Jump to content
CCleaner Community Forums
weaselbites

Evercookie...

Recommended Posts

So I was browsing and came across this interesting concept - a cookie that stores itself in 8 different locations, and as long as one particular location remains active it can recopy itself elsewhere. At this point I would expect a third party like CCleaner to step in and deal with such a problem. I was just wondering whether CCleaner covers all those bases? I realise HTML 5 has not been implemented fully in all the browsers, and if I understand correctly the standards are not finalised either. Having said that, any thoughts would be welcome :)

 

http://samy.pl/evercookie/

 

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

 

Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

 

Specifically, when creating a new cookie, it uses the following storage mechanisms when available:

- Standard HTTP Cookies

- Local Shared Objects (Flash Cookies)

- Storing cookies in RGB values of auto-generated, force-cached

PNGs using HTML5 Canvas tag to read pixels (cookies) back out

- Storing cookies in Web History (seriously. see FAQ)

- HTML5 Session Storage

- HTML5 Local Storage

- HTML5 Global Storage

- HTML5 Database Storage via SQLite

 

TODO: adding support for Silverlight Isolated Storage, and using Java to produce a unique key based off of NIC info

Share this post


Link to post
Share on other sites

Uhhhh wow um uh :o:blink::unsure:

 

I really hope the devs will look into this

:blink::blink:

 

EDIT: I sent a message to a Javascript Guru I know. Hopefully he'll be able to better explain this to me.

Share this post


Link to post
Share on other sites

Hope you can share some info here, too. :-)

 

Edit: That link gave me a "stack overflow at line 796" warning. every time I clicked it. Have no idea what that means, but it is ... well... odd. Over my head.

 

Is that link legitimate? Read about Mr. Kamkar: BBC News

 

edit: Answer to my own question. No. Don't visit it. Does something to IE.

edit: I found a couple of those cookies on this machine. Posted a screenshot over on page 2.

Share this post


Link to post
Share on other sites

Login123 - I am not sure what browser your using, but I have tried it in IE 8, Opera and Firefox and they all come out fine. I run spywareblaster and KIS2011 and nothing came up with any issues on the website. I actually got the link from a downloadsquad page...although I would add it appears the people who have now commented had the same idea as me. Come running to the CCleaner experts to help clean up such a mess!

 

http://www.downloadsquad.com/2010/09/21/evercookie-the-one-cookie-that-you-just-cant-delete/

Share this post


Link to post
Share on other sites

It would be a tremendous boon for average decent Internet users if some one or something (perhaps Piriform) produced a "Boycot List" of websites that issue Evercookies and any other form of Zombie cookie.

 

Alan

Share this post


Link to post
Share on other sites

It would be a tremendous boon for average decent Internet users if some one or something (perhaps Piriform) produced a "Boycot List" of websites that issue Evercookies and any other form of Zombie cookie.

 

You could block such snoopy sites with the Windows HOSTS file, or for a more permanent fix in the modems configuration settings - mine lets me block websites.

Share this post


Link to post
Share on other sites

You could block such snoopy sites with the Windows HOSTS file, or for a more permanent fix in the modems configuration settings - mine lets me block websites.

I agree that is a solution if I know what sites to block.

I was thinking in terms of a list to which "bad" sites can be added by "victims" so that we know what to block before we suffer.

 

Alan

Share this post


Link to post
Share on other sites

Hi, weaselbites.

 

That is a great find. Scary.

 

Am using IE7, and have Powershadow running, so no changes will happen, else would not have visited Mr Kamkar's site. Not at all sure if Powershadow is related to the stack overflow warning. Don't even know what the stack is, but it sounds ominous. :P Anyhow, here is a screenshot.

 

Edit: Got that same warning when I went through the Downloadsquad link. Probably just not "Stacked" right.

 

Actually not sure if it is even a problem...someone who knows more might be able to say.

 

I just posted that in the spirit of "Better Safe Than Sorry".

