Welcome to Samy Kamkar's zombie cookie factory

If you find cookies irritating and Flash zombie cookies fearsome, hold onto your hat: They're baaaaaaaaaack

No doubt you know about browser cookies -- pieces of text stored on your PC and retrieved by programs running on a website. You know first-party cookies (planted directly by a website) and third-party cookies (manipulated by programs not directly controlled by a website, typically by advertisers). If you read my Tech Watch article "Block 'Flash cookies' to thwart zombies," you also know about Flash cookies and how they can be used to bring back first- and third-party cookies, even if you delete them.

In the past month, research on zombie cookies -- cookies that come back after they're deleted -- has yielded some surprising results. One enterprising programmer has discovered eight different places to stick zombie cookie information. And he says he has four more places up his sleeve.


First-generation zombies, like the classic ghouls in "Night of the Living Dead," are persistent but ultimately fallible. The original zombie shtick plants a regular, everyday cookie on your PC, but then tucks a backup copy inside Adobe Flash's private storage. When you venture back to the website, it checks to see if the everyday cookie is still located where it's supposed to be. If the cookie's gone, the site checks Flash's private storage and, if the copy's there, restores the original everyday cookie. You thought you deleted the cookie, but it came back.

The obvious Achilles' heel: Flash's private storage, the Local Storage Object. If you delete your cookies and knock out Flash's LSO using, for example, methods I discussed in my earlier Tech Watch article, you drive a wooden stake through the cookie's heart and it won't come back. (Yes, I know that's a mixed zombie/vampire metaphor, but you get my drift.)

A few days ago, somebody claiming to be Samy Kamkar (more about Kamkar in a moment) posted a JavaScript program that provides hooks for, uh, persistent cookie-handling programmers. Those hooks stick a cookie on your PC and a copy in your Flash LSO area. The program will also bring deleted cookies back. That's a handy piece of code for scummy zombie programmers, but it isn't particularly interesting.

Here's the juicy part. Kamkar's discovered ways to hide, and bring back, zombie cookies in eight different places on your PC. His program can reach from a website into your PC and deposit/retrieve persistent information in eight locations -- a veritable zombie cookie factory, to my way of thinking. If you venture to Kamkar's evercookie site, you can click a button that will plant a cookie in eight places. Go out to Windows, delete the cookie using whatever means suit your fancy, refresh the page, and shazam! The cookies all come back.

Samy's eight storage locations:

1. Regular, old, everyday cookie.

2. Flash cookie.

3. A very clever technique Kamkar talks about on his site that tricks PHP into remembering cookie information, disguising it as a custom PNG color palette. The technique uses an HTML5 "Canvas tag" to retrieve the information.

4. Another clever technique that uses your browser's Web History to encode cookie information. It's a variant of the CSS History Knocker method developed by Jeremiah Grossman.

5, 6, 7, and 8. All standard HTML5 storage locations, although No. 8 requires SQLite. (See my discussion of HTML5 in yesterday's Tech Watch article "IE9: Good enough to beat Firefox and Chrome?")
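Seen from the defender's side, the respawn behavior described above leaves a recognizable trace: the same value mirrored in several storage locations, and a deleted cookie that returns unchanged on the next visit. The following is an added example, not code from the article or from Kamkar's program. It audits three storage snapshots for that pattern; the location names, keys and values are constructed for illustration.

```javascript
// Snapshots map a storage location to its key/value pairs. Location names
// loosely follow the article's list; every value below is a constructed sample.

// Return values that are mirrored in two or more storage locations.
function mirroredValues(snapshot) {
  const seen = new Map(); // value -> Set of locations holding it
  for (const [location, entries] of Object.entries(snapshot)) {
    for (const value of Object.values(entries)) {
      if (!seen.has(value)) seen.set(value, new Set());
      seen.get(value).add(location);
    }
  }
  return [...seen].filter(([, locs]) => locs.size > 1)
    .map(([value, locs]) => ({ value, locations: [...locs].sort() }));
}

// Compare three snapshots: before deletion, right after the user deleted
// cookies, and after revisiting the site. A cookie that vanished and then
// returned with the same value was respawned; report where a copy survived.
function findRespawned(before, afterDelete, afterRevisit) {
  const findings = [];
  for (const [name, value] of Object.entries(before.cookie || {})) {
    const deleted = !(name in (afterDelete.cookie || {}));
    const returned = (afterRevisit.cookie || {})[name] === value;
    if (!deleted || !returned) continue;
    const backups = Object.entries(afterDelete)
      .filter(([loc, entries]) => loc !== 'cookie' &&
              Object.values(entries).includes(value))
      .map(([loc]) => loc).sort();
    findings.push({ cookie: name, value, survivedIn: backups });
  }
  return findings;
}

// Constructed sample: the user clears regular cookies only.
const before = {
  cookie: { uid: 'a1b2c3', theme: 'dark' },
  flashLSO: { uid_bak: 'a1b2c3' },
  localStorage: { u: 'a1b2c3' },
};
const afterDelete = { cookie: {}, flashLSO: before.flashLSO,
                      localStorage: before.localStorage };
const afterRevisit = { ...afterDelete, cookie: { uid: 'a1b2c3' } };

console.log(mirroredValues(before));
console.log(findRespawned(before, afterDelete, afterRevisit));
```

The `survivedIn` list names the stores that still have to be cleared before the identifier is actually gone.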

Kamkar says he has four more cubbyholes under development. There's Silverlight Isolated Storage (by some accounts, Microsoft's Silverlight now runs on more than 50 percent of all PCs); HTTP entity tags; a JavaScript property known as window.name; and "using Java to produce a unique key based off of NIC info."

I couldn't get all of Kamkar's storage spots to work on all of the machines I tried; older browsers on older machines didn't cough up HTML5 locations, for example. But if you take your favorite machine to the evercookie site, I guarantee you'll be surprised and downright shocked.

While you're there, take a look at Kamkar's main page. Watch as a list of sites that you've visited recently scrolls down the lower-right corner. If you're using Internet Explorer 9 beta, you'll probably crash the browser. Chrome 7 Canary beta blocks the list. But Firefox 4 beta scrolls right along, as do most other, earlier browsers.

Back to Samy Kamkar. Does the name sound familiar? It should. On Oct. 4, 2005, Kamkar released the XSS Worm on MySpace, infecting more than a million people in a little under 20 hours. He pled guilty to felony charges in 2007. The XSS Worm didn't hurt anybody, but it sure made headlines. He's been actively involved in Internet and security circles ever since. Last month he gave a talk at the Black Hat Conference called "How I met your girlfriend" that showed how to use Google Street View to stalk people.

This article, "Welcome to Samy Kamkar's zombie cookie factory," was originally published at InfoWorld.com.
