On Tue, 15 Sep 2009 00:40:10 +0100, Imri Goldberg <[email protected]> wrote:

> It seems this was some kind of a 'known secret', but firefox' privacy mode
> isn't private. Apparently, websites[1] can use flash to store
> 'Local-Shared-Objects' (LSOs, see
> http://en.wikipedia.org/wiki/Local_Shared_Object ), which are basically
> cookies. Firefox' regular capabilities of 'clear all private data' and
> 'privacy mode', which supposedly don't leave any record of your browsing
> history, don't erase these files.
It's not really a surprise, and I doubt any browser clears these away, as flash stores them in its own area.

I've been doing unrelated research on LSOs recently and hacked up a quick and dirty reader for .sol files. I thought I'd see what information they contain. Most are like marketing cookies and just contain a UID number[1], though some may leak information. For example, BBC iPlayer stores the position where you stopped a program in the middle. I nipped over to iPlayer and started the last episode of Mock the Week, then paused it; the LSO contained:

[d...@yggdrasil flashsol]$ ./readsol autoResume.sol
Shared Object name: autoResume
Version: AMF0
items: Array: [
  Key 0: Array: [
    Key totalTime: Number: 1800.064000
    Key prevPos: Number: 265.000000
    Key id: String: b00mpq4p
  ]
]

Not too exciting, until we look at the id key, items[0][id], and see that this maps to the URL of the program:

http://www.bbc.co.uk/iplayer/episode/b00mpq6y/Mock_the_Week_Series_7_Episode_10/

Showing that we could use the LSOs to see what programs have been watched through iPlayer.

[1] I think we should set up some sort of cookie/LSO bank: everybody puts on a marketing cookie with the same UID, mess up the marketing figures summat rotten :-)

dave

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
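As an added example (not dave's readsol, which is not on the page), a minimal AMF0 .sol reader in Python that checks the file header, then walks the keyed arrays the output above shows. The sample bytes are constructed to imitate the iPlayer autoResume.sol values from the post; they are not the real file.

```python
import struct

def _read_str(buf, pos):
    # UTF-8 string with a 16-bit big-endian length prefix
    n = struct.unpack(">H", buf[pos:pos + 2])[0]
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _read_value(buf, pos):
    # Decode one AMF0 value; returns (python value, offset after it)
    t = buf[pos]; pos += 1
    if t == 0x00:  # Number: IEEE-754 double, big-endian
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if t == 0x02:  # String
        return _read_str(buf, pos)
    if t in (0x03, 0x08):  # Object / ECMA array: key-value pairs up to "" + 0x09
        if t == 0x08:
            pos += 4  # declared element count; ignored, the end marker is authoritative
        out = {}
        while True:
            key, pos = _read_str(buf, pos)
            if key == "" and buf[pos] == 0x09:
                return out, pos + 1
            out[key], pos = _read_value(buf, pos)
    raise ValueError(f"unsupported AMF0 type 0x{t:02x} at offset {pos - 1}")

def read_sol(data):
    # Header: 00 BF, u32 remaining length, "TCSO", six fixed bytes, name, u32 version
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a .sol file")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size")
    name, pos = _read_str(data, 16)
    version = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
    if version != 0:
        raise ValueError("only AMF0 bodies are handled here (3 would be AMF3)")
    items = {}
    while pos < len(data):
        key, pos = _read_str(data, pos)
        items[key], pos = _read_value(data, pos)
        pos += 1  # each top-level AMF0 item is followed by one 0x00 padding byte
    return {"name": name, "version": "AMF0", "items": items}

# Constructed sample imitating the iPlayer autoResume.sol in the post (not the real file)
def _s(s): return struct.pack(">H", len(s)) + s.encode()
def _num(x): return b"\x00" + struct.pack(">d", x)
def _ecma(d): return b"\x08" + struct.pack(">I", len(d)) + b"".join(_s(k) + v for k, v in d.items()) + b"\x00\x00\x09"
_body = _s("items") + _ecma({"0": _ecma({"totalTime": _num(1800.064), "prevPos": _num(265.0), "id": b"\x02" + _s("b00mpq4p")})}) + b"\x00"
_rest = b"TCSO\x00\x04\x00\x00\x00\x00" + _s("autoResume") + b"\x00\x00\x00\x00" + _body
SAMPLE_SOL = b"\x00\xbf" + struct.pack(">I", len(_rest)) + _rest
```

Running read_sol over the .sol files under the Flash Player shared-object directory is a quick way to audit what a "clear private data" step left behind.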
