Evercookie: Invasion of the Browser Snatchers!


Over the past year or so there’s been a slowly building hubbub as the general news media became aware of Flash cookies and their ability to tag and identify return visitors — even after those users have actively cleared their HTTP cookie cache.

And they thought they had some trouble then?

Developer Samy Kamkar has just released a new JavaScript API called Evercookie that employs ten — yes, count ‘em — ten different methods for virtual-tattooing a cookie into your browser.

Some of Evercookie’s tagging methods are so fiendishly clever that you can only imagine that Samy codes them from deep inside a secret volcano lair, complete with henchmen and a shark pool. Currently Evercookie uses:

  1. Standard HTTP Cookies
  2. Local Shared Objects (Flash Cookies)
  3. Storing cookies in RGB values of auto-generated, force-cached PNGs
  4. Reading cookies into and out of Web History
  5. Storing cookies in HTTP ETags
  6. Internet Explorer userData storage
  7. HTML5 Session Storage
  8. HTML5 Local Storage
  9. HTML5 Global Storage
  10. HTML5 Database Storage via SQLite

But is it time for Samy to rest on his laurels? Oh no sir! Plans are already in the pipeline for a version that tags users using Silverlight, Java and window.name.

What’s more, any time Evercookie discovers any of its cookies missing, it quietly and efficiently recreates them from whichever copies survived. And people say you can’t get good help these days.

While some of the methods Samy employs are well documented (e.g. HTTP cookies, Flash cookies), many are original ideas to my knowledge.

For instance, the force-cached PNG method is almost like a surreptitious DIY QR code system. The user’s unique ID is converted into a series of colored pixels in a PNG, which is served with caching headers that tell the browser to hang on to it. When the user returns, the cached PNG is quietly drawn into a canvas element and the ID is read back out of the pixel values.
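To make the pixel trick concrete, here is an added example (my own code, not Evercookie’s) of the packing and unpacking step. A canvas `getImageData()` buffer is a flat RGBA array, four bytes per pixel, so the code works on a `Uint8ClampedArray` with that layout and runs offline without a real canvas; in a page the buffer would come from `ctx.drawImage(img, 0, 0)` followed by `ctx.getImageData(0, 0, w, h).data`. The ID goes into the R, G and B channels only, with alpha pinned at 255: canvas stores pixels premultiplied by alpha, so bytes in a non-opaque pixel come back altered. The NUL terminator, the width default and the simplified premultiplication model are assumptions of the example.

```javascript
// Added example, not evercookie's own code: pack an ASCII identifier into the
// RGB channels of an RGBA pixel buffer (canvas getImageData() layout) and
// recover it again. Alpha stays 255 so premultiplication cannot touch the bytes.

const ID_TERMINATOR_BYTE = 0; // assumption: a zero byte ends the ID (IDs are printable ASCII)

// Encode `id` into an RGBA buffer `width` pixels wide. Returns the buffer and
// the image dimensions; height grows to whatever is needed to fit the bytes.
function encodeIdToPixels(id, width = 200) {
  const bytes = Array.from(Buffer.from(id, 'ascii'));
  if (bytes.includes(ID_TERMINATOR_BYTE)) throw new Error('id must not contain a NUL byte');
  bytes.push(ID_TERMINATOR_BYTE);
  const pixelsNeeded = Math.ceil(bytes.length / 3); // three data bytes per pixel
  const height = Math.ceil(pixelsNeeded / width);
  const data = new Uint8ClampedArray(width * height * 4);
  for (let p = 0; p < width * height; p++) {
    data[p * 4 + 0] = bytes[p * 3 + 0] ?? 0; // R
    data[p * 4 + 1] = bytes[p * 3 + 1] ?? 0; // G
    data[p * 4 + 2] = bytes[p * 3 + 2] ?? 0; // B
    data[p * 4 + 3] = 255;                   // A: fully opaque, immune to premultiplication
  }
  return { data, width, height };
}

// Walk the RGB channels until the terminator. Returns null when the buffer is
// not a tag we wrote: a non-opaque pixel (premultiplied, or someone else's
// image), no terminator at all, or an empty payload (a black image is not a tag).
function decodeIdFromPixels(data) {
  const out = [];
  for (let i = 0; i + 3 < data.length; i += 4) {
    if (data[i + 3] !== 255) return null;
    for (const channel of [data[i], data[i + 1], data[i + 2]]) {
      if (channel === ID_TERMINATOR_BYTE) {
        return out.length ? Buffer.from(out).toString('ascii') : null;
      }
      out.push(channel);
    }
  }
  return null;
}

// Simplified model of what a browser does to a pixel with the given alpha on
// its way through canvas: premultiply on store, un-premultiply on readback,
// rounding to a byte each time. Lossless only when alpha is 255.
function roundTripThroughCanvas(data, alpha) {
  const copy = new Uint8ClampedArray(data);
  for (let i = 0; i < copy.length; i += 4) {
    for (let c = 0; c < 3; c++) {
      const stored = Math.round(copy[i + c] * alpha / 255); // premultiplied store
      copy[i + c] = Math.round(stored * 255 / alpha);        // un-premultiplied read
    }
    copy[i + 3] = alpha;
  }
  return copy;
}

module.exports = { encodeIdToPixels, decodeIdFromPixels, roundTripThroughCanvas };
```

Two practical checks follow from this. The PNG must be same-origin (or served with CORS headers the `<img>` opts into), because `getImageData()` throws on a tainted canvas and the tag is unreadable; and anything that lowers alpha or re-encodes the image (an image-optimising proxy, a lossy format) destroys the payload, which is why the decoder refuses non-opaque pixels instead of returning garbage.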

The Web History cookie method is possibly even more insidious. A temporary page is created in the background with a URL built from your unique ID — let’s say ‘pwn.com/yourusernameABC-’. This page is sent to your browser alone, so it ends up recorded in your browser history.

The next time you return, the script rifles through URL variations and checks each one against your web history. When a partial match is found (e.g. ‘pwn.com/y’) it locks that in and moves on to the next letter, a little like the way autocomplete works in your address bar. Whenever it reaches a hyphen it knows it has a complete ID.
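The letter-by-letter walk is easy to get subtly wrong, so here is an added example (my own code, not Evercookie’s) of both halves: planting the tag and recovering it. `isVisited(url)` stands in for the browser’s history oracle; Evercookie reads it from the styling of a generated link, and here it is a constructed `Set` of visited URLs so the code runs offline. The alphabet, the 64-character cap and the `pwn.com/` base are assumptions of the example.

```javascript
// Added example, not evercookie's own code: recover an identifier from browser
// history by extending a URL prefix one character at a time, stopping at '-'.

const HISTORY_ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
const HISTORY_TERMINATOR = '-'; // deliberately not in the alphabet, so the end of an ID is unambiguous

// Planting side. The walk only works if every prefix of the ID is in history,
// so the tagging page has to visit each prefix, then the terminated form.
function historyUrlsForId(base, id) {
  const urls = [];
  for (let i = 1; i <= id.length; i++) urls.push(base + id.slice(0, i));
  urls.push(base + id + HISTORY_TERMINATOR);
  return urls;
}

// Reading side. `isVisited` is the history oracle. Returns null when no tag is
// found; `maxLen` bounds the walk so a history full of matching prefixes
// (or a hostile site seeding them) cannot keep it probing forever.
function recoverIdFromHistory(base, isVisited, maxLen = 64) {
  let id = '';
  while (id.length <= maxLen) {
    // Check for the terminator first: a prefix that is also a complete ID wins.
    if (id.length > 0 && isVisited(base + id + HISTORY_TERMINATOR)) return id;
    const next = [...HISTORY_ALPHABET].find((ch) => isVisited(base + id + ch));
    if (next === undefined) return null; // no extension visited: not a tag
    id += next;
  }
  return null;
}

// Wrap an oracle to count how many history lookups the walk needed; each
// lookup is a DOM probe in a real page, so this is the cost of the technique.
function countingOracle(visitedSet) {
  const counter = { probes: 0 };
  counter.isVisited = (url) => {
    counter.probes += 1;
    return visitedSet.has(url);
  };
  return counter;
}

module.exports = { historyUrlsForId, recoverIdFromHistory, countingOracle };
```

The cost is bounded by (alphabet size + 1) probes per character, which is why a short alphabet and a short ID matter to the tagger. The caveat for anyone reading this today: the oracle Evercookie relied on was reading the computed style of `:visited` links, and browsers began restricting what scripts can learn from `:visited` styling shortly after this was published, so the recovery half of this vector no longer works in current browsers even though the planting half still leaves the URLs in history.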


HTML5 also seems to have opened up a host of cosy new nooks for cookies to settle into. Yay for tech progress!

The interesting thing is that the whole project is free and open source, so Samy seems to be taking a whitehat approach: publicize the technique so that people can counter it. At the time of writing, the only known counter to Evercookie is Safari in private browsing mode.

Now I don’t know about you, but I can’t quite decide between a ‘Golly-gee-that’s-clever-Batman-geek-out’ and a hyper-ventilating, spluttering panic attack.

How about you?


  • http://www.iraqtimeline.com/maxdesign Black Max

    One question: How do I kill these “evercookies” off?

  • http://stommepoes.nl Stomme poes

    Now I don’t know about you, but I can’t quite decide between a “Golly-gee-that’s-clever-Batman-geek-out” and a hyper-ventilating, spluttering panic attack.

    I’m investing in browser protection services. Every time someone makes a clever way to break into my browser, someone else makes software to prevent it.
    Problem is usually just the lag time between the two.

  • Arkh

    Noscript. Years ahead of those little gimmicks.

    • http://www.optimalworks.net/ Craig Buckler

      That won’t stop server-side or Flash cookies.

      • Arkh

        It’ll stop Flash cookies as unwanted flash elements won’t be launched. Now, I admit you need to use better privacy to clean the LSO you let in.

  • losirus

    This technique could be used for both good and bad.

    Could this be modified to tell humans from bots?

    Imagine a online world where captchas are not needed anymore.

    • http://www.sitepoint.com Alex Walker

      I’m not sure what you mean. Are you saying that you could identify a bot because it won’t respond to evercookie?

  • Dakoon

    Tor Browser on a thumb drive. Problem solved...