back to article Über-zombie cookies give us the fear

Privacy activists got hot under the collar about the use of flash cookies to respawn traditional website cookies* but an even more persistent type of cookie that's almost impossible to kill off may lie just around the corner. So-called in invulnerable evercookies use eight different techniques and locations to hide on tagged …


This topic is closed for new posts.
  1. Naughtyhorse

    what a great idea

    1/2 cookie, 1/2 rootkit :-D


  2. Whitter

    Bar room lawyers assemble!

    Surely an attempt to use any such cookie would be illegal in a whole raft of countries...?

  3. SuperTim

    in other news....

    You can purchase for a small monthly fee, a evercookie remover!

    Please send monies to Mr L. Agos, Nigeria Street, Your town.

  4. Colin Millar
    Thumb Down

    Yawn at the clever script kiddie

    They will still be as easy to block as Flash cookies - just a few more locations to find is all

  5. Cameron Colley

    Does this work when I erase my session on exit?

    As far as Firefox tells me every cookie and cached object is removed when I close Firefox (Including Flash cookies but only with an add-on).

    So: are Mozilla lying to me, will this not work on my machine, or do I have to wait for a Firefox "Special HTML5 new persistent data" edition?

    1. Dan 55 Silver badge


      The cookie privacy options do the same thing for DOM Storage data in Firefox. Flash cookies can be deleted with BetterPrivacy. Web history can be set to be deleted on exit you like.

      Although I must admit I don't know about the undead PNGs.

  6. Colossus

    Solutions are Straightforward

    This has been around for years. In Linux, one straightforward solution is to create a small temporary filesystem for flash related storage, the contents of which won't survive a re-boot.

    Some good solutions (including the above) are explained in this thread:

    1. Colin Millar

      another solution

      Find out where it likes to store the cookies and remove write permissions from the folder - then the cookies can't set in the first place - works for any OS where you can fiddle with permissions

      1. An_Old_Dog Bronze badge

        fighting Flash cookies via file permissions doesn't work, as Flash seems to gain root privs

        I've done some experiments, at a root bash prompt, setting file permissions on "settings.sol" (the Flash "master cookie").

        When I run Flash as a normal user, the Flash changes the file permissions back to what it wants them to be. It appears Flash is somehow gaining root privileges (or convincing a root-privileges program to do the dirty work on Flash's behalf). This is unsettling from a security perspective.

        I have more VMs to build and more experiments to do... :-(

      2. Colossus

        Not So Fast ...

        Some applications/plugins cease to work properly if you remove write permissions, hence the temporary filesystem method.

  7. JaitcH

    There must be a hack for these, any day soon

    In reality these are detrimental to the adoption of HTML 5.

    It's bad enough having to clear out Flash cookies. Maybe the Washington politicians could pass a bill ...

  8. NB

    kill it with fire

    then nuke it from obit, it's the only way to be sure.

  9. heyrick Silver badge


    How likely is this to affect a user who usually only goes to specific sites (BBC, Amazon, here) and blocks third-party sites by default?

    Surely this sort of nonsense is the playground of ad-trackers and dodgy sites? Is it worth the risk of exposure for a more serious site? Just... to track which user is which? Seems like a hell of a bother for little in return.

    1. Anonymous Coward
      Anonymous Coward

      Omniture & the BBC

      You might be interested in this article:

      Then there's the facebook button that the BBC were using for a time that included all sorts of facebook scripts.

      Just because it's an institution that you think you can trust doesn't guarantee that they will act in a trustworthy way.

      1. Anonymous Coward
        Anonymous Coward

        The Beeb...

        ...don't act that way because they are untrustworthy. They act that way because they are incompetent.

  10. Stevie


    I propose we call these cookies that never go stale "Twinkies".

    1. K. Adams


      Here's a pint for giving me the best one-liner laugh I've had in a while...


  11. Sergie Kaponitovicz
    Thumb Up


    What's going on? 10/10 intelligent replies? I agree with all of the foregoing. How boring.

