In association with heise online

21 October 2010, 17:54

Killing the zombie cookie


The permanent evercookie presented around four weeks ago is apparently easier to kill than previously thought. Samy Kamkar presented the supercookie as a JavaScript API that combines several techniques for storing information on a user's PC, creating a zombie cookie that is hard to get rid of. HTML5 in particular adds a lot of places to store various data in a browser. With such a cookie in place, web servers can more effectively detect whether a visitor has already been to a web page.

But it's apparently possible, with just a few steps, to delete the distributed information stored by the evercookie, although unfortunately there is no practical user interface to do so. For instance, Jeremiah Grossman, a browser security specialist, has published directions on how to erase the information in Google's Chrome browser. Under Windows, any Silverlight and Flash cookies must be deleted along with all Internet data (by selecting Wrench, Tools, Clear Browsing Data).

Dominic White has also published instructions for Firefox. For Safari on Macs, he has even written a short script that deletes the evercookie. However, in his experiments he ran into problems with the mobile version of Safari on the Apple iPhone, where every app uses its own storage for cookies, the cache and HTML5 data.

If the delete function is called for a particular app in Safari, it applies only to that app; the tracks left by the browser in other apps remain unaffected. White has written a script that can delete the evercookie in all installed Web applications, though the process only works on jailbroken iPhones.

