In association with heise online

23 September 2010, 13:45

The zombie cookie


In addition to cookies, modern web sites use a whole variety of storage mechanisms to uniquely identify returning browsers. Techniques include Flash cookies and various HTML5 storage mechanisms. On his home page, Samy Kamkar presents a JavaScript API which combines a number of these mechanisms to create an extremely persistent zombie cookie the developer calls the evercookie.

In addition to well-known mechanisms, evercookie also uses two unusual storage techniques: PNG caching and history caching. In PNG caching, the cookie's ID is stored in a specially created PNG file that some browsers can read out via the HTML canvas element. History caching uses a mechanism called history stealing: when a browser first visits an evercookie site, the site will encode the cookie ID in a URL which is called in the background. This ID can then be reconstructed from the browser's history during subsequent visits.

On his home page, Kamkar gives detailed explanations of all the mechanisms. The home page also allows users to test evercookie. After creating a cookie via "click to create an evercookie", users can try to remove it from their browsers. (Kamkar's cookies are values between 1 and 1,000 which allow the developer to demonstrate his method but don't actually infect users' browsers.)

Many of the mechanisms the developer uses have no corresponding user-friendly delete feature in the browser, which makes it likely that many visitors won't be able to delete all of the cookie parts. The demo returns an exact list of the IDs that have survived the deletion attempts. When a user returns to the page, evercookie reconstructs the cookie from whichever parts are still present in the user's browser and rewrites it into the mechanisms that were cleared. As evercookie also uses browser-independent Flash cookies, it reproduces across all browsers installed on a system.

Released as a version 0.2 beta, evercookie is currently far from being 100% reliable. For instance, it was impossible to create evercookies in a beta version of Internet Explorer 9. In other browsers, it had sporadic problems when reconstructing cookie parts. Nevertheless, evercookie gives users an idea of how web site operators can keep track of their visitors. The only currently available protection appears to be surfing the net in private browsing mode. In this mode, evercookies created for testing in Chrome and Firefox were no longer available after the browsing session was closed.

Kamkar has made the source code of his evercookie available to download as open source. The developer intends to extend it further, for instance to support Silverlight's isolated storage feature.