 

5a821bc802fb.jpg

Edited by login123

Share this post


Link to post
Share on other sites

@ ishan_rulz: His site may not really know your visiting history. If it is the green text in the lower right corner, it always says that, no matter what you have visited (based on 4 or 5 tries). See screenshot, after I visited several pages, w/ PS and Sandboxie running. Still don't know what it means, but that site doesn't SEEM to know where I have been. ?

 

28fae94e37f9.jpg

Share this post


Link to post
Share on other sites

@Login123 - I can confirm what your saying. I just fired up a virtual machine with IE 7 and as soon as I visit that website I get the same thing.

 

I must admit I know very little about this myself and find the thought very scary (I give it 6 months before some advertising network latches on this and starts doing this exact thing). However, this would be the sort of thing CCleaner could defeat unlike most browser's delete your browsing history. Browser clear your caches would most likely not touch the flash LSO's, the silverlight ones either. So it would need some sort of cookie cleaner to do so.

 

@ishan_rulz - I assume what its done is read your cookies. From your cookies it would be able to determine lots of sites youve been to. As each cookie is related to a domain. If your internet settings are not high enough, then I assume it would be able to read stuff quite easily. What browser are you using out of curiosity? I tried to get it to read my history in a virtual machine for IE 7 (by making it a trusted website) and Firefox without any luck. Does Java load by chance when you visit the website?

Share this post


Link to post
Share on other sites

I use FireFox (v3.6.10) as my browser and ccleaner (v2.35.1219) on Windows 7 - 64bit

 

ccleaner was able to clean up enough (or maybe all) of the "evercookie" so that I was assigned a new, different evercookie the next time I visited that site.

 

 

One thing to keep in mind about the evercookie --- flash cookies and regular cookies are limited in that they can be accessed only by the site that created them. evercookie has no such limits. The javascript, regardless of the site from which it is run, will be able to read any evercookie on your disk, regardless of the site that created it. This, in particular, is a gross security breach of past practices in tracking cookies.

Share this post


Link to post
Share on other sites

Hi, Camper. Welcome :D

 

Scary business. Have any idea why his site doesn't seem to show the actual history for this machine? Is maybe Sandboxie, or Powershadow, a virtualizer like Returnil?

Share this post


Link to post
Share on other sites

I honestly wouldn't worry too much about that.

 

Any website has the technology to find where you are coming from when visiting their site, and it's done all the time. They simply use "Referrer Information", which they can access without "interrogating your system". Most sites just don't make a meal of it and publicise it like that.

 

Referrer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or security purposes.

 

http://en.wikipedia.org/wiki/HTTP_referrer

 

I've been on that site for about 20 minutes, and this is as far as the "interrogating" could get because I disabled "Send Referrer Information" in my browser. I think the message displayed there is bulls**t. JMHO of course.

 

jPzYj.jpg

 

Using Opera. "Tools\Quick Preferences\Disable 'Send Referrer Information' button".

 

You could disable that feature in your browser permanently, but you would find some sites which will refuse to work properly without it. But not many.

Share this post


Link to post
Share on other sites

Using Opera. "Tools\Quick Preferences\Disable 'Send Referrer Information' button".

 

You could disable that feature in your browser permanently, but you would find some sites which will refuse to work properly without it. But not many.

I had Send Referrer off for months in Firefox, but just had to come to the realisation that it messes with some sites not working, ended up having to turn Send Referrer on and wow allot of aggravation has ceased.

Share this post


Link to post
Share on other sites

@Login123 - I can confirm what your saying. I just fired up a virtual machine with IE 7 and as soon as I visit that website I get the same thing.

 

I must admit I know very little about this myself and find the thought very scary (I give it 6 months before some advertising network latches on this and starts doing this exact thing). However, this would be the sort of thing CCleaner could defeat unlike most browser's delete your browsing history. Browser clear your caches would most likely not touch the flash LSO's, the silverlight ones either. So it would need some sort of cookie cleaner to do so.

