Supercookies: Storage DOM objects - shared Flash objects

perixx
Posts: 92
Joined: Sun 21 Jan 2007, 09:34

#1 Post by perixx »

@ richard.a: I didn't want to pass over the other forum readers, so I started a new topic - for this might be interesting to many users.
I wondered why so many people are worried about cookies and aren't aware of potentially by far more compromising techniques - 'Supercookies'.
I found that even information on local shared objects (Flash LSOs) is scarce, and it was really awfully hard to find out anything about storage DOM objects - maybe I was looking in the wrong places?

Very few people seem to be aware of the DOM objects, apart from web developers, of course. Otherwise, it's not so surprising if you count in that those have first been introduced with Firefox 2.0...


Anyway - Bingo! :D

After hours and hours of digging the web without any results, I finally found out a few hard facts about 'DOM objects'!

According to Firefoxwiki, they are client-based accumulations of data that are handled like cookies with the exception that servers mustn't read their contents and they do have a much wider range of functions. Hm. There are two types of DOM objects in the new storage system that's been introduced with Firefox 2.0:

a) 'sessionStorage' - gathers data of multiple websites that are opened in the same window. Lifetime: session.

b) 'globalStorage' - stores data on 'domain level' for prolonged time, until deleted (or maybe expired).

Generally, DOM objects are stored like cookies (but not accessed similarly) and are handled like cookies in the respective preferences submenu: 'block, session or all' - and deleted via the cookie manager.
They can 'only be accessed via Javascript' (which renders them far from being 'bullet proof' in my opinion), but 'mustn't be accessed directly by the server'.
Well. I'm no programmer and maybe cannot judge this, but this sounds like a contradiction to me.

I doubt very much that, if Javascript is enabled (and it has to be to place and make use of the DOM storage objects), there's no way of manipulating or reading the data contained there. Even worse, I read that the storage space for these 'Supercookies' is virtually unlimited. Sounds pretty neat to me :P


Conclusion: If you surf with Javascript disabled, then you should be fine. But honestly, you simply cannot visit many useful and important sites without it. So, completely disabling cookies SHOULD keep the pesky DOM objects off your HD - but who really knows. You SHOULD be able to delete any stored DOM objects by simply removing all cookies.

Alternatively, disable the storage of any DOM objects with the entry 'dom.storage.enabled:false' in the 'about:config' settings, accessible via the browser's address bar.

Other nice options I found:
+ 'dom.disable_open_during_load:true' - this prevents DOM objects from overriding the popup blocker settings.
+ 'dom.event.contextmenu.enabled:false' - switches off the context menu lock that some websites use.

AFAIK you don't use Firefox 2.0. Lucky you, if it's really true that there's no DOM storage in lower versions - I don't know of Mozilla, Seamonkey and K-Meleon, though. In the long run you'll need to switch to a Seamonkey or a Firefox version that supports the storage of DOM objects anyway though, for FF1.5 will be abandoned soon. No more security updates.


Of course you'll still be 'vulnerable' to the Flash LSO's (especially while not having switched off Flash via Prefbar or similarly). Macromedia's Local shared objects can store up to 100kB on your HD by default and even more, if respective values are set via the 'settings' context menu of Flash animations. Unfortunately, the settings will fall back every time a new Flash object is processed; otherwise you could simply set the storage space to zero and leave it that way.

Again: If you want to dispose of any LSO's already on your machine, delete anything in the folder
~/.macromedia/Macromedia/Flash Player/#Shared Objects

Also, search along the path down
~/.macromedia/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys

and delete all files in that folder as well - this should rid you of the annoying 'Flash supercookies'.

Remember that you may have to repeat this procedure every time you've watched a Flash animation or didn't opt out 'Flash' via Prefbar button and a website has placed LSO's in these folders (I believe that sometimes there are objects being stored also even if one isn't particularly watching Flash animations).

The Addon 'Objection 0.2' might do the same, but only works for Firefox (-1.x) AFAIK. I don't know if it deletes all LSO's in the folders I mentioned or if it works differently, though. To be completely safe from Flash objects, you'd have to opt out 'Flash' with the Prefbar permanently.

By the way, I got really unnerving 'download Macromedia Flash Player' nags all the time, once I disabled Flash.
Solution - open 'about:config' in the browser and search for

'plugin.default_plugin_disabled:true' or create the entry (type Boolean).



Well, that's all I suppose -- should anybody have some additional info, I'd be glad to know ;-]

perixx

valpy
Posts: 67
Joined: Wed 18 Apr 2007, 20:38
Location: Looking at the tapestry

#2 Post by valpy »

Hi perixx

Thanks for this, it's good to know how to get rid of Flash 'supercookies'.

I thought it would be useful to have a script to do this, rather than having to delete
the files and directories manually.

This is what I did:

1. Create a text file clear_Flash_supercookies in /root/my-applications/bin using geany.
2. Paste the following code into the empty file and save

Code:

#!/bin/sh
# script to remove Flash 9 'supercookies' as described in
# http://www.murga-linux.com/puppy/viewtopic.php?t=17734
#
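clear_directory (){
	# this function checks the given directory exists, and if so clears it out
	# (the path is quoted, and rm only runs if cd succeeded, so a failed cd
	# can never delete files in whatever directory the script started in)
	if [ -d "$1" ]
	then
	    cd "$1" && rm -R ./*
	fi
}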
#
clear_directory '/root/.macromedia/Flash_Player/#SharedObjects'
clear_directory '/root/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys'

3. In Rox, right-click on the clear_Flash_supercookies file, and choose Permissions in the menu.
Use the dialog to make the file executable (a+x).

4. Now drag the icon for the clear_Flash_supercookies file to the desktop. This creates a shortcut
on the desktop that you can run by clicking it - when you do, it will clear out
the Flash directories.

This works for me on Puppy 2.13 and also Puppy 2.15CE. I haven't tried it in other versions.

(perixx, your note above refers to a "#Shared Objects" directory - on my 2.13 and 2.15
I found a "#SharedObjects" directory instead, and the script refers to that instead).

Hope this is of use!
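
An audit-then-clear variant of the cleanup described in this post, added here as an example and not part of valpy's script: it reports which sites have stored .sol files before emptying the two directories. The function names, the per-site directory layout and the sample tree are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (not stated in the posts):
#   <base>/#SharedObjects/<random id>/<site>/.../<name>.sol

# Print "<site> <number of .sol files>" for every site that stored LSOs.
list_lso_sites() {
    [ -d "$1/#SharedObjects" ] || return 0
    (cd "$1/#SharedObjects" && find . -type f -name '*.sol') |
        awk -F/ 'NF >= 4 { n[$3]++ } END { for (s in n) print s, n[s] }' |
        LC_ALL=C sort
}

# Empty DIR (hidden entries included) but keep DIR itself. Does nothing if
# DIR is missing or is a symlink placed where the directory should be.
clear_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# Report what is stored, then clear both directories named in the thread.
clear_flash_supercookies() {
    list_lso_sites "$1"
    clear_dir "$1/#SharedObjects"
    clear_dir "$1/macromedia.com/support/flashplayer/sys"
}

# Constructed sample tree (made-up sites and id) for trying the functions.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    so="$t/#SharedObjects/AB12CD34"
    sys="$t/macromedia.com/support/flashplayer/sys"
    mkdir -p "$so/example.com/player" "$so/tracker.example.net" "$sys/#example.com"
    : > "$so/example.com/player/prefs.sol"
    : > "$so/example.com/id.sol"
    : > "$so/tracker.example.net/uid.sol"
    : > "$sys/#example.com/settings.sol"
    printf '%s\n' "$t"
}

# Usage: sh this_script /root/.macromedia/Flash_Player
if [ -n "${1:-}" ]; then clear_flash_supercookies "$1"; fi
```

Run against a copy first: the site list is printed before anything is deleted, so it doubles as a record of which sites had left objects behind.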

perixx
Posts: 92
Joined: Sun 21 Jan 2007, 09:34

#3 Post by perixx »

Great, valpy!

I'll try out this solution soon..! If I'm not mistaken, it's pretty much like what objection did on Firefox 1.2, but without blocking Flash objects.

If you could pack this into a .xpi extension like 'Noscript' or 'Prefbar' - what more could one desire? Ok, maybe filter rules like for cookies, but that's really a neat little helper you set up there!

greetz

perixx

perixx
Posts: 92
Joined: Sun 21 Jan 2007, 09:34

#4 Post by perixx »

Does somebody know where exactly in the .Mozilla folder DOM objects are being stored? In a certain file, maybe in localstore.rdf?
Anybody heard if Seamonkey is also capable of storing DOM objects by now?

perixx
