Block 'Flash cookies' to thwart zombies

Those who fail to block Flash Local Shared Objects -- so-called flash cookies -- make themselves vulnerable to cookie-like snooping

With two high-profile class-action lawsuits filed in the past month against such heavyweights as Disney, MySpace, and NBC Universal, "zombie cookies" have entered the water cooler lexicon.

Many organizations block, restrict, or otherwise manage cookies on company computers. But if users aren't protected against Adobe Flash's Local Shared Objects, they're exposed to all of the data snooping problems inherent in third-party cookies -- with none of the protections.


Last month, a lawsuit filed in California against Quantcast and MySpace, ABC, ESPN, Hulu, JibJab, MTV, and NBC Universal brought the concept of "zombie cookies" into the public eye. A similar lawsuit last week from the same attorneys, also seeking class-action status, took on Clearspring, Disney, and Warner Brothers, among others.

Quantcast and Clearspring helped popularize the technique used to create and perpetuate zombie cookies and plant them on computers all over the world. They have made, and continue to make, enormous profits mining and peddling information about Web users' browsing proclivities. That's why they've been singled out. The other high-profile companies targeted in the lawsuits bought into the zombie cookie technique, apparently with Quantcast and Clearspring's help.

It's important to understand that blocking or controlling your users' browser cookies won't automatically nullify Flash cookies: the zombie technique persists, if only for a short period of time.

In a nutshell, here's what's happening. Every computer running Adobe's Flash (and Flash runs on more computers than even Windows!) has an area set aside where websites can store and retrieve information. The Local Shared Objects, as they're called, persist across Web sessions, just like regular cookies. Unlike regular cookies, LSOs have no set expiration date, and they aren't controlled by any browser settings. You may configure browsers in your company to reject cookies, or reject third-party cookies, but those settings don't do diddly with Flash LSOs.

Zombie cookies come into play with savvy websites that set a cookie, but then set a similar backup cookie in the Flash LSO area. When the browser returns to the site (or to a site with content hosted on another site), the site looks to see if there's a cookie, in the usual way. If there isn't one, the site looks in the Flash LSO area and reconstitutes the cookie if it can. Thus, even if your policies wipe out cookies during a session, or at the end of a session, the Flash LSO data can help the site bring the cookie back from the dead.

You might assume that Adobe, once it learned that Flash had been subverted to undermine user and corporate cookie settings, would've sprung to Flash's defense, unleashing a flood of publicity and tools to allow individuals and companies to control Flash LSO data. Not so. All we Flash users received was a finger-wagging position statement (PDF), sent to the U.S. Federal Trade Commission:

"Adobe condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent."

Blocking Flash cookies is not straightforward. LSOs are stored in files with extension .SOL. On most Windows PCs, they're in folders under %APPDATA%\Macromedia\Flash Player\#SharedObjects\ and %APPDATA%\Macromedia\Flash Player\\support\flashplayer\sys.

The official method for cleaning and blocking Flash LSOs on an individual machine hasn't changed in more than two years. To block Flash cookies the official way, you have to go to Adobe's Flash Player Settings Manager site and adjust the settings in the image at the top of the page. (Hard to believe, but the graphic that looks like a screen shot is, in fact, the Settings Manager, and it changes the settings on the PC being used to view it.) To the best of my knowledge, Adobe hasn't seen fit to release a program or any other product that allows you to control Flash cookies. You have to visit this website, machine by machine.
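Since Adobe offers no tool for this, an administrator is left auditing machines one at a time. The script below is an added example (not from the article or from Adobe) that inventories every .sol file under the per-user Flash Player folder named above and can purge site data while leaving settings files alone. It assumes a folder layout of #SharedObjects\<random id>\<site>\... for site data and sys\#<site>\settings.sol for per-site player settings; the test tree in the comments is constructed.

```python
import os
import time
from pathlib import Path

SHARED = "#SharedObjects"  # subfolder holding site data LSOs (from the article)

def flash_player_root() -> Path:
    """Per-user Flash Player folder on Windows, built from %APPDATA% as the article describes."""
    return Path(os.environ.get("APPDATA", "")) / "Macromedia" / "Flash Player"

def site_for(sol: Path, root: Path) -> str:
    """Derive the owning site from a .sol file's folder position.
    Assumed layout: #SharedObjects/<random id>/<site>/... and .../sys/#<site>/settings.sol."""
    parts = sol.relative_to(root).parts
    if SHARED in parts:
        i = parts.index(SHARED)
        return parts[i + 2] if len(parts) > i + 3 else "(unknown)"
    if "sys" in parts:
        i = parts.index("sys")
        return parts[i + 1].lstrip("#") if len(parts) > i + 2 else "(global settings)"
    return "(unknown)"

def audit(root: Path, now=None) -> list:
    """Inventory every .sol under root: site, kind, size and age in days (sorted by path)."""
    now = time.time() if now is None else now
    rows = []
    for sol in sorted(root.rglob("*.sol")):
        st = sol.stat()
        rows.append({
            "path": sol,
            "site": site_for(sol, root),
            # assumption: files under #SharedObjects are site data, the rest are player settings
            "kind": "data" if SHARED in sol.parts else "settings",
            "bytes": st.st_size,
            "age_days": round((now - st.st_mtime) / 86400, 1),
        })
    return rows

def purge(root: Path, keep_sites=frozenset(), dry_run: bool = True) -> list:
    """Remove site data LSOs except for allow-listed sites; settings files are never touched.
    Returns the paths removed (or, in dry-run mode, the paths that would be removed)."""
    removed = []
    for row in audit(root):
        if row["kind"] != "data" or row["site"] in keep_sites:
            continue
        if not dry_run:
            row["path"].unlink()
        removed.append(row["path"])
    return removed

if __name__ == "__main__":
    for r in audit(flash_player_root()):
        print(f'{r["site"]:40} {r["kind"]:8} {r["bytes"]:6d} B {r["age_days"]:6.1f} d  {r["path"]}')
```

Run it as-is to list what Flash has stored for the current user; call purge(flash_player_root(), dry_run=False) only after reviewing the dry-run listing.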

This story, "Block 'Flash cookies' to thwart zombies," was originally published at InfoWorld. Get the first word on important tech news with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.