evercookie - go ahead, be evil.

virtually irrevocable persistent cookies

evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Specifically, when creating a new cookie, it uses the following storage mechanisms when available:

  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in and reading out Web History
  • Storing cookies in HTTP ETags
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite
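
The recreation behaviour described above can be spotted by snapshotting storage before clearing, after clearing, and after the next visit. The following is an added example, not code from evercookie or from this post; the store names, the findRespawned function, and the sample values are all assumptions made for illustration.

```javascript
// Added example: flag values that "respawn" in a store the user cleared.
// A snapshot maps store name -> { key: value }, as a test harness might collect
// from document.cookie, localStorage and sessionStorage (store names assumed).
function findRespawned(beforeClear, afterClear, afterRevisit, minLen = 6) {
  const values = (snap, store) => new Set(Object.values(snap[store] || {}));
  const findings = [];
  for (const store of Object.keys(beforeClear)) {
    const cleared = values(afterClear, store);
    const back = values(afterRevisit, store);
    for (const v of values(beforeClear, store)) {
      if (v.length < minLen) continue;               // too short to be an identifier
      if (cleared.has(v) || !back.has(v)) continue;  // never removed, or did not return
      // A copy that survived in another store is the likely source of the restore.
      // An empty list points at a store the snapshot cannot see (ETag, cached PNG).
      const survivedIn = Object.keys(afterClear).filter(
        (s) => s !== store && values(afterClear, s).has(v));
      findings.push({ value: v, respawnedIn: store, survivedIn });
    }
  }
  return findings;
}

// Constructed sample data: the user clears HTTP cookies and session storage,
// local storage is left behind, then the site is visited again.
const beforeClear = {
  httpCookie: { uid: "a1b2c3d4e5", theme: "dark-mode" },
  localStorage: { uid: "a1b2c3d4e5" },
  sessionStorage: { uid: "a1b2c3d4e5" },
};
const afterClear = {
  httpCookie: {},
  localStorage: { uid: "a1b2c3d4e5" },
  sessionStorage: {},
};
const afterRevisit = {
  httpCookie: { uid: "a1b2c3d4e5", theme: "light-mode" },
  localStorage: { uid: "a1b2c3d4e5" },
  sessionStorage: { uid: "a1b2c3d4e5" },
};

for (const f of findRespawned(beforeClear, afterClear, afterRevisit)) {
  const source = f.survivedIn.join(", ") || "unknown store";
  console.log(`${f.value} respawned in ${f.respawnedIn} from ${source}`);
}
```

A value that changes across the revisit (the theme entry here) is treated as a fresh setting and is not flagged.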

Previously, previously.


15 Responses:

  1. pvck says:

    Oooh, the RGB cookies are particularly nasty.

  2. abates says:

    *slides over to the "disable javascript" setting*

  3. lovingboth says:

    I admire its purity. A survivor... unclouded by conscience, remorse, or delusions of morality.

  4. harper_knight says:

    That's what NoScript is for, right?

    Otherwise, I suppose one could store all your bookmarks online and just delete and re-install browsers every time you close down and restart. That might work.

    • nightskywarlock says:

      Second NoScript. Shit like this is why I won't move to Chrome.

      • jmtd says:

        Funny that, since noscript doesn't defend against these, but chrome's incognito mode does.

        • shandrew says:

          Chrome's incognito mode does nothing about Flash cookies.

          • jmtd says:

            I can't explain my findings, then, when the evercookie page failed to carry a persistent value across incognito sessions. I have flash installed.

            • shandrew says:

              Ah..you're right! Adobe apparently updated Flash to work with incognito mode a couple months ago, in Flash 10.1.

  5. gargargar says:

    I want off the Web now, please.

  6. zanfur says:

    Just tried their test with my standard firefox settings of no cookies, and with NoScript enabled. No cookie was stored. I even enabled javascript for the site...still no cookies stored.

  7. taskboy3000 says:

    I suppose I'll dissent here. I don't care about cookie tracking at all. There are bigger issues of privacy that are more worrisome to me.

    There is always lynx for the paranoid.

  8. freiheit says:

    Could probably partially defeat the Private Browsing/Incognito modes of Safari/Chrome if you combined this with a local database where you recorded IPs and browser signatures... You should assume that the "bad guys" have already been doing all this stuff for a while now. If you still want to believe in privacy you're going to have to use lynx proxied through the Tor network and convince everybody else on the planet to do the same...

    Privacy is so last millennium.

  9. ext_273244 says:

    If Flash is enabled and LSOs are not cleaned, evercookie tracks between browsers, which is a clever trick. Likewise, evercookie can track visits between different domains in the same browser.

    BleachBit 0.8.1 deletes evercookie tracking.