No doubt you know about browser cookies -- pieces of text stored on your PC and retrieved by programs running on a website. You know first-party cookies (planted directly by a website) and third-party cookies (manipulated by programs not directly controlled by a website, typically by advertisers). If you read my Tech Watch article "Block 'Flash cookies' to thwart zombies," you also know about Flash cookies and how they can be used to bring back first- and third-party cookies, even if you delete them.
In the past month, research on zombie cookies -- cookies that come back after they're deleted -- has yielded some surprising results. One enterprising programmer has discovered eight different places to stick zombie cookie information. And he says he has four more places up his sleeve.
First-generation zombies, like the classic ghouls in "Night of the Living Dead," are persistent but ultimately fallible. The original zombie shtick plants a regular, everyday cookie on your PC, but then tucks a backup copy inside Adobe Flash's private storage. When you venture back to the website, it checks to see if the everyday cookie is still located where it's supposed to be. If the cookie's gone, the site checks Flash's private storage and, if the copy's there, restores the original everyday cookie. You thought you deleted the cookie, but it came back.
The obvious Achilles' heel: Flash's private storage, the Local Storage Object. If you delete your cookies and knock out Flash's LSO using, for example, methods I discussed in my earlier Tech Watch article, you drive a wooden stake through the cookie's heart and it won't come back. (Yes, I know that's a mixed zombie/vampire metaphor, but you get my drift.)
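One way to check for the respawn behaviour described above is to compare storage snapshots taken before deletion and after revisiting the site. This is an added example, not code from the article: the function name, cookie names, file name and identifier values are all constructed for illustration, and it assumes the Flash LSO key/value pairs have already been read into plain objects.

```javascript
// Added example: audit logic, not code from the article.
// All cookie names, values and file names below are constructed sample data.

const MIN_ID_LENGTH = 8; // ignore short values ("1", "en") that match by chance

// before:       cookies present before the user deleted them   {name: value}
// afterRevisit: cookies present after deleting and revisiting   {name: value}
// lsoEntries:   key/value pairs read from surviving Flash LSOs  [{file, key, value}]
function findRespawnedCookies(before, afterRevisit, lsoEntries) {
  const findings = [];
  for (const [name, value] of Object.entries(afterRevisit)) {
    if (value.length < MIN_ID_LENGTH) continue;
    // A freshly issued cookie carries a new identifier; the same value
    // reappearing after deletion means it was restored from a backup copy.
    if (before[name] !== value) continue;
    // The backup may be stored under a different key, so match on value.
    const backup = lsoEntries.find((e) => e.value === value);
    findings.push({
      name,
      value,
      source: backup ? `${backup.file}:${backup.key}` : "unknown store",
    });
  }
  return findings;
}

// Constructed snapshots: cookies deleted, Flash storage left alone.
const before = { uid: "a91f3c7720be44d1", lang: "en" };
const lso = [{ file: "tracker.example.sol", key: "backupId", value: "a91f3c7720be44d1" }];
const afterCookiesOnly = { uid: "a91f3c7720be44d1", lang: "en" };

// Constructed snapshots: cookies and LSOs both deleted, so the site issues a new id.
const afterBothCleared = { uid: "5d02e8b1c6f94a3e", lang: "en" };

console.log(findRespawnedCookies(before, afterCookiesOnly, lso));
console.log(findRespawnedCookies(before, afterBothCleared, []));
```

A finding whose source is "unknown store" means the identifier came back from somewhere other than the LSO entries that were inspected.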