Killing the Evercookie

Dominic White

 

Killing the Evercookie

(Hi Slashdot & The Register readers. Make sure to check the 2nd part on killing iPhone Evercookie's too)

Samy Kamar recently released his tool, evercookie. This uses multiple persistent data stores to set unique identifiers that can be used to identify your browser to a website. While my default Firefox browsing setup is safe against it, I noticed that the "disposable" Safari instance I used was not. I sometimes use a clean Safari instance to test or access things the tinfoil on my Firefox does not let me. After each use I reset everything in it. However, I noticed that evercookie would persist. Here's how to delete it and others using the same mechanisms for Safari on OSX 10.6 (working out the same for other browsers/OS' isn't too difficult):

When the evercookie is created, is shows as existing in the following locations (note: just visiting the site sets up some of the evercookie containers):
userData mechanism: undefined
cookieData mechanism: 362
localData mechanism: 362
globalData mechanism: undefined
sessionData mechanism: 362
historyData mechanism: undefined
pngData mechanism: 362
etagData mechanism: 362
dbData mechanism: 362
lsoData mechanism: 362

If I reset Safari, but don't restart it, the cookie persists in these four locations. The force-cached PNG uses an RGB value as the identifier and is only cleared after a reset and restart:
pngData mechanism: 362
etagData mechanism:
userData mechanism: undefined
cookieData mechanism: undefined
localData mechanism: 362
globalData mechanism: undefined
sessionData mechanism: null
historyData mechanism: undefined
dbData mechanism: 362
lsoData mechanism: 362

However, even a reset and restart leaves us with the two HTML5 localData and SQLite locations, and a flash cookie:
pngData mechanism: undefined
etagData mechanism:
userData mechanism: undefined
cookieData mechanism: undefined
localData mechanism: 362
globalData mechanism: undefined
sessionData mechanism: null
historyData mechanism: undefined
dbData mechanism: 362
lsoData mechanism: 362

To this end, I wrote a small script (which Bernd turned into a GUI app for OSX) which will remove these and other cookies:

cat evercookie-kill.sh
#!/bin/bash
echo "Deleting evercookie locations Safari missed (see samy.pl/evercookie)"
rm -r ~/Library/Safari/Databases/*
rm -r ~/Library/Safari/LocalStorage/*
rm -r ~/Library/Preferences/Macromedia/Flash\ Player/\#SharedObjects/*

Running the script while Safari is running will have no effect. For it to work fully, you will need to reset Safari, exit, then run the script. This will clear out all the locations currently implemented in evercookie. While checking these locations, I was surprised to find data from all sorts of other sites, hence the removal of "*", but you can replace it with "samy.pl" if you want to target Samy's evercookie specifically (note, that's not the same as someone else's site implementing the evercookie). While the flash cookies had a large number of sites, there were a couple (cnn, foxnews, twitter and a few others I can't remember) using the HTML5 locations.

Wednesday, October 13. 2010
Posted by Dominic White in Privacy
Comments (12) | Trackbacks (15)

 

Trackbacks
Trackback specific URI for this entry

PingBack
Weblog: topsy.com
Tracked: Oct 13, 16:59
PingBack
Weblog: www.monirulislam.com
Tracked: Oct 16, 05:52
PingBack
Weblog: www.securitygeneration.com
Tracked: Oct 19, 22:58
PingBack
Weblog: www.programer.rs.ba
Tracked: Oct 21, 18:58
PingBack
Weblog: beta.group51.org
Tracked: Oct 21, 21:23
PingBack
Weblog: www.invasao.com.br
Tracked: Oct 25, 14:55
PingBack
Weblog: koisasdanet.wordpress.com
Tracked: Oct 25, 16:36
PingBack
Weblog: thomazjunior.wordpress.com
Tracked: Oct 25, 17:03
PingBack
Weblog: infoconta.wordpress.com
Tracked: Oct 26, 00:35
PingBack
Weblog: blogs.techrepublic.com.com
Tracked: Nov 01, 15:43
PingBack
Weblog: www.steve-shead.net
Tracked: Nov 02, 15:39
PingBack
Weblog: www.steve-shead.com
Tracked: Nov 02, 15:40
PingBack
Weblog: skicat56.wordpress.com
Tracked: Nov 02, 19:41
PingBack
Weblog: d4n3ws.polux-hosting.com
Tracked: Jul 08, 08:41
PingBack
Weblog: blog.hushtunnel.com
Tracked: Apr 05, 22:42

Comments
Display comments as (Linear | Threaded)

#1 Logical Extremes wrote (Link) (Reply)
Posted on Wednesday, October 13. 2010
I'd guess you have Safari set to authorize no databases without a prompt. But Safari still writes files [http://blog.logicalextremes.com/2010/08/safari-html5-local-storage.html]. A harmless bug at best, a privacy vulnerability at worst.
 
