Evercookie - the cookie you can't kill
Thursday, 23 September 2010
A cookie you can't refuse, and once it is stored you can't remove it, because every time you think you have deleted it, another part of it just regenerates. It's real and it's called evercookie.
Samy Kamkar, a security researcher, has come up with a really good idea and implemented it as a JavaScript/PHP framework. Evercookie implements a client-side persistent storage facility using a range of technologies to make it difficult to remove. It can also repair any of the replicated cookie data that is deleted, and it will copy cookies from one browser to another if the web page detects just one example of the cookie.

Currently evercookie uses standard HTTP cookies, Flash cookies, HTML5 session storage, local storage, global storage and database storage. But as well as using the available standard local storage methods, evercookie also uses two clever methods of its own.

The first uses a PNG file with the cookie data encoded as RGB values. When the user views the page that wants to store the cookie, the PHP code generates a key and encodes it in a PNG file, which it then includes in the page. The PNG file is stored in the client's cache with a request to keep it for 20 years. The next time the client requests the page, the PHP file forces the browser to load the image from the cache by sending a Not Modified response, and the JavaScript then extracts the cookie data.
The second method uses the web page history maintained by the browser. Evercookie takes the key and encodes it using valid characters. It then accesses a sequence of URLs that end with the first one, two, three and so on characters of the code, and these are stored in the web history. The next time the page is loaded, evercookie cycles through the possible URLs for the first character, then the second, until it has retrieved the entire cookie code. Simple and elegant.

So is evercookie really impossible to remove? No, of course not, especially since its creator has been nice enough to tell us what each of the mechanisms is. In fact, it wouldn't take long to put together an evercookie cleaner utility.

Such is the nature of the privacy/security war. One programmer needs to track users, so invents a way to do it; then another programmer responds on behalf of the user to block the method. It just escalates. What is more interesting, and perhaps worrying, is that any of these methods, or similar ones, could already be in use without anyone announcing them.
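The history-based method described above can be followed step by step in a small simulation. This is an added example, not evercookie's own code: a `Set` stands in for the browser history, and the URL prefix, the alphabet and the end-of-value marker are assumptions made for the illustration.

```javascript
// Simulation only: a Set stands in for the browser's history store, so nothing
// here touches a real browser. BASE, ALPHABET and END are constructed values.
const BASE = "https://tracker.example/h/";            // hypothetical URL prefix
const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789".split("");
const END = "-";                                       // assumed end-of-value marker

// Write side: "visit" one URL per prefix of the code, then one that ends
// with the marker so the reader knows where the value stops.
function storeInHistory(history, code) {
  for (let i = 1; i <= code.length; i++) history.add(BASE + code.slice(0, i));
  history.add(BASE + code + END);
}

// Read side: extend the known prefix one character at a time by asking
// "was BASE + prefix + candidate visited?" for each candidate character.
function recoverFromHistory(history, maxLen = 64) {
  let prefix = "";
  let probes = 0;                                      // history lookups performed
  while (prefix.length < maxLen) {
    probes++;
    if (history.has(BASE + prefix + END)) return { value: prefix, probes };
    const next = ALPHABET.find((c) => {
      probes++;
      return history.has(BASE + prefix + c);
    });
    if (next === undefined) break;                     // chain broken or never stored
    prefix += next;
  }
  return { value: null, probes };
}

// Constructed sample run: unrelated history entries plus one stored code.
const history = new Set(["https://news.example/", "https://mail.example/inbox"]);
storeInHistory(history, "k3y9");
const before = recoverFromHistory(history);

// Removing a single entry in the chain is enough to break recovery, which is
// why clearing history entries for the tracking URLs defeats this mechanism.
history.delete(BASE + "k3");
const after = recoverFromHistory(history);

console.log(before, after);
```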
Last Updated ( Thursday, 23 September 2010 )