It has become increasingly difficult to use the web without some kind of
Flash player, but a little-known "feature" of Flash is causing some privacy
concerns. In some ways, Local Shared
Objects (LSOs aka Flash cookies) are similar to browser cookies, but
there are a number of significant differences as well.
In addition, because the dominant Flash player is closed-source, one must
depend on Adobe's ability to faithfully implement the security model. In
all, Flash cookies are something that web users should be cognizant of.
At its core, an LSO is a chunk of data that is stored on a user's disk
based on the domain that the Flash program was downloaded from. Only Flash
programs from that domain should have access to the data and, unlike
browser cookies, much more data can be stored. By default, 100K bytes can
be used per domain, which is a sizable increase from the 4K available for
browser cookies. The amount of storage for a Flash cookie can be increased
with the assent of the user, or decreased via the management interface.
Another major difference from the now-familiar browser cookies is that the
interface for managing them is less-than-obvious. From a given Flash
application, there is a "Settings" menu that allows control of the LSOs
from that site. To see the sites that have stored Flash cookies or to have
more global control over them, one must visit Adobe's site.
There are also third-party applications and browser add-ons that will allow
more control. A user can also resort to the ultimate control—removing
them from the filesystem (~/.macromedia/Flash_Player/#SharedObjects).
There are many benign things that a Flash application might do with a bit
of local storage—caching data, storing preferences, etc.—but
they can also be used to track users in much the same way that browser
cookies are used. Because Flash cookies are less well-known, and harder to
manage, though, they may be more effective because they are removed or
restricted less often.
Another important thing to note is that there is no requirement that there
be a visible Flash application on the web site. A site could embed a Flash
application with no visible elements simply to store a cookie. Unless the
user has a browser add-on like NoScript,
they will get no indication that anything has happened.
Assuming that there aren't any holes in Adobe's implementation of the Flash
security model, Flash cookies aren't much different—or more
dangerous—than browser cookies. But that assumption is a bit
worrisome. For Firefox or other free software browsers, the code can be
inspected to verify correct behavior. Either Flash or Firefox could have
that allowed cross-site cookie access (which would be a rather nasty
information disclosure vulnerability), but for Flash, we can only take
Privacy advocates have been successful in getting the idea of deleting
into the consciousness of concerned users, but Flash cookies seem to have
flown below the radar. A recent blog
posting that was widely reported has helped to raise the profile of
Flash cookies so that users will, hopefully, know that they exist. Those
with a desire to strictly control their privacy will be better able to do
luck, it may also lead Adobe to provide an easier and more visible
interface to manage them
to post comments)