A couple of days ago, Wired reported on the questionable use of Flash cookies revealed by a UC Berkeley study. While non-novice Internet users are generally aware of cookies and their implications, fewer users are aware that Adobe’s popular Flash plugin stores its own cookies separately from normal browser cookies.
If you’re using Mozilla Firefox, you can use the BetterPrivacy add-on to automatically delete all of your Flash cookies each time you close your browser. You can also configure BetterPrivacy to delete the cookies every few minutes, or to let you delete them manually using its interface.
If you’re using Internet Explorer, Chrome, or another browser, you can also use the Flash Settings Manager found here. It’s a good idea to browse through this anyway, as it contains some handy privacy settings (including the ability to disable Flash cookies entirely).
And, for Mac OS X, there’s Flush.app.


How can I configure BetterPrivacy to delete the cookies every few minutes, or to allow you to manually delete them using its interface?
Select Add-ons from the Tools menu. Select the Extensions section, and click on BetterPrivacy. You should see a button for Options.
If you open the BetterPrivacy options and select Options & Help, you’ll see a number of settings that allow you to do the things that you asked for.
In particular, you can select Delete Flash cookies by timer and choose an interval to delete cookies regularly, even before closing Firefox. You can also choose to Add LSO item to Firefox ‘Clear History’ dialog and settings, so that you will see an option to clear Flash cookies when you use Firefox’s built-in ‘Clear History’ feature (press Ctrl + Shift + Del).
While BetterPrivacy cleans LSOs from the default location that the add-on determines is the location where Web sites store Flash cookies (LSOs), the add-on needs the option of adding directories to the list of locations for the add-on to check and clean. There are two places where Web sites routinely store Flash cookies, only one of which is checked by BetterPrivacy; and it seems that at least some sites have the ability to detect the default path that BetterPrivacy is set to monitor and store the LSOs in the directory not being monitored. Google is one such site. BetterPrivacy needs to be modified so that more than one location can be monitored and cleaned according to the user’s settings. However, when I notified BetterPrivacy’s creator and suggested the modification, he categorically refused to make the change, saying, essentially, that I was daft for even suggesting it.
In addition to the two paths in my user profile where Flash cookies are stored, I found Flash cookies also stored in the Application Data directories in the LocalService and NetworkService directories.
The two locations where LSOs (filename.sol) are stored by various Web sites are:
1. C:\Documents and Settings\Owner.OwnerName\Application Data\Macromedia\Flash Player\#SharedObjects\WXN6G5D7(name of this directory will vary)
2. C:\Documents and Settings\Owner.OwnerName\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Location #2 is where the LSO created by Macromedia containing your global settings is stored (settings.sol), but sites like Google and others will store LSOs in this directory if the “#SharedObjects” directory is listed in BetterPrivacy as the monitored location.
Substituting “LocalService” and “NetworkService” for “Owner.OwnerName” will yield the locations of any cookies stored in those two directories.
In short, when using BetterPrivacy, it’s best to check behind it and check the directory that BetterPrivacy is not set to monitor.
Also, using Macromedia’s page to set site and global settings and access permissions or denials to your webcam and microphone does not work very well. I’ve set the global settings a dozen times or more using both Internet Explorer and Firefox; but every time I went back to the site to check my settings, they were right back where they were before I made any changes, especially in the amount of space to allow for LSO storage on my hard drive.
There is an additional software app that cleans the LSOs off the user’s computer. It’s called Flash Cookie Cleaner 1.0. It’s a freeware download. I haven’t had the chance to install or test it yet; but I will post the results here when I’ve had the chance to try it out.
I’m running Firefox 3.6 with BetterPrivacy 1.47 on Windows 7, and I have BetterPrivacy set to delete all Flash cookies when Firefox exits, including the Flash settings cookie. I can’t replicate the problem that you’re having—
When I start Firefox, BetterPrivacy correctly detects my Flash data directory as C:\Users\Chris\AppData\Roaming\Macromedia. In its LSO Manager view, BetterPrivacy shows that there are no Flash cookies (since they were deleted the last time I closed Firefox).
If I open C:\Users\Chris\AppData\Roaming\Macromedia\Flash Player in Windows Explorer (showing hidden files etc), I see a #Security folder only. In particular, there is no #SharedObjects folder and no macromedia.com folder.
If I subsequently log into Gmail, BetterPrivacy detects three Flash cookies: …\#SharedObjects\HXYK8BP8\mail.google.com\wakeup.sol, …\macromedia.com\support\flashplayer\sys\#mail.google.com\settings.sol, and …\macromedia.com\support\flashplayer\sys\settings.sol.
These are the only Flash cookies created. At this point, these are the only Flash cookies on my system, verified by searching the entire C: drive for *.sol (including hidden files etc).
If I now close Firefox, the #SharedObjects and macromedia.com folders are entirely deleted, including all three Flash cookies.
In other words, I don’t get any Flash cookies anywhere else on my system, including in the profile directories associated with system accounts like LocalService or NetworkService, and all of my Flash cookies are deleted when I close Firefox.
Ordinarily, your browser, which runs under your user account, would not store Flash cookies anywhere other than the Flash data directory in your user account’s profile, nor would it send Flash cookies from any other directory to any web site.
As far as I know, no web site can itself decide where to store its Flash cookies. They’re always stored in the Flash data directory in the profile of the account under which the Flash player is running.
If you’re finding Flash cookies stored in the system account profiles, you may have some application (perhaps a browser toolbar or other browser add-on) that has a component running under one of the system accounts.
Are you running any software that could be responsible for that? And, if you are, have you tried disabling it?
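The directory layout discussed in the comments above can be audited directly instead of trusting a cleaner's report. The following is an added example, not code from the post, its commenters or BetterPrivacy: the function names and the sample tree are constructed, and the classification rules are assumptions drawn only from the three paths quoted in the comment above.

```python
import tempfile
from pathlib import Path

SYS = ("macromedia.com", "support", "flashplayer", "sys")

def classify(parts):
    """Classify a .sol path (parts relative to the 'Flash Player' folder)."""
    if parts[0] == "#SharedObjects" and len(parts) >= 4:
        return "site-data", parts[2]            # #SharedObjects/<random>/<site>/...
    if parts[:4] == SYS and len(parts) == 5:
        return "global-settings", None          # sys/settings.sol
    if parts[:4] == SYS and len(parts) > 5:
        return "site-settings", parts[4].lstrip("#")  # sys/#<site>/settings.sol
    return "unexpected", None                   # worth a manual look

def audit(flash_player_dirs):
    """Return (root, kind, site, relative path) for every .sol under each root."""
    found = []
    for root in map(Path, flash_player_dirs):
        if not root.is_dir():
            continue                            # this profile has no Flash data
        for sol in root.rglob("*.sol"):
            rel = sol.relative_to(root)
            kind, site = classify(rel.parts)
            found.append((str(root), kind, site, rel.as_posix()))
    return sorted(found, key=lambda row: (row[0], row[3]))

def build_sample(base):
    """Constructed sample tree mirroring the three paths quoted above."""
    fp = Path(base) / "Macromedia" / "Flash Player"
    for rel in ("#SharedObjects/HXYK8BP8/mail.google.com/wakeup.sol",
                "macromedia.com/support/flashplayer/sys/#mail.google.com/settings.sol",
                "macromedia.com/support/flashplayer/sys/settings.sol"):
        target = fp / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")                 # empty placeholder, not a real LSO
    return fp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for root, kind, site, rel in audit([build_sample(tmp)]):
            print(f"{kind:16} {site or '-':18} {rel}")
```

Passing the Flash Player folder of each profile you want to check (your own plus any service-account profiles) to `audit` gives one list to compare against what the cleaner claims to have removed.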
Thanks for this! I remember hearing about Flash cookies a while back, but didn’t understand the seriousness of them until I realized that CCleaner wasn’t effectively removing them and therefore a lot of my sensitive information still lingered behind.
Thanks for tips… that’s so helpful.