Six Lines

Destroying the Indestructible Cookie

Posted by Aaron Massey on 28 Oct 2010.

A while ago, I mentioned evercookies, which are an attempt to create cookies that users cannot remove. It turns out that researchers are finding ways to remove them:

It’s nice to know that even if it’s inconvenient, it is possible to kill the toughest cookie we know about. But Kamkar has hinted he has other tricks planned, so this might turn into a bit of an arms race.

There’s no “might” about it. This will be an arms race, period. The entire history of the web tends towards more functionality being done on the client side and less being done on the server side. That requires local data storage, which is all a cookie really is.

I also thought this was worth noting:

Where things really get grim is with the mobile version of Safari. Although this version of Safari doesn’t support Flash or Silverlight, the directories it uses to hold local storage are sandboxed off from all other applications, and there is apparently no way to delete this. To clear evercookie from an iPhone, White first had to jailbreak it and then run a script. Worse still, any application that uses a Web view to display HTML content also creates an individual risk; White’s script has to crawl through the entire phone’s directory structure to purge them all.

Remember that mobile platforms are growing at an incredible rate. Many of these platforms, like the iPhone and the iPad, are not as open for the kind of hacking that would be needed to remove an evercookie.