The next front in the cookie wars: Fighting the Evercookie

Web-browser cookies, you either love or hate them. There is no in between. Well, get ready to be either more in love or more upset.

Like most technical aspects of the Internet, cookies seemed to make sense when they were first introduced. In some regards, they're still useful. But there's a dark side. Cookies can be used to track our movement on the Internet, and many say that's not right.

What exactly is a cookie?

Technically, a cookie is a benign piece of text originating at the web server and sent to the web browser, where it is stored in preparation for the user's next visit. Cookies can be used to automate web site authentication, retain web site preferences, shopping choices, or other bits of information intended to facilitate the visitor's experience.

There are two types of HTTP cookies. First-party cookies are sent from the web server listed in the address bar. Third-party cookies arrive from different web servers, usually ones serving ads on the displayed web page.

Not being associated with the currently-displayed domain, third-party cookies allow advertisers to compile an online history of users. The ad companies then use behavioral targeting to serve directed ads. This is where it gets complicated. Do you allow your movements on the Internet to be tracked, just to get ads that are better-suited for you?

Removal options

In an ongoing struggle, advertisers develop ever more persistent cookies. Then, security experts devise new ways to prevent cookies from being installed. Each web browser has its own way of handling cookies. Check the web-browser options or preferences tab. Privacy pundits suggest at least disallowing third-party cookies.

Last year, a new type of cookie was quietly introduced. It's officially called the Local Shared Object (LSO), commonly called a Flash cookie. More persistent than HTTP cookies, it requires additional web-browser extensions to remove.

The cookie war continues

For the most part, users control what cookies are installed. That's about to change. While researching an article, I came across Samy Kamkar's (@samykamkar) web site, Evercookie--never forget. The title grabbed my attention. What is an Evercookie? Here is Mr. Kamkar's description:

"Evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies, and others."

Here we go again.

In-depth analysis

If the name Samy Kamkar sounds familiar, it's because he is best known for the Samy worm, the first XSS worm, infecting over one million users on MySpace in less than 24 hours. Currently, he's an independent security researcher and co-founder of Fonality Inc., an IP PBX company.

Not being an expert when it comes to how web browsers interact with cookies, I thought it best to ask Mr. Kamkar to help explain Evercookie:

TechRepublic: What is an Evercookie and why did you develop it?

Samy Kamkar: Evercookie is a JavaScript API that allows storing cookie data in a number of different locations when a user visits a web page. Normal sites would typically just store data (such as a session identifier) in something like a cookie.

However, Evercookie not only uses the cookie, but a number of other locations such as Flash cookies, Silverlight isolated storage, and various locations of HTML5 storage. When a user deletes their standard cookies, the other locations remain and are able to rebuild the original cookie.

I built Evercookie as a proof of concept, wanting to show how web sites are able to track users even if they delete standard cookies and LSOs. Evercookie also sheds light on the fact that there are numerous methods for storing cookies locally. Finally, Evercookie acts as a litmus test for users who want to see if they're protected from web sites that track like this.

TechRepublic: Several experts have commented that the following two storage methods are brilliantly devious.
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web History

Could you explain what they are and why the experts feel that way?

Samy Kamkar: Storing cookies in the PNG image is interesting, since an image is really just data. The data you want to store gets converted to color values. The color values are strung together in an image to produce a PNG file.

Evercookie then tells the browser to store that image for 30 years in its cache. When the user returns to the site, the image is accessed via cache and the page then reads each pixel of the image, extracting the colors from each pixel. The colors are converted back to text which produces the original cookie data.

Storing cookies in web history uses an interesting feature of web browsers.

Let's assume the cookie data we want to store is "bcde". Evercookie then accesses the following URLs in the background:


These URLs are now stored in the browser's history. When checking for a cookie, Evercookie loops through all the possible characters on, starting with "a" and moving up, but only for a single character.

Once it sees a URL that was accessed because it's in the browser's history, it attempts to brute force the next letter. This process occurs extremely fast because no requests are made to the server in question. Evercookie knows it has reached the end of the string as soon as it finds a URL that ends in "-".

TechRepublic: Is the installation process automated or does the user have to initiate it?

Samy Kamkar: No, the client simply visits the web site. There is no indication that persistent data is being set, exactly like a website with standard HTTP cookies.

TechRepublic: Each version of web browser has a method to surf privately. Does that prevent Evercookie from storing a cookie in any of the locations you have chosen to use?

Samy Kamkar: Most private-browsing features of web browsers stop almost all features of Evercookie. The problem is it only requires one location to remain for the Evercookie to keep its tab on the user. Hopefully, these features will improve in future versions and prevent all of these storage methods.

TechRepublic: Can Evercookie be defeated by disabling JavaScript or using an application like NoScript?

Samy Kamkar: Yes, NoScript or turning off JavaScript will prevent the Evercookie from being created.

TechRepublic: I use more than one web browser, does the Evercookie work if I switch to a different one after receiving the Evercookie?

Samy Kamkar: If a user gets cookied on one browser and switches to another browser, as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers.

TechRepublic: You mentioned Local Shared Objects (LSO). Do extensions like FlashBlock, CCleaner, or Adobe's Website Storage Settings panel remove Evercookie's version of LSO?

Samy Kamkar: While those will stop the LSO, it will not prevent any other methods of storage, and it only takes one storage mechanism to allow full tracking.

TechRepublic: I have read a few comments from developers that the Evercookie is exactly what some of their clients want. Do you know if this is still a Proof of Concept or actually being used?

Samy Kamkar: I don't know if Evercookie itself is being used, but I know companies have already employed similar, yet less powerful software to do this.

TechRepublic: You have an interesting motto, "Think bad, Do good". Could you explain what you mean?

Samy Kamkar: I simply believe the best way to protect ourselves is to understand how we can be exploited in the first place.

TechRepublic: You also have been quoted as saying (Courtesy of Ars Technica):

"I hope Evercookie simply demonstrates to people what types of methods are being employed to track them and to decide whether or not they want to prevent those methods. Evercookie took less than a day to create for me as a security hobbyist, so I can only imagine the technology that funded developers is producing."

What are your thoughts about the pending lawsuits related to cookies and their ability to track online travels?

Samy Kamkar: I'm not sure it's enough of an issue that lawsuits are necessary, but I do believe users should have the full right to prevent any web site from tracking them. I also believe the web browser should make it extremely easy for a user to prevent this sort of tracking. However, no web browser currently makes it easy to do. I'm hoping Evercookie can spawn some new features that will make it easy to prevent Evercookie-like tracking.

Removing the Evercookie

Mr. Kamkar was correct. I found two researchers who have developed methods to remove Evercookies. Jeremiah Grossman, founder and CTO of WhiteHat Security, has written a blog showing how to remove the Evercookie from Chrome and Firefox. Dominic White, a security consultant working for SensePost, has written a tool for removing Evercookies from Safari.

I asked Mr. Kamkar if these were indeed solutions:

"It appears they provide information on how to remove the Evercookie. It's just such a cumbersome and difficult process that the typical user would not make use of them."

Final thoughts

The cookie war is far from over. It appears that standard prevention practices are insufficient, due to the new locations where cookies can be hidden. The only sure solution is to disable JavaScript to prevent the setting of an Evercookie.
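
The interview's central point, that one surviving storage location is enough to rebuild a deleted cookie, can be tested for from the defender's side by comparing storage snapshots taken before a cookie clear, after it, and after revisiting the site. The following is an added example, not code from this article or from the Evercookie project; the function name, snapshot layout and all values are constructed for illustration.

```javascript
// Added example: respawn check over browser-storage snapshots.
// Location names follow the article; every key and value is constructed.

// Flag cookies that were deleted, came back with the same value, and whose
// value had survived in at least one non-cookie location.
function findRespawned(before, afterClear, afterRevisit, minLen = 6) {
  const findings = [];
  for (const [name, value] of Object.entries(afterRevisit.cookie || {})) {
    const sameAsBefore = (before.cookie || {})[name] === value;
    const wasDeleted = !(name in (afterClear.cookie || {}));
    // Short values ("1", "en") match by coincidence, so skip them.
    if (!sameAsBefore || !wasDeleted || value.length < minLen) continue;
    const survivors = Object.entries(afterClear)
      .filter(([loc, kv]) => loc !== 'cookie' && Object.values(kv).includes(value))
      .map(([loc]) => loc)
      .sort();
    if (survivors.length > 0) findings.push({ name, value, survivors });
  }
  return findings;
}

// Constructed snapshots: the user deletes standard cookies only.
const before = {
  cookie: { uid: 'k3x9q2v7', layout: 'compact' },
  flashLso: { uid: 'k3x9q2v7' },
  localStorage: { uid: 'k3x9q2v7' },
};
const afterClear = {
  cookie: {},
  flashLso: { uid: 'k3x9q2v7' },
  localStorage: { uid: 'k3x9q2v7' },
};
// On the next visit the site sets its default layout again, and uid returns.
const afterRevisit = {
  cookie: { uid: 'k3x9q2v7', layout: 'compact' },
  flashLso: { uid: 'k3x9q2v7' },
  localStorage: { uid: 'k3x9q2v7' },
};
// Contrast: every location was cleared, so the site can only issue a new id.
const afterFullClear = { cookie: {}, flashLso: {}, localStorage: {} };
const afterFreshVisit = { cookie: { uid: 'p8m4t1z6', layout: 'compact' } };

function demo() {
  return {
    partial: findRespawned(before, afterClear, afterRevisit),
    full: findRespawned(before, afterFullClear, afterFreshVisit),
  };
}
console.log(JSON.stringify(demo()));
```

The `layout` cookie also returns with its old value but is not flagged, because no other location held that value; only `uid`, which survived in two places, is reported.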

A special thanks to Mr. Kamkar -- I asked a lot of questions.