I'm reading a ton of posts saying how terrible this is, why anyone would do it, and so on. If you don't know, Samy also created the MySpace worm. OWASP built a project called Anti-Samy to combat the work he did on the MySpace worm. He was sentenced to three years probation, 90 days community service and an undisclosed amount of restitution. I'm pretty sure he knows how terrible it is, and that's the point. He spoke at Black Hat 2010 USA as well...
"How I Met Your Girlfriend: The discovery and execution of entirely new classes of attacks executed from the Web in order to meet your girlfriend. This includes newly discovered attacks including HTML5 client-side XSS (without XSS hitting the server!), PHP session hijacking and weak random numbers (accurately guessing PHP session cookies), browser protocol confusion (turning a browser into an SMTP server), firewall and NAT penetration via Javascript (turning your router against you), remote iPhone Google Maps hijacking (iPhone penetration combined with HTTP man-in-the-middle), extracting extremely accurate geolocation information from a Web browser (not using IP geolocation), and more."
What's truly disturbing is that this absolutely meets a need for a paid gig I'm working on now, where the client wants persistent identity tracking for the purposes of marketing and analytics. (I'm part of the problem, aren't I?)
You're not the only one; the SEO people in my company got onto this surprisingly quickly. I sometimes feel black (hat) has become the new white: for whatever reasons companies seem to be more willing to accept the less ethical sides of doing business on the web. Anyone else notice this or is it just me?
It totally meets a need I have, too, for storing user data on a site that doesn't have accounts. Really, just a couple of numeric IDs that people actually WANT to store.
Nothing evil about it in the slightest. We store it in cookies, people lose them right and left and then are all confused about it. I could use Flash myself, but really, this sounds like a great system.
Now, playing devil's advocate and judging by the number of upvotes this comment got -- couldn't the idea behind evercookie be used for good and not evil in some instances?
I'm curious more than anything else. For example, using this persistent cookie as an alternative to having users login?
Yet another moment in human history where someone brilliant decided to do something because they could without asking if they should.
Perhaps one day Samy will look back and reflect that he isn't an evil man, though he has done evil things.
(The thing is I'm not even sure how serious I am. On the one hand, damn, clever. But on the other hand, I can see some truly miserable privacy issues at play here.)
All of the methods he uses have been known to the web-app security community for a while. He's simply raising awareness of what's already broken.
Keeping these things quiet helps nobody. We need more privacy and security issues to be publicly demonstrated so that they'll get fixed instead of ignored.
As an example, his work exploiting wireless routers to get location is genius. Who would have thought that having your router's wireless MAC available to your internal network allows a website to determine your location to within a few hundred feet? It uses well known and oft ignored attack methods to produce a sensational result with which everyone can immediately identify.
It's not evil. It just shows that the "Clear cookies" button is no longer an effective privacy tool.
Browser vendors are aware of this already and working to make evercookie no worse than a regular cookie, e.g. Mozilla blocked reading of visited link history, Chrome's privacy window has a link to Flash LSO controls. All vendors are working towards making it better integrated and more effective against all "evercookies".
I know that in Chrome's incognito mode, nothing gets written to the disk at all (including Flash's Shared Objects). So if I open an incognito window, browse, then close Chrome, then open another incognito window and return to the page, does this defeat all this?
Why doesn't anyone try this? I did, and it seems that incognito mode does defeat this. However, since this always sets the same cookie, I couldn't tell if it read it or set it. From the looks of things, it only read the cookie, which means that closing incognito mode deletes it.
I think the take-away here is that if you're going to use a trick like this, it might be in your best interest to be transparent with your users and offer a way for them to remove all of this information. Of course, if you're using this particular hack then you probably don't want your users to remove the cookie to begin with.
I also have Firefox clearing all cookies and all history on exit so that probably helped during my testing. BetterPrivacy dealt with the LSO stuff though.
I don't know why people allow cookies to persist between browser sessions. I've been clearing them on exit for years now and it really doesn't make it more difficult to use the Web.
Good Q. In Chrome, you can add a block action under the 'Exceptions' list. You can add blocks for Cookies(includes HTML5 storage), Javascript, and Images (shudder).
Before you do that though, have a look at what info is stored under samy.pl. Nice to see Chrome list HTML5 storage and cookies etc in one place.
* I'm not sure whether the above is really effective.
* Repeating this for N sites that use this is going to be fun. There's always the whitelisting approach, which is available in Chrome too.
Just tried this in Opera. Having never visited the site before, I opened it in a "New Private Tab". Set Opera to reject all [normal] cookies from that domain. Saw an ID number on the page; recorded it. Opened another private tab. Saw a different ID number. Refreshed page; got yet another (different) ID number. Revisited page within same [private] tab (pressed Enter in address bar): got yet another (different) ID number. Did the same in Chrome (regular tabs): saw same behaviour.
Using two different private tabs in Opera, I get two different IDs to start with, but when using the "click to rediscover" buttons, both allegedly private tabs [eventually] end up with the same ID.
For me that's the major question here. What are the legal implications, since using this sort of cookie involves a set of hacks that divert the normal use of various systems to a purpose they were not intended for in the first place, and since it is intended to defeat some of the privacy protections of browsers? I am not condemning this clever system but I am curious about the privacy and other legal issues here...
Seems like this will be pretty effective even if widely known, since clearing one of these 'cookies' will require deleting a lot of info, including some you were probably using.
You'll be simultaneously clearing history and cache, logging yourself out of every site you're logged into, clearing all offline state in every web app you use, etc. Most people won't want to do that often.
The privacy tools built into all current browsers can clear all but one of evercookie's storage methods. Specifically, cookies, cache, history & HTML5 storage should all be included in your browser's "clear private data" feature. Flash cookies are a bit more of a problem: they're in a plugin, so the browser doesn't know about them. A tool like CCleaner would work, or you could clear them manually with Adobe's Flash control panel: http://www.macromedia.com/support/documentation/en/flashplay...
Flash Cookies: I imagine that if he can create them, then you can remove them, though I'm doubtful that extensions have full access to Flash internals.
HTML5 Storage: I'm not an expert on the different types of HTML5 storage, though since this is at the browser level, I imagine it would be easy for an extension to access them.
Regular Cookies: Obviously extensions have access to these.
Force-Cached PNGs: Not sure what access extensions have, though I imagine that Firefox extensions have a higher likelihood of access than Chrome/Chromium extensions. This is also hard to detect automatically though, unless you want to take the NoScript route and block all force-cached images unless they meet a whitelist.
Web History: Extensions obviously have access to web history, though this is something that would vary from implementation to implementation of evercookie, so it would be fighting an endless battle, like spam email filters. The best fix here would be to close the css history hack hole.
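The question above of whether a browser extension can clear everything has a concrete answer in Chrome: the browsingData extension API removes whole classes of stored data in one call, including plugin data (Flash LSOs), cache (the force-cached PNGs and ETags), history and localStorage. The following is an added example, not code from the thread or from the evercookie project. The vector-to-data-type mapping, the function names and the way the API object is passed in are my own; `chrome.browsingData.remove(options, dataTypes, callback)` and the data type keys used are the real API, which an extension gets by declaring the `browsingData` permission in its manifest.

```javascript
// Added example: mapping evercookie's storage vectors (the ones named in
// this thread plus ETag/Web SQL from evercookie's own feature list) to the
// chrome.browsingData data type that removes each one. The API object is
// passed in as a parameter so the logic can run outside a browser too.
const EVERCOOKIE_VECTORS = {
  'standard HTTP cookies': 'cookies',
  'HTML5 localStorage (sessionStorage dies with the tab)': 'localStorage',
  'HTML5 database storage (Web SQL)': 'webSQL',
  'force-cached PNG read back through canvas': 'cache',
  'HTTP ETag': 'cache',
  'web history (CSS :visited probing)': 'history',
  'Flash Local Shared Objects': 'pluginData',
  'Silverlight isolated storage': 'pluginData',
};

// Which evercookie vectors a single browsingData type takes care of.
// Useful for explaining to a user what "clear cache" actually removes.
function vectorsFor(dataType, vectors = EVERCOOKIE_VECTORS) {
  return Object.keys(vectors).filter((v) => vectors[v] === dataType);
}

// Build the two arguments browsingData.remove() expects.
// since: 0 means "all time": evercookie re-plants itself from any copy
// that survives, so a time-limited wipe is not a wipe at all.
function buildRemovalRequest(vectors = EVERCOOKIE_VECTORS) {
  const dataTypes = {};
  for (const type of Object.values(vectors)) dataTypes[type] = true;
  return { options: { since: 0 }, dataTypes };
}

// Issue the removal through the supplied API object (chrome.browsingData
// inside an extension; a stub in tests) and return the request that was sent.
function clearEvercookieVectors(browsingData, onDone) {
  if (!browsingData || typeof browsingData.remove !== 'function') {
    throw new Error('chrome.browsingData is not available (not running as an extension)');
  }
  const request = buildRemovalRequest();
  browsingData.remove(request.options, request.dataTypes, onDone || (() => {}));
  return request;
}

// Inside an extension this would be:
// clearEvercookieVectors(chrome.browsingData, () => console.log('cleared'));
```

Two things worth noting. The request covers every origin, not just the site planting the evercookie, so it carries exactly the cost the thread describes for a manual wipe: every site logs you out and every web app loses its offline state (newer Chrome releases accept an `origins` filter in the options for some data types, but not for history). And `pluginData` only reaches plugins the browser manages; an out-of-process Flash install keeps its own LSO directory that no extension API sees.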
This just reinforces the need for NoScript. Neat thing I discovered about Chrome is that it treats HTML5 storage like normal cookies as well, i.e. you can easily delete them or block.
Groxx|15 years ago
>Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
and:
>Storing cookies in Web History (seriously. see FAQ)
Brilliant and EVIL. Wow.
points|15 years ago
If all you want to do is track users, it's far easier to use UserAgent/screensize/plugins/etc to uniquely identify users.
https://panopticlick.eff.org/
You can then store anything heavier server side.
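As an added example (not code from the thread or from Panopticlick), here is the arithmetic behind the comment above: Panopticlick scores each passively observable attribute by its surprisal in bits, -log2 of the fraction of visitors sharing the value, and a visitor whose full combination is shared with nobody else can be recognised on return with nothing stored client-side at all. The population below is constructed sample data and the attribute set is mine; it is meant to show how few coarse attributes it takes before combinations become unique.

```javascript
// Added example: Panopticlick-style surprisal for passive browser
// attributes. SAMPLE_POPULATION is constructed data, not real telemetry.
const SAMPLE_POPULATION = [
  { ua: 'Firefox/3.6 (Windows)', screen: '1280x800x24',  plugins: 'Flash,Java' },
  { ua: 'Firefox/3.6 (Windows)', screen: '1280x800x24',  plugins: 'Flash,Java' },
  { ua: 'Firefox/3.6 (Windows)', screen: '1920x1080x24', plugins: 'Flash' },
  { ua: 'Chrome/6 (Mac)',        screen: '1440x900x24',  plugins: 'Flash,QuickTime' },
  { ua: 'Chrome/6 (Mac)',        screen: '1440x900x24',  plugins: 'Flash' },
  { ua: 'Safari/5 (Mac)',        screen: '1440x900x24',  plugins: 'Flash,QuickTime' },
  { ua: 'IE/8 (Windows)',        screen: '1024x768x32',  plugins: 'Flash,Silverlight' },
  { ua: 'IE/8 (Windows)',        screen: '1024x768x32',  plugins: 'Flash,Silverlight' },
];

const ATTRIBUTES = ['ua', 'screen', 'plugins'];

// Surprisal of one attribute value: -log2(fraction of the population
// sharing it). Panopticlick reports this as "bits of identifying information".
function surprisalBits(population, attr, value) {
  const matches = population.filter((p) => p[attr] === value).length;
  if (matches === 0) return Infinity; // never seen: maximally identifying
  return -Math.log2(matches / population.length);
}

// Canonical fingerprint string for a visitor, attributes in a fixed order.
function fingerprint(visitor) {
  return ATTRIBUTES.map((a) => `${a}=${visitor[a]}`).join('|');
}

// Number of visitors in the population with exactly this fingerprint.
// 1 means the visitor is unique and needs no cookie to be recognised.
function collisions(population, visitor) {
  const fp = fingerprint(visitor);
  return population.filter((p) => fingerprint(p) === fp).length;
}

// Per-attribute bits, bits of the full combination, and whether the
// combination is unique within the population.
function report(population, visitor) {
  const perAttribute = {};
  for (const a of ATTRIBUTES) {
    perAttribute[a] = surprisalBits(population, a, visitor[a]);
  }
  const shared = collisions(population, visitor);
  return {
    perAttribute,
    combinedBits: -Math.log2(shared / population.length),
    sharedWith: shared,
    unique: shared === 1,
  };
}
```

With eight sample visitors the third one is already unique on the strength of its screen resolution alone, which is the point of the comment: the identifying power is in the combination, and the site never has to write anything to the client. Panopticlick's real numbers come from a population of hundreds of thousands, where the same arithmetic typically yields well over 18 bits for the full set of attributes it measures.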
BenSchaechter|15 years ago
// sorry google.
var url = 'http://www.google.com/evercookie/cache/' + this.getHost() + '/' + name;
kogir|15 years ago
See: http://samy.pl/mapxss/
sireat|15 years ago
Will have to repeat this experiment with the current version.
kungfooey|15 years ago
http://www.nytimes.com/2010/09/21/technology/21cookie.html?p...
swankpot|15 years ago
could a grease monkey script automatically clean up the supercookies after they have been planted?
JeremyHerrman|15 years ago
Would a browser extension be able to clear everything?
ck2|15 years ago
The above causes evercookie to fail for me.
No need to block javascript.