New Breed of Super Cookie Defies Removal – Almost…


From a recent UC Berkeley report:

More than half of the internet’s top web sites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies.

Under the direction of Chris Hoofnagle of the Information Privacy Programs at the Berkeley Center for Law and Technology, the researchers discovered that most web users aren’t familiar with Flash cookies and that Flash web cookies can’t be controlled through the cookie privacy controls in a browser. Even more interesting was the use of Flash cookies to ‘re-spawn’ or bring back to life traditional browser cookies that had been deleted on customer computers. In the study even several federal government web sites were found to contain Flash cookie ID information. The federal government has a policy of banning the use of traditional browser cookies.

What’s all the fuss about? Internet web sites often attach browser ‘cookies’—small strings of identifying text and numbers—to your computer to help them keep track of you and your preferences when you visit their sites. In theory this is a useful connection between you and the web sites you visit. For instance, an online book vendor could store your customer preferences information to better help you find what you want and make it easier to make your purchases.

However, like many useful, good things on the web, browser cookies have turned out to be an avenue for identity thieves to find us and our personal information. A cookie that no one knows about and that is not controllable through our web browsers, and can be used to re-spawn traditional browser cookies—could be a useful avenue for identity thieves indeed.

Changing Flash Preferences

Removing Current Site Cookies

Turns out, Adobe has a Settings Manager on its site where you can control how Flash cookies are stored along with other things. If you right-click on a piece of Flash code in your browser you can select “Settings” and get to this special place. Or you can just click our handy link: Adobe Website Storage Settings Panel.

What you should be seeing is something like this:

Here you can see which cookies have been written to your computer along with the ability to DELETE all of them. That’s something I would strongly consider. Remember, however, that there are some benefits with these cookies. If you frequent sites that use this technology (and many do) you will be deleting some of your settings with those sites and you may have to re-enter text each time you visit.

There is risk/reward with every choice you make in life…

Even if you decide to push the Delete all Sites button, you still have some work left.

Stopping New Sites from Writing Cookies

Even if you deleted the cookies that have already been written to your computer, you’ll need to keep new cookies from being written as well. Luckily, Adobe has created a way to do that:

Adobe Global Storage Settings Panel

If everything goes according to plan, you should be seeing something that looks like this:

Here you can tell Flash not to store any cookies in the future. Just drag the slider over to “None” and select “Never Ask Again.” That’s it!

Flash Cookie Removal Tools

Here are some other tools if you want 3rd party help with managing or controlling Flash cookies:

Windows:

Mac OS X:

Flash Cookie Storage Locations

You can always go to the directory where the cookies are stored and remove them manually. It’s not a permanent solution – new cookies will get created in the future – but it works.

Windows:

LSO files are stored typically with a “.SOL” extension, within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.

Mac OS X:

For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys

GNU-Linux:

LSO files are stored in ~/.macromedia.

Wrap Up

Now you know about the mysterious and curiously difficult to remove Flash cookies. They are pervasive – even on government web sites – and won’t be going away anytime soon.

Please post any follow-up questions or concerns below…

Author: Dave Nielsen

I started using computers in 1978 on the Apple II and was first online (using my “high-speed” 1200 baud modem) in 1989. I’ve managed web sites for several Fortune 500 companies and for internet start-ups. Working for one of those start-ups is what brought me into the world of credit. I was part of the the executive team that ran QSpace, the first company to offer credit reports over the internet.

Share This Post On

7 Comments

  1. I’ve never even thought about commenting till now. I guess if I really like a post I find myself checking the external links for more and favoriting (if that is a word) the post instead.
    From now on though I’ll definitely try and drop a comment every so often.
    ____________
    manishfusion
    Best credit card deals–Best credit card deals

  2. Don’t kid yourself that Adobe is actually removing current Flash objects and/or preventing future Flash Cookies from being sneaked onto your hard drive. No matter how many times we have gone to the arrogant and obnoxious Adobe site and told it to NOT store flash objects, we always end up with many Flash Cookies on our hard drive whenever we view a video from various sites. Many of the Flash objects are not even recognizable sites; we have no idea why they are on the machine.

    If you want to find how many of these “SOL” (good name for such obnoxious pieces) objects are on your hard drive, just do a Search for *.sol. Be prepared to be amazed and chagrined!

    Adobe should be FORCED to provide a COOKIE REMOVER device in its Flash Player. There is NO EXCUSE FOR THIS RELENTLESS PRIVACY VIOLATION by Adobe.

  3. Flash wouldn’t work very well without these little helpers. Most of the applications you use have to use these files for basic function. You can be on the safe side and delete these files if you wish, but really, you need to stop entering personal information into flash forms anyways. Thats the only way any data like that would be written on to your computer.

    Kinda creepy you guys are so paranoid…YouTube, Myspace, all that jazz, are social networks. Anything you put out their, and anything you watch is up for grabs. Youtube get it…its TV all about you.

    =============
    ccna test

  4. This is great info on how to remove cookies. I hadn’t thought about doing that, but I’ll use your blog to try this on my computer.

  5. So, should I delete at these .sol. crap, or not?? That is amazing !!

  6. You can delete them, but you’re better off shutting them off using a 3rd party tool or the Flash preferences, otherwise they’ll just come back.

    It is unbelievable, that’s for sure.

  7. I did what I could to delete those cookies, but still had a load of folders (now empty) with website names, in the folder :
    C:\Users\(mylogin)\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
    - some with unsavoury names :)

    I’m glad I’ve been able to get rid. Thanks

Submit a Comment