Flash Cookies and Countermeasures


This article was published by ComputorEdge, issue #2818, 2010-04-30, as a feature article, in both their PDF edition (on pages 16-23) and their website.

Most computer users are familiar with the concept of a browser cookie, which sadly has nothing to do with raisins or chocolate chips, but instead is a piece of data that a website can have your browser store on your computer. For instance, when you log in to one of your favorite websites and click the checkbox to have the site remember your username in the future (so you don't have to type it in every time you visit), that functionality is provided using a cookie. Specifically, the site's code will request that your Web browser store your username on your hard drive, labeled with the site's address, so it can look it up each time you visit the site in the future.

Each cookie is a set of one or more name-value pairs. An example of this is Google storing various information in a cookie (under the site name "google.com"); within that is a name "GAUSER" associated with a value that contains your Gmail username.

Where cookies are saved on your computer depends upon which browser you are using. For Internet Explorer, each cookie is saved in a separate text file, in a folder such as C:\Documents and Settings\Lisa\Cookies, where "Lisa" is the Windows account name for the current user. Lisa's Gmail information might be stored in a file named lisa@google[1].txt. For Mozilla Firefox, all of the regular cookies are saved in a single text file, appropriately named cookies.txt, and located in the folder C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\nm7rst5w.default, where the string "nm7rst5w" could be any random value (for security reasons). Other browsers naturally have their own storage and naming schemes.

Because cookies are oftentimes utilized for saving usernames and other security-related data, they have been a constant source of concern to website owners and security experts, ever since they were first proposed and implemented at the dawn of the Web era. Privacy (or the lack thereof) has also been a major concern with cookies. They can be written to your hard drive without your knowledge. Browsers can usually store hundreds of them, and each one can contain four kilobytes of your personal information. To a certain extent, cookies can be used to track your movements on the Web, without your consent. More importantly, they can also be the target of various security attacks, such as cookie hijacking. Fortunately, all decent browsers allow you to delete cookies individually or en masse, as well as limit which websites can store cookies on your computer, if any.

There is, however, a similar type of data that some argue may be an even greater security threat: so-called Adobe Flash cookies. These are chunks of data that are not stored by the browser within its conventional cookies system, but rather are stored and controlled by Flash Player. They are seen by many as especially problematic because they cannot be controlled or deleted by your browser, are subject to all of the security vulnerabilities that apply to browser cookies, can store far more information than browser cookies, can be more difficult to find on one's hard drive, and are generally less understood by the typical Internet user.

A note on terminology: Even though the phrase "Flash cookies" is widely understood and used, these Flash objects are not technically browser cookies, since they are not stored by the browser. But for most computer users, the term "Flash cookies" is far more meaningful than the unwieldy "Flash Local Shared Objects" (which could be a source of off-color jokes) or "Flash LSOs" (which sounds like something describing flying saucers).

So if you decide that these are just as much a potential privacy headache as regular cookies, how do you clean them from your computer system? We will look at three different methods, focusing on procedures for PCs running Microsoft Windows.

From the Source

Because Flash Player is the browser plug-in that creates these objects in the first place, one would hope that the company that invented Flash, Macromedia (now owned by Adobe), has provided guidance and/or a free utility for managing these objects. There is a Web page on the Adobe site that provides every visitor with their Flash Player Settings Manager. The Manager contains six panels: four for global settings (privacy, storage, security, and notifications) and two for website privacy and storage. That last one, the Website Storage Settings Panel, lists the Web addresses of all of the sites that have stored Flash cookies on your computer.

Figure 1. Website Storage Settings Panel

For each website, you can see how much space has been used and the maximum allowed. You can change the latter value using the slider, from "None" at the far left, to "Unlimited" at the far right. There are also two buttons, for deleting the currently selected site, or deleting all of them — which is what you would want to choose to clean out all of the Flash cookies currently on your system, to prevent those sites from accessing that data again.

To get an idea as to just how insidious these Flash cookies can be, consider the first four websites shown in the figure above. I have never visited any of those four, and yet all of them are listed as being visited, and have tried to store a Flash cookie on my PC. The one in the first slot, www.yikers.com, apparently succeeded in storing one kilobyte of data on my hard drive, completely unbidden. How they managed to do that is anyone's guess. Every reader is encouraged to visit that Adobe page, at the risk of being equally shocked by the number and nature of sites storing — or at least trying to store — Flash cookies on one's computer.

Unfortunately, the Website Storage Settings Panel suffers from a horrendous interface — particularly the tiny list box, which displays only four websites at a time and cannot be resized. In fact, when there are hundreds of sites listed, the scrollbar elevator icon is so small as to be unusable (assuming it even exists). One is unable to limit the sites listed using selective editing, which is a nice feature found in a growing number of dialog boxes and AJAX-powered Web pages. The Flash Player Settings Manager is perhaps best utilized as a textbook example of how not to design an interface.
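The per-site listing that the Website Storage Settings Panel shows can also be produced directly from the files on disk. The following script is an added example, not part of the original article or of Adobe's tooling: it walks a Flash Player #SharedObjects directory (on Windows, %APPDATA%\Macromedia\Flash Player\#SharedObjects, which holds one randomly named folder containing one subfolder per site) and reports every site that has stored .sol files, with file count and total bytes. The site names and sizes in the sample tree it builds are constructed for demonstration.

```python
import os
import tempfile
from collections import defaultdict

# Default LSO location on Windows; assumes a standard Flash Player install.
DEFAULT_ROOT = os.path.join(os.environ.get("APPDATA", ""),
                            "Macromedia", "Flash Player", "#SharedObjects")


def inventory(root):
    """Return {site: (sol_file_count, total_bytes)} for every .sol under root.
    Expected layout: root/<random id>/<site>/<optional path>/<name>.sol."""
    if not os.path.isdir(root):  # Flash never ran, or the folder was cleaned
        return {}
    sites = defaultdict(lambda: [0, 0])
    for rand_id in os.listdir(root):
        id_dir = os.path.join(root, rand_id)
        if not os.path.isdir(id_dir):
            continue
        for site in os.listdir(id_dir):
            for dirpath, _, files in os.walk(os.path.join(id_dir, site)):
                for name in files:
                    if name.lower().endswith(".sol"):
                        sites[site][0] += 1
                        sites[site][1] += os.path.getsize(os.path.join(dirpath, name))
    return {site: tuple(v) for site, v in sites.items()}


def build_sample_tree():
    """Constructed sample tree (hypothetical sites, zero-filled files) for a dry run."""
    root = tempfile.mkdtemp(prefix="sharedobjects_")
    layout = {
        ("ABC123XY", "www.example-video.test", "player", "settings.sol"): 1024,
        ("ABC123XY", "www.example-video.test", "player", "history.sol"): 512,
        ("ABC123XY", "tracker.example.test", "uid.sol"): 64,
        ("ABC123XY", "tracker.example.test", "notes.txt"): 10,  # not an LSO, ignored
    }
    for parts, size in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\x00" * size)
    return root


def report(root=DEFAULT_ROOT):
    """Print sites largest-first, like the panel but without the four-row list box."""
    inv = inventory(root)
    for site, (count, size) in sorted(inv.items(), key=lambda kv: -kv[1][1]):
        print(f"{site:40} {count:3} file(s) {size:8} bytes")
    return inv


if __name__ == "__main__":
    report()
```

Run it with no arguments to list the real LSOs on the current account, or call report(build_sample_tree()) to see the output on the constructed tree.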

"Nuke the Entire Site[s] from Orbit"

Even though Flash cookies may be far less nasty than the creatures in the movie Aliens, by the time you have discovered how many Flash cookies are on your system uninvited, and how unusable Adobe's panel is, you will probably be anxious for more drastic solutions. There are innumerable computer security and cleanup applications available that can delete Flash cookies, but perhaps the all-time favorite is CCleaner, a utility developed by Piriform. The vendor's website describes it well: "CCleaner is a freeware system optimization, privacy and cleaning tool. It removes unused files from your system — allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner. But the best part is that it's fast..."

Figure 2. CCleaner main page

The site's main page has links for viewing a quick tour, and for downloading the utility. The installation process is simple and straightforward, and the default options should work fine for most users, although in the "Install Options" dialog box, you probably will want to disable the option — the last one on the list — to have the CCleaner Yahoo Toolbar added to your Internet Explorer, since there is no advantage to running it from your browser, and it would consume space in IE's interface. Note that the CCleaner installer vaguely refers to it as "your browser", which could be confusing to people who have (wisely) abandoned Microsoft's browser for a safer and more capable one (which includes just about all of them).

Figure 3. CCleaner interface Windows panel

The Windows panel, which is the default, allows you to specify what types of data you want cleaned from your system, organized into four categories: Internet Explorer, Windows Explorer, operating system, and advanced options. Once you have confirmed your choices, click the Analyze button to see how much data will be removed from your computer. If you need to close any applications that are currently tying up candidate files, CCleaner will prompt you, and you won't be forced to restart the analysis.

Figure 4. CCleaner Windows analysis complete

If the analysis report does not list any data that you would not want removed, then click the Run Cleaner button. You will be asked to confirm the process, and then it will do the cleaning, usually in a matter of seconds.

Figure 5. CCleaner interface Applications panel

In the Applications panel, to remove any Flash cookies, make sure that in the Multimedia section, the first option is checked. Then do the analysis and cleaning procedure just as you did for the Windows panel.

CCleaner appears to be an excellent choice for cleaning the cruft out of any Windows installation. Perhaps the only obvious way that it could be improved would be for each of the 52 checkbox labels to have a tooltip (displayed on mouse hover) that summarizes what types of files the particular checkbox option will remove. Users typically much prefer this sort of immediate feedback over digging through an application's help information in hopes of finding an explanation. This is especially important for a cleanup application such as this, which involves deleting user-generated data in files whose names are not shown in the CCleaner interface.

In the final analysis, your best bet may be to skip the frustrating Adobe Flash Player Settings Manager, and go with CCleaner. "It's the only way to be sure."

Copyright © 2010 Michael J. Ross. All rights reserved.