Wednesday, October 13, 2010

Killing the Evercookie (Google Chrome w/o Restart)

This post inspired by Dominic White's attempt at killing Samy Kamar's evercookie demo. As described:

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.


Yes, plain evil. Samy research highlights a crucial aspect of privacy protection available in modern Web browsers -- and how difficult it can be for the average user to maintain. Dominic's solution for the Safari browser apparently requires a reset & restart of the browser and a bash script. I decided to try and find a way to do the same for Google Chrome, but without an annoying browser restart and using only the GUI. Below is my process that appears to work against Samy's current version.



Set-Up
Go to Samy's evercookie demo
- Click "Click to create an ever cookie" * not down the number

Evercookie Removal
1) Open a new tab, then close all other windows and tabs.

2) Delete Silverlight Isolated Storage

Go to http://www.silverlight.net/
Right click the Silverlight application (any app will do)
Silverlight Preferences > Application Storage > Delete all...
Click "Yes"

* Optionally disable "Enable application storage"

3) Delete Flash Local Shared Objects (LSO)

Go got the Flash "Website Storage Settings panel"
Click "Delete all sites"
Click "Confirm"

4) Clear Browsing Data

- Wrench > Tools > Clear Browsing Data...
- Select all options
- Clear data from this period: Everything
- Click "Clear Browsing data"


Testing
Go back to Samy's evercookie demo
- Click "Click to rediscover cookies WITHOUT reactivating deleted cookies"
- The process was successful is all mechanisms return "undefined"

17 comments:

Blaufish said...

Now, lets teach users this :-)

Jeremiah Grossman said...

By @Monirul Islam

Well, in Firefox 3.6 it is also possible to remove the evercookie without browser restart. Here are the steps:

1. In the 1st tab, open three blank tabs. Go to Samy's evercookie demo page. Click on "Click to create an ever cookie". Make sure evercookie is stored in every places except 'userData' storage (it's for IE). If needed click on 'click to rediscover cookies' several times.

2. Close the first (samy's) tab.

3. In 2nd tab, open http://www.silverlight.net/ and delete Silverlight Isolated Storage

4. In 3rd tab, open Flash "Website Storage Settings panel" page and remove Flash Local Shared Objects (LSO)

5. Press Ctrl+Shift+Del (alternatively go to Tools > Clear Recent History). Select 'Everything' from the 'Time range to clear' dropdown and check every items from the 'Details' list and finally click on 'Clear Now' button.

6. Now go to samy's page again and verify that the everycookie is removed completely.

Here the sequence of the steps are very important.

Anonymous said...

How can you do this on Chromium on Ubuntu? I don't have silverlight installed.

Anonymous said...

Hi Jeremiah,

Will the chrome evercookie removal process also apply to Iron browser(portable as well)?

And what about Opera browser?How to get rid of evercookies from this one?

Regards

sewa mobil jakarta said...

Nice article, thanks for the information.

Jeremiah Grossman said...

@Anonymous: If you do not have Silverlight installed then you can't have its form of cookies. So you can safely skip that step. The rest of the process should apply, but testing yourself is highly recommended.

@Anonymous: I've not tried Iron Browser at all, so I'm unable to say. But I suspect the process should work as well.

Anonymous said...

please help, I can't figure out how to do this right -- I'm trying to get rid of them in Firefox 3.6.12, I don't know anything about Silverlight, if I have it or not or how to find out if I do, but I did the other steps, and I still can't get rid of those cookies

Ely Pelowski said...

Nice demonstration. Thank you. Now I will go clean my computer ;)

Anonymous said...

I tried doing this removal process but I receive this:

pngData mechanism: undefined
etagData mechanism:
cacheData mechanism:
userData mechanism: undefined
cookieData mechanism: undefined
localData mechanism: null
globalData mechanism: undefined
sessionData mechanism: 8
windowData mechanism: 8
historyData mechanism: undefined
lsoData mechanism: 8
slData mechanism: 8

any suggestions?

Jeremiah Grossman said...

@Anonymous: What browser?

Doesn't appear that you are removing the Silverlight Isolated Storage or the Flash LSOs. Also perhaps not closing all Windows either. You must follow the instructions precisely or it won't work.

Anonymous said...

Nevermind about the last comment. I had to close and reopen sammy kamar's site after the removal process and then I clicked rediscover cookies WITHOUT reactivating deleted cookies

Thanks great post!

Anonymous said...

Thanks Jeremiah Grossman for the quick reply I was using Google Chrome it appears I was not closing samy's evercookie site after performing the removal processes.
It works fine now

Really Great and informative information.

Jeremiah Grossman said...

@Anonymous: You are very welcome. Glad it helped out. Just goes to show how difficult it really is to effectively delete all forms of tracking cookies.

Anonymous said...

when deleting the application storage does it only remove the:
lsoData mechanism ?
Or other mechanisms as well?

In what step are all the client side storage remove? Is the removed when clearing history at the end?

Sewa Mobil said...

A pretty good article, could provide a new information to me. Glad to find a blog like this. Thank You

Andrew Z said...

Here's how to delete evercookies from all browsers in one step using BleachBit

bleachbit --clean firefox.* google_chrome.* flash.*

Or use the BleachBit graphical interface.

(Other browsers, such as Safari, can be added here.)

Andrew Z said...

If that is too many steps for you, here is a simple way to delete evercookies from all browsers using BleachBit

(from the command line)
bleachbit --clean firefox.* google_chrome.* flash.*

Or use the BleachBit graphical interface.