Thursday, September 23, 2010

How to Remove the Evercookie?

One of my colleagues just sent this out – it’s truly amazing [1].

Check out the Web History link that uses a CSS trick to reveal your history (all on the latest FF).

From the author himself [2]:

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Specifically, when creating a new cookie, it uses the following storage mechanisms when available:

- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in and reading out Web History
- Storing cookies in HTTP ETags
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage

Art is definitely in the eyes of the beholder!

This is a case of layering several techniques (some known, others new) to create an approach that requires some serious thought to defeat. Much like the MS vulnerability disclosed this week, I think this is more about bringing information to light to promote discussion and progress. As one comment put it, “the bad guys don’t make open source announcements, they keep the code to themselves.”
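The layering is also what makes removal hard: the same identifier sits in several stores, and any copy left behind is used to recreate the rest. The following is an added example, not code from this post or from the evercookie project, that audits a snapshot of the browser-side stores for values replicated across more than one of them and purges every copy in one pass; the snapshot layout (plain key/value objects per store, built from document.cookie, localStorage and sessionStorage in a real browser) is an assumption.

```javascript
// Added example (not from the post or the evercookie project): audit a snapshot of
// client-side storages for the evercookie signature, one identifier replicated across
// several stores, and purge every copy together. Each store is a plain key -> value
// object, built in a browser from document.cookie, localStorage, sessionStorage (assumed).

function parseCookieHeader(cookieString) {
  // "a=1; b=2" -> { a: "1", b: "2" }; skips empty or malformed parts
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

function findReplicatedValues(stores, minStores = 2, minLength = 8) {
  const seen = new Map(); // value -> [{store, key}] locations where it appears
  for (const [store, entries] of Object.entries(stores)) {
    for (const [key, value] of Object.entries(entries)) {
      if (typeof value !== "string" || value.length < minLength) continue;
      if (!seen.has(value)) seen.set(value, []);
      seen.get(value).push({ store, key });
    }
  }
  // A value is suspect only when it lives in at least minStores distinct stores.
  const suspects = [];
  for (const [value, locations] of seen) {
    if (new Set(locations.map((l) => l.store)).size >= minStores) suspects.push({ value, locations });
  }
  return suspects;
}

function purgeReplicatedValues(stores, suspects) {
  // Copy the snapshot and drop every location of each suspect: any single copy
  // left behind is enough for the script to recreate the others.
  const cleaned = {};
  for (const [store, entries] of Object.entries(stores)) cleaned[store] = { ...entries };
  for (const { locations } of suspects) {
    for (const { store, key } of locations) delete cleaned[store][key];
  }
  return cleaned;
}
// Constructed sample snapshot (not real data): one id copied into three stores.
const SAMPLE_STORES = {
  cookie: parseCookieHeader("evercookie_cache=5e1f2a9c7b; session=abc"),
  localStorage: { evercookie_cache: "5e1f2a9c7b", theme: "dark" },
  sessionStorage: { evercookie_cache: "5e1f2a9c7b" },
};
```

The snapshot only covers stores a page script can read; Flash LSOs, the cached PNG and ETag channels have to be cleared through the browser's cache and plugin settings, which is why a partial clean-up is undone on the next visit.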

[1] - Researcher Claims 'Evercookie' Can't Be Removed
http://threatpost.com/en_us/blogs/frankencookie-developer-builds-bulletproof-web-tracking-tool-092210

[2] - Evercookie -- never forget.
http://samy.pl/evercookie/

[3] - Evercookie: A cookie that undeletes itself from 8 different storages
http://news.ycombinator.com/item?id=1714446
