08.26.11

How to mitigate the “Supercookies”

“Supercookies” (Local Shared Objects), or flash cookies as they are otherwise commonly called, and their implications for the privacy of Internet users have been a hot topic in the security news blogs lately.

“Cookies”, as most of you already know, are small text files that are used to keep small pieces of browsing information stored on a computer to track and retain user preference information when Internet users visit various websites online. But the risks involved with tracking cookies are already well known in the security community. There are also options available on various browser setting pages which explicitly allow users to clean these cookies. Many anti-virus companies, including Total Defense, have protection against tracking/third party cookies, too.

Flash cookies are similar files that are used by websites that use Adobe Flash content. They are used to store data on local computers, but these cookies are not cleared when the regular browser cookies are purged. There have been reports that various websites and their affiliates are now using them in addition to the regular browser cookies to track user browsing information, and most users were unaware of the flash cookies. This blog is written purely to provide information to these users on how to mitigate or remove these “Supercookies”.

Adobe has a settings manager on its website which a user can access to control how flash cookies are handled on the user's machine. [Figure 1] The settings manager link to quickly access the settings is here. This can also be accessed by right-clicking on a Flash element in a browser and then going to the settings option in the drop-down menu.

Clicking on the Website Storage Settings panel option (the second icon from the right) in the settings manager lets you view or delete the flash cookies currently stored on the machine. By default, every site is allowed to store up to 100KB of information on the local machine. The same menu can also be used to control the amount of local storage allowed for a particular website. However, when you delete these flash cookies, you may also remove information that personalizes or configures your view of these sites. You may have to re-enter information the next time you browse to that website. Just as in life, every choice you make online involves risks and rewards.

If you wish to completely stop Flash Player from storing such cookies, there is an option in the settings panel called Global Storage Settings (second icon from the left). [Figure 2]

Under the Global Storage Settings panel, by moving the slider down to NONE and checking the Never Ask Again option, you allow no local storage space for flash cookies. This disables flash cookie storage from then on. You can also disable permission for third-party Flash content to store data on your computer or disable storage of common flash components; however, these may interfere with your browsing experience. The recommendation here would be to keep a check on the flash cookies every now and then, and mitigate them via the Settings Manager.

If you wish to go one step further and examine these files and what information is stored in them, the following locations can be used to find the locally stored flash cookie files.

On Windows: Flash cookies are stored with a “.SOL” extension and can be found in the subdirectories of %appdata%\Macromedia\Flash Player\#SharedObjects.

On Mac OSX: Flash cookies can be found under ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/ or ~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/

On Linux: Flash cookies are stored in the ~/.macromedia folder.
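
To review what is stored in the locations above without opening each folder by hand, the following Python script (an added example, not part of the original post) totals the .sol files per site. The function names are hypothetical, and the per-site grouping assumes the usual layout `#SharedObjects/<random id>/<site>/...`.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path


def lso_roots(platform=sys.platform, env=os.environ, home=None):
    """Return the Flash cookie locations the article lists for a platform."""
    home = Path(home or Path.home())
    if platform.startswith("win"):
        appdata = Path(env.get("APPDATA", ""))
        return [appdata / "Macromedia" / "Flash Player" / "#SharedObjects"]
    if platform == "darwin":
        base = home / "Library" / "Preferences" / "Macromedia" / "Flash Player"
        return [base / "#SharedObjects",
                base / "macromedia.com" / "support" / "flashplayer" / "sys"]
    return [home / ".macromedia"]


def site_of(path):
    """Site that owns a .sol file, or a marker when the layout is unexpected.

    Assumed layout: #SharedObjects/<random id>/<site>/.../<name>.sol
    """
    parts = path.parts
    if "#SharedObjects" in parts:
        i = parts.index("#SharedObjects")
        if len(parts) > i + 3:
            return parts[i + 2]
    return "(unattributed)"


def inventory(roots):
    """Map site -> [file count, total bytes] for every .sol file under roots."""
    totals = defaultdict(lambda: [0, 0])
    for root in roots:
        # os.walk yields nothing for a missing root, so absent folders are fine.
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower().endswith(".sol"):  # extension may be upper case
                    f = Path(dirpath) / name
                    entry = totals[site_of(f)]
                    entry[0] += 1
                    entry[1] += f.stat().st_size
    return dict(totals)


if __name__ == "__main__":
    for site, (count, size) in sorted(inventory(lso_roots()).items()):
        print(f"{site:40} {count:3} file(s) {size:8} bytes")
```

Running it before and after clearing storage in the Settings Manager shows whether the flash cookies were actually removed.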

Now, the options recommended in this blog to mitigate flash cookies are not the easiest to follow, but including these steps in a routine can definitely help with protecting your privacy online. So the next time you are cleaning your browsing history, remember to keep a check on your flash cookies as well. Perhaps with the right attention, the so-called “Supercookies” may be rendered not-so-super after all. Awareness of the security risks is always a good start to going a step beyond protection.