of almost all of the cookie files. It won't help with documents or shareware utilities that hold them though, unless they reside in a temp folder or one of the places CCleaner cleans up. It scans so fast, it is well worth using. It is a free utility, but I give 'em a few bucks with PayPal once in a while. Donations are definitely worth it with this one. MBAM will keep the nasty ones off automatically if you don't mind the cheap LIFETIME license!

pdx-man

The irony of all this is: 1. One has to log in to Tech Republic (likely with a cookie set) to post & comment on this forum. 2. To send comments to Adobe, one must log in with one's user name, then implicitly agree to the terms of use and "privacy" policy... 3. Finally, good luck finding a form, e-mail address or anything else at Adobe where one can send a REAL complaint. 4. Overall, we are missing the big picture: In other words, our "right to privacy" needs to be legally codified and iron clad. In short, a Constitutional amendment stating that each individual explicitly owns their respective personal information and data and all access and use thereof, and that any access, dissemination and/or use without specific written consent of the individual is strictly prohibited.

Zeppo9191

I also took the opportunity to complain about their Download Manager and the terrible instability of Adobe Reader. Not that I expect it to do any good, but I somehow feel better for having made the noise.

JCitizen

it has a host file but AdBlock takes precedence. It uses no resources and blocks Active X components common to many web page attacks. With even reputable sites cracked nowadays, I say that is pretty good! I buy the auto-update for 10 bucks a year, so it gives me a leg up on threats. It works for both FF and IE. It only uses registry tricks to kill bad Active X but the good anti-malware programs don't report these. Good Active X is not a problem.

MWRadio

Hey. Thanks for the reply. I'll have to look into those add-ons. Always looking for more ways to protect my customers. I hadn't had anything assault me in three years when this one hit. I was a little startled when it hit my first customer because he was using almost the exact same setup as I use (I set that machine up personally) and I thought I was fairly secure. Just goes to show you can't get too complacent just because everything is going swimmingly! Recently switched over to FF3.6 for both of us (had been using IE6 and I hate IE7 & 8).

JCitizen

is capable of sending screen shots within the limits of your camera resolution. Also, if you have something like Skype on board; they can send real time video to the cracker. This would not noticeably impact your connection speed if you had good bandwidth, and enough RAM/CPU power. I use Prevx to prevent this, but there may be other low kernel layer preventative solutions out there. User reviews at CNET are a good acid test when looking for alternatives.

Michael Kassner

Thank you for the links. As for the camera, I am not quite sure what you mean. If you are referring to whether the image taken by the web camera is as good as what you see on the screen, it depends on the quality of the camera. I would not consider it to be as good, especially if you resize the image to be full screen.

cewcathar

http://internet-security.suite101.com/article.cfm/your-computer-cookie-jar--the-low-down-part-one and http://internet-security.suite101.com/article.cfm/your-computer-cookie-jar--the-low-down-part-two in the latter I do not really discuss flash cookies since these are new to me. However, I want to tell readers how they can get rid of these too! Yours is the best information I've found; some URLs I do not want to send people to but techrepublic.com and wired.com I generally trust. Do I have permission to post a link to you? (I feel sort of strange posting these here; I do not want to be that famous.) I still have a question about the webcam: will the quality be that good when I cannot see myself, when my pixels are being used otherwise, to display an online page to me for example? Thanks, and regards, --C. E. Whitehead

Michael Kassner

Could you give us the link to your work? As for the web camera, I suspect it would be used for other purposes. Screen shots and recording key strokes can be easily accomplished with other types of malware such as key loggers. I think that the web camera and microphone would be used to spy on the physical surroundings or what is being said in the room.

cewcathar

Hi. This is a very nice article/blog and I may link to it from my own article on cookies (at another site) if that's o.k. with you. Flash cookies are bad largely because of size -- on a mini this is bad in my opinion. I do have a question -- perhaps this should be another thread. If a site accesses my camera, what can it get? A screen shot? Or what? (I do sometimes when I am typing under an awning in the rain -- which is rare -- fold my laptop almost together so that the screen and keyboards are more protected from mist; it's a difficult typing position but one I can do.) Is an image of my keyboard accessible? (I always assume that if I do not see an image in the screen of my laptop that there is not much that is readable that can be sent over the camera -- but I do not know.) Best, C. E. Whitehead

JCitizen

but CCleaner finds most of the ones that matter. I'm not sure AdAware blocks them, but MBAM blocks the misbehaving signals. AdWatch is still free for now, but MBAM's real time protection has a cheap lifetime license. I've never had a conflict with any anti-virus so far! (edited) for terminology accuracy.

guineapig

Yes, I choose to browse, just like I choose to browse the merchandise in a store, or read the menu in a restaurant. However, in doing that, I do not 'choose' to allow a photo of me shopping or eating to be passed around town so that the business can get more business.

swampcat

The costs of websites are part of doing business, or providing services. The costs are, like any other legitimate venture, expected to be derived from legitimate practices. When you embed anything hidden on anyone's computer, and without consent, or knowledge, that's borderline criminal to me. The fact that some people don't care, or aren't concerned, doesn't make it ok for everyone else. I don't think you would like a business bugging your phone line to collect your calling activity. Same thing.

blarman

If they want to promote the number of hits they get (for which they need a unique IP and browser), I don't have a problem. I do have a problem with them taking my name, address, email, etc. and using that without my permission or knowledge. There are a lot of ways to make money. Selling someone's personal information without their consent is not on my list of ethical/acceptable ones.

shaunad

Although I have to agree that I don't like the concept of my browsing habits being watched and the data sold, I understand that the websites I visit need to support the cost of making that website available to me. I don't feel it is robbery. We choose to browse. If websites didn't use these tools to make revenue, there would be a lot of sites that would become "members only" and we would have to start forking over real dollars to get the information that is currently made available at the almost invisible cost of the site installing a cookie. --Hey, I can delete cookies--but I can't get my pennies back once I've spent them. . .