  12. Anonymous Coward
    Anonymous Coward

    javascript - just say no

    from the little w*****s website: "evercookie is a javascript API"

    1. copsewood
      Big Brother

      Not very practical

      There simply are too many sites that won't work without it. If you really feel that blocking untrusted Javascript will help, then use the Firefox NoScript plugin. You'll then get to decide which site's Javascript you really want to run by denying access to the rest. But if you visit more than a few sites you'll then have many decisions to make. I tried this, got fed up and found that most of the really bad and unwelcome stuff seems to be blocked by Adblocker plus which takes a few moments to setup and then just does its job.

  13. The Nameless Mist
    Paris Hilton

    My PC .. Your Files .. My Invoice

    To company responsible for placing a cookie on my PC that reconstructs itself in multiple locations following an attempted deletion.

    This constitutes an abuse of my computer equipment.

    You are using my disk space and my processor time.

    Please find attached an invoice to cover the disk and processor usage.

    Plus my time billed in 30 minute intervals while I remove it from my computer.

    {Paris - because she doesn't eat cookies}

  14. Anonymous Coward
    Anonymous Coward

    What about "In-private browsing" in IE

    Would that work?

    To paraphrase NB above

    Is it too late to burn this developer, and then nuke them from orbit, as a lesson to others?

    1. An_Old_Dog Bronze badge

      Nuke them from orbit...

      Yeah, nuke them from orbit. It's the only way to be sure.

  15. Henry Wertz 1 Gold badge

    RGB? Nasty

    "Does this work when I erase my session on exit?"

    Well, if you clear your cache as well. The method of storing some image and checking RGB value is particularly nasty (I'm not sure if it's truly HTML5 specific, I think current HTML and Javascript could do this). But if the cache was cleared there'd be no cached image to check the RGB value of.

    Really, though, would anyone REALLY go to this much trouble to circumvent people's wishes regarding cookies? They'll get caught for sure, and it'll be ugly for them.

  16. vincent himpe

    can someone code

    a browser that does not write anything to a physical harddisk but uses a ramdrive ? ( remember ramdrives under dos ? )

    Wwhen the browsing session ends : unmount the ramdrive. Game Over.

    it should be easy to create a ramdrive under windows and move the temporary file folder to that volume.

    1. Anonymous Coward

      They already did it !

      Use a LiveCD

  17. Anonymous Coward
    Anonymous Coward

    This guy ...

    I did him the courtesy of visiting his website, and he clearly thinks he's a very, very clever boy.

    Sadly the type who will end up doing evil for some megacorp for half what he's worth.

  18. Nathan 13
    Thumb Down


    This sort of tracking/spying will also be of interest to online gaming, pokerrooms, casinos, sportsbooks etc to stop collusion and multiple account fraud.

    Im sure either Firefox will allow these to be blocked by default, or the better privacy extension will be on the case if not.

  19. This post has been deleted by its author

  20. publius

    Tell me again ...

    why I need/want flash?

  21. Charlie Clark Silver badge


    Fails on Opera in privacy mode even without a restart.

  22. Anonymous Coward
    Anonymous Coward

    Doesn't work...

    Sandboxie based browsing (currently via Iron) doesn't allow them to be persistent.

    Browse to site, set cookie, verify existence, close browser, clear sandbox, browse to site, no cookie.....

  23. A handle is required
    Thumb Down

    Next development in EverCookie technology:

    Evercookie Killer

  24. K. Adams
    Big Brother

    Break this, break that

    A cursory examination of the code seems to indicate that disabling many (almost all?) of the browser features that Evercookie uses to store its persistent data would have the side-effect of breaking basic interfaces that would be necessary for the proper functioning of most modern web sites (especially AJAX/Web2.0 pages).

    The use of CSS to embed the cookie into your history cache (line 580 and sundry, evercookie.js) -- if I'm interpreting things correctly -- is both ingenious and disturbing. Storing your browser history as data linked to a custom CSS attribute (line 785 and there-abouts, evercookie.js) is just as twisted.

    Looks like the dev's got all the bases covered.

    No doubt about it, this code is EVIL.

    Big Brother, indeed...

    1. Andraž 'ruskie' Levstik

      Can someone explain

      How this is supposed to work when there is no browsing history??? Seriously? I never have cookies on by default, don't have a disk cache(only memory cache), never have browsing history. What other way can they actually track?

  25. Anonymous Coward
    Anonymous Coward


    1) Mods - any reason why my last few posts on various topics haven't been posted?

