
Evercookie: A cookie that undeletes itself from 8 different storages - codexon
http://samy.pl/evercookie/
======
abyssknight
I'm reading a ton of posts saying how terrible this is, why anyone would do
it, and so on. If you don't know, Samy also created the MySpace worm. OWASP
built a project called Anti-Samy to combat the work he did on the MySpace
worm. He was sentenced to three years probation, 90 days community service and
an undisclosed amount of restitution. I'm pretty sure he knows how terrible it
is, and that's the point. He spoke at Black Hat 2010 USA as well...

"How I Met Your Girlfriend: The discovery and execution of entirely new
classes of attacks executed from the Web in order to meet your girlfriend.
This includes newly discovered attacks including HTML5 client-side XSS
(without XSS hitting the server!), PHP session hijacking and weak random
numbers (accurately guessing PHP session cookies), browser protocol confusion
(turning a browser into an SMTP server), firewall and NAT penetration via
Javascript (turning your router against you), remote iPhone Google Maps
hijacking (iPhone penetration combined with HTTP man-in-the-middle),
extracting extremely accurate geolocation information from a Web browser (not
using IP geolocation), and more."

------
shib71
Once again I am forced to golf clap for a horrifying idea brilliantly
executed.

~~~
Groxx
No kidding. I especially liked:

> _Storing cookies in RGB values of auto-generated, force-cached PNGs using
> HTML5 Canvas tag to read pixels (cookies) back out_

and:

> _Storing cookies in Web History (seriously. see FAQ)_

Brilliant _and EVIL_. Wow.

~~~
nl
_Storing cookies in RGB values of auto-generated, force-cached PNGs using
HTML5 Canvas tag to read pixels (cookies) back out_

That's pretty "nice". It might be possible to "improve" it by storing metadata
inside the PNG, and then reading it by parsing it out of the raw data after
the call to getDataURL().

I haven't tried this though, and it's possible browsers drop the metadata when
they recreate the image. The spec says _A future version of this specification
will probably define other parameters to be passed to toDataURL() to allow
authors to more carefully control compression settings, image metadata, etc._

~~~
nl
Thinking about it a bit more, it's actually worse than that.

<http://www.nihilogic.dk/labs/imageinfo/> shows how to extract EXIF data from
JPEG files, so using EXIF + the cache hack is possible for sure.

<http://www.nihilogic.dk/labs/id3/> shows how to extract ID3 metadata from
MP3s in Javascript, so you could do a similar thing like that.

Can anyone think why just using the cache hack + a JSON data file wouldn't
work?

~~~
mey
It's even worse than that. <http://en.wikipedia.org/wiki/Steganography> That
slightly larger in disk size logo on the main site could be hiding a tracking
token for you....

~~~
nl
It's unlikely they'd use a logo, because of the brittleness of the technique
(ie, it relies on sending 304 Not Modified response due to the absence of the
special tracking cookie, not due to the actual cache status).

Also, it's not clear if you get access to the actual binary data from the
image as it is served, or new data generated from the image as it is displayed
- hence my question as to if using the metadata would work.

------
lukifer
What's truly disturbing is that this absolutely meets a need for a paid gig
I'm working on now, where the client wants persistent identity tracking for
the purposes of marketing and analytics. (I'm part of the problem, aren't I?)

~~~
c1sc0
You're not the only one, the SEO people in my company got onto this
surprisingly quickly. I sometimes feel black (hat) has become the new white:
for whatever reasons companies seem to be more willing to accept the less
ethical sides of doing business on the web. Anyone else notice this or is it
just me?

~~~
flatulent1
This technology clearly goes way too far. It might be a good idea to remind
employers of when the state of Texas sued DoubleClick for stalking. Knowing
how to do something doesn't mean that you should do it.

There will be some backlash to this sort of thing, seen as an increasing number
of surfers strip back enabled browser functionality.

------
herf
Missed one: ETag with If-None-Match (server roundtrip), similar to RGB
method...

~~~
jrockway
Brilliant.

------
danilocampos
Yet another moment in human history where someone brilliant decided to do
something because they could without asking if they should.

Perhaps one day Samy will look back and reflect that he isn't an evil man,
though he has done evil things.

(The thing is I'm not even sure how serious I am. On the one hand, damn,
clever. But on the other hand, I can see some truly miserable privacy issues
at play here.)

~~~
kogir
All of the methods he uses have been known to the web-app security community
for a while. He's simply raising awareness of what's already broken.

Keeping these things quiet helps nobody. We need more privacy and security
issues to be publicly demonstrated so that they'll get fixed instead of
ignored.

As an example, his work exploiting wireless routers to get location is genius.
Who would have thought that having your router's wireless MAC available to
your internal network allows a website to determine your location to within a
few hundred feet? It uses well known and oft ignored attack methods to produce
a sensational result with which everyone can immediately identify.

See: <http://samy.pl/mapxss/>

~~~
danilocampos
Important point. Better to let everyone see the truth of evercookie than let
the bad guys enjoy it in the dark.

Still, with it all packed up so tidily, a few rascals will do something
interesting with it.

~~~
barrybe
Also now that it's packed up so tidily, we'll probably get some better tools
for blocking/removing all of those tricks. Think of it like an Acid3 test for
browser security.

~~~
danilocampos
That's a good perspective. It's my fervent hope someone names their tool
everenema.

~~~
boredguy8
I humbly suggest "Everclear"

~~~
qntm
"Milk"?

------
naturalized
I know that in Chrome's incognito mode, nothing gets written to the disk at
all (including Flash's Shared Objects). So if I open an incognito window,
browse, then close Chrome, then open another incognito window and return to
the page, does this defeat all this?

~~~
atldev
Nope, just tried it. Incognito, cookies there. Clear cache, incognito mode
again and 3 types still captured. Really quite fascinating.

~~~
lukasb
So we need a stateless browser and don't have one.

~~~
c00ki3s
wget or curl come to mind

------
kungfooey
I think it's appropriate to mention that the New York Times just ran an
article covering some lawsuits related to tracking users:

[http://www.nytimes.com/2010/09/21/technology/21cookie.html?p...](http://www.nytimes.com/2010/09/21/technology/21cookie.html?pagewanted=all)

I think the take-away here is that if you're going to use a trick like this,
it might be in your best interest to be transparent with your users and offer
a way for them to remove all of this information. Of course, if you're using
this particular hack then you probably don't want your users to remove the
cookie to begin with.

------
mike-cardwell
Firefox's BetterPrivacy addon defeats all of these techniques. I just tested
and confirmed this myself.

~~~
mike-cardwell
I also have Firefox clearing all cookies and all history on exit so that
probably helped during my testing. BetterPrivacy dealt with the lso stuff
though.

I don't know why people allow cookies to persist between browser sessions.
I've been clearing them on exit for years now and it really doesn't make it
more difficult to use the Web.

~~~
Retric
I only restart Firefox 1 or 2 times a month. Keeping all those tabs open
really is far more useful than having the same sites bookmarked.

~~~
eru
You can ask Firefox to restore the tabs from the last session. So restarting
becomes cheap. (You can also do this to Chrome and Opera, and probably other
browsers.)

------
swankpot
so now that I visited his page, how do I get rid of his supercookie?

could a Greasemonkey script automatically clean up the supercookies after
they have been planted?

~~~
tbrownaw
<http://www.dban.org/> (the only way to be sure)

------
Pistos2
Just tried this in Opera. Having never visited the site before, I opened it in
a "New Private Tab". Set Opera to reject all [normal] cookies from that
domain. Saw an ID number on the page; recorded it. Opened another private tab.
Saw a different ID number. Refreshed page; got yet another (different) ID
number. Revisited page within same [private] tab (pressed Enter in address
bar): got yet another (different) ID number. Did the same in Chrome (regular
tabs): saw same behaviour.

Using two different private tabs in Opera, I get two different IDs to start
with, but when using the "click to rediscover" buttons, both allegedly private
tabs [eventually] end up with the same ID.

------
jrmg
What are the privacy laws surrounding consciously circumventing user intent
like this? Is it legal to use this in the USA? In Europe?

~~~
danielnicollet
For me that's the major question here. What are the legal implications, since
using this sort of cookie involves a set of hacks that derive the normal use
of various systems for a purpose they were not intended for in the first
place, and since it is intended to defeat some of the privacy protections of
browsers? I am not condemning this clever system but I am curious about the
privacy and other legal issues here...

------
xtacy
So by default, I should be browsing every site in Incognito/private browsing
mode, then.

~~~
phil
Will that defeat Flash storage and the PNG caching trick, too?

~~~
_delirium
On the newest Flash, it looks like Adobe's added specific private-browsing
support. No idea how solid it is, but from
[http://www.adobe.com/devnet/flashplayer/articles/privacy_mod...](http://www.adobe.com/devnet/flashplayer/articles/privacy_mode_fp10_1.html):

"Starting with Flash Player 10.1, Flash Player actively supports the browser's
private browsing mode, managing data in local storage so that it is consistent
with private browsing. So when a private browsing session ends, Flash Player
will automatically clear any corresponding data in local storage."

------
phil
Seems like this will be pretty effective even if widely known, since clearing
one of these 'cookies' will require deleting a lot of info, including some you
were probably using.

You'll be simultaneously clearing history and cache, logging yourself out of
every site you're logged into, clearing all offline state in every web app you
use, etc. Most people won't want to do that often.

------
joshu
samy is a rockstar. also did the myspace worm thing.

------
pavel_lishin
What does it do if instead of deleting cookies, you modify the contents? What
takes precedence?

~~~
eli
If it gets conflicting values, it goes with the one that is stored in the most
places.
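
How the conflict resolution eli describes plays out, as an added JavaScript example that is not evercookie's own code: the storage names, the identifier and the "user edited one storage" scenario are all constructed for illustration.

```javascript
// Added example, not evercookie's own code: how a cookie spread across many
// storages can reconcile conflicting copies by majority vote, and why editing
// or clearing only one storage is not enough. Storage names are illustrative.
function reconcile(stores) {
  // stores maps a storage name to the value found there (null if empty).
  const tally = new Map(); // value -> list of storages holding it
  for (const [name, value] of Object.entries(stores)) {
    if (value === null || value === undefined || value === '') continue;
    if (!tally.has(value)) tally.set(value, []);
    tally.get(value).push(name);
  }
  if (tally.size === 0) {
    return { value: null, support: [], dissenters: [] }; // fully wiped
  }
  // The value held by the most storages wins; on a tie the first seen wins.
  let best = null;
  for (const [value, names] of tally) {
    if (best === null || names.length > best.names.length) {
      best = { value, names };
    }
  }
  // Storages that disagree with the winner: this is where a user-made edit
  // ends up, and a tracker simply overwrites them with the winning value.
  const dissenters = Object.keys(stores).filter(
    (n) => stores[n] && stores[n] !== best.value
  );
  return { value: best.value, support: best.names, dissenters };
}

// Constructed sample: the user cleared the cookie and edited localStorage,
// but five other storages still agree on the original identifier.
const partiallyCleaned = {
  cookie: null,
  localStorage: 'edited-by-user',
  sessionStorage: 'abc123',
  flashLSO: 'abc123',
  pngCache: 'abc123',
  etag: 'abc123',
  history: 'abc123',
};

function demo() {
  const r = reconcile(partiallyCleaned);
  console.log(`winner=${r.value} support=${r.support.length} dissenters=${r.dissenters}`);
  return r;
}
demo();
```

The practical consequence is the one phil raises further down: only wiping every storage at once (or blocking them up front) removes the identifier, since any single surviving copy is enough to restore the rest.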

------
JeremyHerrman
I feel sick after reading this.

Would a browser extension be able to clear everything?

~~~
skymt
The privacy tools built into all current browsers can clear all but one of
evercookie's storage methods. Specifically, cookies, cache, history & HTML5
storage should all be included in your browser's "clear private data" feature.
Flash cookies are a bit more of a problem: they're in a plugin, so the browser
doesn't know about them. A tool like CCleaner would work, or you could clear
them manually with Adobe's Flash control panel:
[http://www.macromedia.com/support/documentation/en/flashplay...](http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html)

~~~
code_duck
rm -rf ~/.macromedia works pretty well.

~~~
obiterdictum
...followed by ln -s /dev/null ~/.macromedia

~~~
LordLandon
That breaks some things.

i.e. the escapist thinks you're a scraping bot and bans you from viewing their
videos for a week.

------
kuahyeow
This just reinforces the need for NoScript. Neat thing I discovered about
Chrome is that it treats HTML5 storage like normal cookies as well, i.e. you
can easily delete them or block.

------
ck2
In Firefox set

    about:config -> dom.storage.enabled -> false

Use flashblock and also block cookies by default.

The above causes evercookie to fail for me.

No need to block javascript.

~~~
mike-cardwell
Personally, I prefer to allow websites to use those things, but to then clear
them between browser sessions. Just use the Firefox BetterPrivacy addon.

~~~
ck2
I don't know how you work but I keep the browser open 12 hours a day which is
a very long session. During that time they can track you across their network
of sites if you allow those types of storage by default in the first place.

~~~
mike-cardwell
This is true. I do however use AdBlock, Ghostery, Flashblock and NoScript as
well, which should stop the vast majority of that sort of tracking.

------
wildjim
Where's the evercookie-kill script?

~~~
tjarratt
NoScript. No seriously.

------
jorangreef
That's what Charlie Mungur would call a Lollapalooza Effect:
[http://en.wikipedia.org/wiki/Charlie_Munger#Lollapalooza_Eff...](http://en.wikipedia.org/wiki/Charlie_Munger#Lollapalooza_Effect)

~~~
lanstein
Munger. Come on, it's right in the link.

------
redemade
check out <http://www.convertro.com/visitor-tracking.html> . looks like the
analytics guys are already using similar sketchy methods.

~~~
dageroth
Well, it does not say anything about the methods they are using... cross
machine tracking definitely seems somewhat strange and unexplainable to me...

------
barfoomoo
How will the PNG caching work if you have asked your browser to delete all
local files?

------
spyder
It doesn't remember me in Chrome after deleting cache and cookies as I usually
do.

------
cpg
This is like the equivalent of stem cell work for online privacy, isn't it? ;)

------
ilmare
This is brilliant, now we need someone to write javascript polymorphic engine.

------
johnzabroski
so who wants to team up and create a _N_evercookie plug-in for browsers.

------
uuoc
And this is an excellent example of why I have NoScript installed.

~~~
eli
I'm pretty sure some of those cache abusing techniques could be made to work
without javascript.

------
ilitirit
Someone's probably working on an anti-measure right now.

------
83457
Sure hope everyone got that css history hack fix.

~~~
alanh
Not sure what you mean by ‘got the fix’ — wouldn’t the fix be completely
disabling browser history?

~~~
83457
There was a hack to see what pages someone visited. I see that they actually
link to a page about that. The problem with that approach would seem to be
that it is a cross-domain vulnerability so other domains could detect the
history thus ever-cookie data.

Not sure if they have some other mechanism for preventing this problem. I
actually thought this problem had been resolved in some manner in many
browsers but that doesn't appear to be the case.

------
stevefink
samy is simply one of the brightest minds in our field, period.

------
BenSchaechter
Heh, after a quick look at some of the source code for storing the "cookie" in
the browser history:

    // sorry google.
    var url = 'http://www.google.com/evercookie/cache/' + this.getHost() + '/' + name;

------
9ec4c12949a4f3
* yawn *

Chrome Incognito mode.

New cookie every F5.

:)

------
hackermom
Why would anyone want to create this monster?!? (I have to admit it's very
well done, though...)