#2 joe wrote (Link) (Reply)
Posted on Tuesday, October 19. 2010
This is probably old news, but some dashboard widgets store cookies in Safari's store...
 
#3 bytesplit (Reply)
Posted on Thursday, October 21. 2010
I'm not exactly sure about the evercookie, but afaik it can also use Silverlight. So, in the rare case of a Silverlight installation, clear out this path also... ~/Library/Application\ Support/Microsoft/Silverlight/*
 
#4 Rob (Reply)
Posted on Saturday, October 30. 2010
You stated that your default Firefox browsing setup is safe against the evercookie. How did you do that?
 
#4.1 Dominic White wrote (Link) (Reply)
Posted on Monday, November 1. 2010
@Rob: I use a bunch of extensions and modifications. The first and best is NoScript and CSLite which prevent the cookie from being set at all. On sites where I need to allow that sort of access; BetterPrivacy helps to clear things. Finally, I split creepy providers that force cookies into separate browser profiles (e.g. Google & Facebook) and surf all non-identified traffic through Tor to split up my identities (i.e. after preventing/killing cookie, no consistent IP)
 
#4.1.1 al (Reply)
Posted on Wednesday, December 28. 2011
any chance you could make a post on your recommended privacy and security setup for Firefox? i've been using about:config and a user.js file for some settings like dom.storage.enabled=false but would be cool to see an article by someone who knows this stuff well.
 
#5 Mark I (Reply)
Posted on Sunday, October 31. 2010
Killing the Evercookie: For those of us who are not used to "running scripts" (which I assume is done from the Terminal Window?) in Mac OS 10.6 - would you include a step-by-step pain-by-number for novices instruction set on HOW to run this script? Can it just be pasted into the terminal window and then hit "return" or must it be entered line by line with a line feed/or return after each line? I know to an experienced Unix person this sounds idiotic. But there are those of us who've used Mac's for 24 years and have seldom if ever ventured below the GUI, because we have not needed to do so. If you do put this together, be sure to include such basics as "where to find the Terminal Program" then How to Start it up, What the Cursor looks like, and then how to enter the script, and once entered, how to run it. After it's run, what to look for if it is successful, and what to do if it won't run. Finally, how to quit Terminal after it's all done, and when to restart the machine, or restart just Safari or anything else that should be done as a "final" step to make sure the bastard evercookie is deleted. Please don't think this is too elemental to bother with. There are a lot of infected machines out there in the hands of people who have no idea of even what Terminal is or where to find it! And they need help too! Thanks MI
 
#5.1 Dominic White wrote (Link) (Reply)
Posted on Monday, November 1. 2010
@Mark: To be honest, I was hoping this would form the beginnings of either an easier way to remove it for non-Unix people, or an improvement from the browser-vendors in their privacy controls to meet this. I don't think we need to teach everyone how to pop the hood for something that affects us all.
 
#5.1.1 Darlene (Reply)
Posted on Thursday, January 27. 2011
I too would like to see step-by-step instructions. I have a persistent evercookie and it's driving me crazy. I opened Terminal Mode and pasted the script above, hit the return, but have no idea if that actually worked or if I did it right. Now I'm just waiting to see if the evercookie comes back... Thanks in advance for showing novices how to "pop the hood."
 
#5.2 Bernd Moessinger wrote (Link) (Reply)
Posted on Saturday, February 12. 2011
Hi OSX- and Safari-users, I just made an OSX-GUI-application for OSX 10.6 and Safari which includes the script above. You can download it here http://welcome2inter.net/news/files/kill-evercookie.zip . Regards Bernd
 
#5.2.1 vince7 (Reply)
Posted on Thursday, February 17. 2011
I just used your script and it worked as advertised. Now I need to get my HP laptop straight. Thanks for the script and your help.
 
#6 Jessica (Reply)
Posted on Saturday, January 12. 2013
I have a MacBook Pro ML 10.8.2, running Safari: No Java, No Flash, Java Script is ON. I get this result: pngData mechanism: undefined etagData mechanism: undefined cacheData mechanism: undefined userData mechanism: undefined cookieData mechanism: undefined localData mechanism: null globalData mechanism: undefined sessionData mechanism: null windowData mechanism: undefined lsoData mechanism: undefined slData mechanism: undefined So does that mean I don't have the evercookie on my system? In your post you say that: "When the evercookie is created, is shows as existing in the following locations" I have looked all over my system and Googled, but cannot find those locations? In your post you say that: "(note: just visiting the site sets up some of the evercookie containers)" What is the difference between containers and locations ? I can't find either using the names above ? Thanks
 

Add Comment