    2) The original post :

    Sandboxie prevents this - it logs all files written to, and removes them on emptying the sandbox after the browser closes. This will also highlight which files are changed/written, and thus enable removal (albeit the cache images may be hard to individually go after)

  26. Anonymous Coward
    Anonymous Coward

    The article is FUD - evercookie is easy to defeat

    A combination of FlashBlock and perhaps RequestPolicy, combined with caching set to 0 and a block on the ever cookie creator domain results in no ever cookies being successfully set on FF 3.6.10 on RHEL 5.4 I assume the same is the case for FF on any OS.

    If I don't block the domain cookie creation then just a standard cookie is created.

  27. SilverWave

    Easy Solution #1

    rm -r /home/silverwav/.macromedia

  28. PReDiToR

    VMs might be a little overkill

    So you have a /home/<user>/bin/<browser> that contains a script to delete /home/<user2> then copy /etc/skel to /home/<user2> and then su - <user2>; run <browser> and then at the end of the script rm -r /home/<user2>.

    Nothing gets by that unless it can root your box. If that happens you have more problems than just cookies ...

  29. Adrian Esdaile

    Undeletable cookies?

    cd /

    su rm *

    Problem solved.

  30. Anonymous Coward

    I will not lose any sleep on that

    because I have several weapons to respond :

    - Running the browser from a virtual machine that can be roll-backed

    - Running the browser from a LiveCD

    - good old text browser (yep, I'm old enough to know about its existence !)

    So let them come with their cookies, I'm fully prepared.

  31. Anonymous Coward
    Anonymous Coward


    "The concept echoes Lord Voldemort hiding fragments of his soul in horcruxes in the Harry Potter books."

    Well thank you for clearing that up but I'm still not sure I understand, can we have a Goosebumps analogy too?

  32. Anonymous Coward

    The good news

    The good news is that with cookies there will always be a traceable path back to whoever planted it there. So it looks like we've finally discovered a good use for lawyers.

  33. Pandy06269


    I hope his coding is better than his website design - paragraphs of text in Courier New? Ugh.

  34. Anonymous Coward

    Sorry, This Is Bull....

    I am using firefox on a Ubuntu Linux machine. No mods whatsoever. No Flash.

    I go to

    and let him set his cookie. Then I close his page, hit CTRL-SHIFT-DEL and go again to

    No cookie there whatsoever. Which is totally reasonable, as I configured FF to really delete all the crap - cookies, history, cache. Only my bookmarks survive.

    No, Mr Smartguy, try to hack up something better, like

    -sucking my Bookmarks (is it possible at all ?)

    -fingerprinting by all means possible, including the IP address, DNS name and all the crap transmitted in the browser capability string.


  35. Anonymous Coward

    Defeating Browser Fingerprinting

    One way to re-assign cookies is to use the browser capability string ("user-agent string") as a fingerprint. Here's a FF plugin to make your browser look a bit different (say like the Baidu search engine):

    If you need capability strings, use these:

    cat /var/log/apache2/access.log|cut -d " " -f12,13,14,15,16,17,18,19,20,21,22,23,24,25,26|sort|uniq


    "-" "-"




    "Huaweisymantecspider (compatible; MSIE 8.0;"

    "Morfeus Fucking Scanner"

    "Mozilla/3.0 (compatible; WebCapture 2.0; Auto; Windows)"

    "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

    "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; Creative)"

    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET

    "Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)"

    "Mozilla/5.0 (compatible; Googlebot/2.1; +"

    "Mozilla/5.0 (compatible; Yahoo! Slurp;"

    "Mozilla/5.0 (compatible; YandexBot/3.0; +"

    "Mozilla/5.0 (compatible; YandexBot/3.0; MirrorDetector; +"

    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10"

    "Mozilla/5.0 (Windows; U; Windows NT 6.1; en_US; rv: Gecko/20100315 Firefox/3.5.9"

    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100908 Firefox/3.6.9"

    "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3"

    "msnbot/2.0b (+"

    "Wget/1.9+cvs-stable (Red Hat modified)"

    And if you really want to be untraceable, use The Onion Router ( The bastards will soon use all the entropy they can harvest out of DSL addresses. They often come from a very small pool.

This topic is closed for new posts.

Other stories you might like

Biting the hand that feeds IT © 1998–2022