It’s the middle of the night, and there is the faint sound of breaking glass from downstairs. The other half, with a sharper than possible elbow, nudges you – “Did you hear that ?” she hisses – “Go have a look.” Snatching for protection the first item that comes to hand, which turns out to be a bound copy of the latest Wikileaks archive¹, you edge down the stairs. As you head towards the kitchen, you hear the moans and groans of the undead – there, in the middle of the tiled floor, emerging from a box you thought that you’d thrown out three years ago, crawling, mouldy crumb by decayed choc-chip, are … ZOMBIECOOKIES !
Ok, I’m sorry, I really am. But the image was in my head since I read the term, and I had to either get it out or wake up in a cold sweat tonight. They have nothing to do with actual baked goods, thank goodness, but are about cookies ( those data holding things that websites insert into your browser ) that are a lot more persistent than is good for us – they just won’t die. There is currently a letter going through the US Federal Trade Commission regarding them, and their legality, and they have also been the subject of a number of lawsuits – the argument being that they raise privacy concerns as it isn’t possible for users to have full control over their personal data.
I’ve not made an extensive study as of yet, but following through the usual suspects ( The Register, Wikipedia, etc. ) eventually led me to the Evercookie. Like a real zombie, Evercookie isn’t quite immortal (for useful hints and tips on killing real zombies, I’d suggest “Shaun of the Dead”) – but it really is persistent enough to be a pain for the average user. It’s quite an interesting exhibition of resilience that I wish a lot of my other data could follow – Evercookie will replicate itself to various locations, and will rewrite other locations that are cleaned the next time that the browser hits the cookie code. The locations listed are⁴:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
Clearly this is devious and underhand: it means that unless your cookie cleaner knows all of these storage locations, you aren’t going to get rid of it…
… on the other hand, from a forensic point of view, this could show that a cookie cleaner has been used – if there is a Zombiecookie present, but only in the less obvious places – there is a reasonable conclusion to be drawn that some, but not all, storage areas have been cleaned – you could also infer the time that such a cleaner was run ( after the date of some of the storage ) and that the user hasn’t returned to the source site since the cleaner was run.
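The forensic reasoning above can be written down as a small triage routine. This is an added example, not code from the original post or from Evercookie; the store labels, the `assess_cleaning` function and the sample timestamps are constructed for illustration. The `supported` parameter is an added assumption: it covers stores a given browser could never have held (no Silverlight plugin, not Internet Explorer), so that their absence is not read as cleaning.

```python
from datetime import datetime

# The thirteen storage locations from the list above; the short labels are this example's own.
STORES = ("http_cookie", "flash_lso", "silverlight", "png_cache", "web_history",
          "etag", "web_cache", "window_name", "ie_userdata", "session_storage",
          "local_storage", "global_storage", "sqlite_db")

def assess_cleaning(found, examined_at, supported=STORES):
    """found maps store label -> last-write time of the identifier recovered there.
    supported lists the stores this browser/plugin set could hold at all, so a
    store that never existed is not mistaken for one that was cleaned."""
    unknown = (set(found) | set(supported)) - set(STORES)
    if unknown:
        raise ValueError(f"unknown store labels: {sorted(unknown)}")
    present = sorted(s for s in found if s in supported)
    missing = sorted(s for s in supported if s not in found)
    if not present:
        return {"verdict": "no_artifact", "present": [], "missing": missing}
    if not missing:
        # Every copy is there: never cleaned, or the site was revisited and
        # the copies rewritten. The stores alone cannot tell these apart.
        return {"verdict": "intact", "present": present, "missing": []}
    newest = max(found[s] for s in present)
    return {
        "verdict": "partially_cleaned",
        "present": present,
        "missing": missing,
        # The cleaner ran after the newest surviving copy was written ...
        "cleaned_after": newest,
        # ... and before the examination, with no return visit in between.
        "cleaned_before": examined_at,
    }

# Constructed sample: a profile where only the less obvious stores survive.
SAMPLE_FOUND = {
    "png_cache": datetime(2010, 11, 2, 21, 14),
    "etag": datetime(2010, 11, 2, 21, 14),
    "flash_lso": datetime(2010, 11, 2, 21, 15),
}
SAMPLE_SUPPORTED = [s for s in STORES if s not in ("silverlight", "ie_userdata")]
SAMPLE_EXAMINED = datetime(2010, 12, 1, 9, 0)

if __name__ == "__main__":
    report = assess_cleaning(SAMPLE_FOUND, SAMPLE_EXAMINED, SAMPLE_SUPPORTED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The window it reports is only as good as the timestamps recovered from each store, and an "intact" result does not prove that no cleaner was ever run.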
As the EU is tightening up on cookies, these “supercookies” should be few and far between in legitimate European business – but then, as the internet is the new “Wild West”, I don’t think that we’ll be seeing the back of such tactics any time soon, and I’m sure, despite best efforts to prevent such things, that new and interesting variations will be forthcoming. If you do know of other methods for persistent cookies that could be shared, please do let me know !
1. Which, let’s face it, is more likely to bore an intruder to death before you thump them with it …²
2. I’d also like to clarify, that, as a signatory of the Official Secrets Act, I have not, nor would I, ever look at the Wikileaks documents that are protectively marked and I have no need to know.³
3. And that has nothing to do with the fact that they are phenomenally dull !
4. Table shamelessly stolen from http://samy.pl/evercookie/