 

@ishan_rulz - I assume what its done is read your cookies. From your cookies it would be able to determine lots of sites youve been to. As each cookie is related to a domain. If your internet settings are not high enough, then I assume it would be able to read stuff quite easily. What browser are you using out of curiosity? I tried to get it to read my history in a virtual machine for IE 7 (by making it a trusted website) and Firefox without any luck. Does Java load by chance when you visit the website?

 

It does know exactly which pages I visited, but after I ran CCleaner it couldn't find anything.

 

Firefox w/ Adblock AND ESET Smart Security 4.

Share this post


Link to post
Share on other sites

I had Send Referrer off for months in Firefox, but just had to come to the realisation that it messes with some sites not working, ended up having to turn Send Referrer on and wow allot of aggravation has ceased.

Where is the Send Referrer option located?

Share this post


Link to post
Share on other sites

In Firefox, you can disable the sending of the Referer header completely. Here are the steps:

 

1. Type ?about:config? in the location bar, and press return.

2. In the filter box, type ?referer? and press return. This should leave you with one preference, network.http.sendRefererHeader. This is probably set to 2.

3. Right click on network.http.sendRefererHeader and select ?Modify?

4. In the dialog that appears type ?0″ and press OK:

5. Close the window.

 

 

This blocks all referrers. However, it can cause some websites to break. Alternatively you can get an extension which will do it on a site by site basis.

Share this post


Link to post
Share on other sites

I've just tried out a button add-on for Firefox which enables you to change your referrer settings with one click.

 

Sitting on that site gave me the same result as I got with Opera earlier.

 

SyN43s.jpg

 

The only problem, as confirmed by Andavari, is that you might be toggling it on and off more often than you'd like.

 

It would be interesting to see how long you can browse with "referrer" set to off, so for those interested, the add-on is here:

 

https://addons.mozilla.org/en-US/firefox/addon/138988/

Share this post


Link to post
Share on other sites

Should Probably be mentioned somewhere that probably few, if any, sites have implimented this (Samy is a proof of concept guy, malware writer).

 

also most likley noscript (firefox addon) will soon block these as they do clickfraud (which may be another of Samy's inventions I can't remember)

Share this post


Link to post
Share on other sites

The situation is evolving.

 

I clicked on samy's site again today, Sandboxie and PS running, now no stack warning is given. The site immediately opened about 65 endpoints shown in TCPView, using port 12080, and wouldn't let me shut down IE7. The connection tab kept flickering. Don't even know what all that means, but I don't like it.

 

I think Mr. Kamkar and his site are to be avoided. His felony probation is apparently up, so he can now propagate, but he has gotten his last click from me. I hope. :unsure:

Share this post


Link to post
Share on other sites

CCleaner found at least one of his in dom storage score ccleaner. My Javascript guy only briefly (in a retweet) mentioned samy's evercookie. I may make a google alert once the initial news stories die down later this week

Share this post


Link to post
Share on other sites

It would just be his type of thing I bet to drop an evercookie when you visit his site :(

 

Yep, guess so, here is what a couple of them look like in the Sandbox. Wonder know how many more there are?

 

45d1310bbca2.jpg

 

Edit: guess that wasn't the last click.

Share this post


Link to post
Share on other sites

I have used the mvps HOSTS file for quite a while, so I decided to ask them about these cookies. Here is their reply:

 

"EverCookies" are a type of Cookie not an entry ... yes

the majority of 3rd party Cookies are blocked in the HOSTS

file ... however you still need to reset your Cookie settings.

 

You can address this problem by following these instructions:

 

Blocking Unwanted Cookies with Internet Explorer

http://www.mvps.org/winhelp2002/cookies.htm

 

Mike Burgess

Microsoft MVP - Consumer Security

"There's no place like 127.0.0.1"

 

Its interesting that his Blocking Unwanted Cookies link includes a plug for CCleaner. ;)

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...