Friday, June 25, 2010

What's wrong with Flash Cookies?

Flash Cookies (officially known as Local Shared Objects, or LSOs) are similar in intent to the better known HTTP Cookies. They are used to store information on a web user's computer so that the user's identity can be tracked from one browsing session to the next.

As with ordinary cookies, Flash Cookies can be used for everything from useful things (remembering who you are so you don't have to log in each time on web sites you commonly use) to annoying things (such as tracking your surfing habits to spy on you for commercial purposes by aggregating information from site to site).

Flash Cookies exist because regular HTTP cookies are limited in size; Flash Cookies are larger and provide more storage for applications written in Flash.

Unlike ordinary cookies, Flash Cookies are largely unknown to the surfing public and very hard to control. Here's a list of bad things about Flash Cookies.

1. Flash Cookies are hard to delete

All the major web browsers have controls for regular HTTP cookies built in. In contrast, none of them provide control of Flash Cookies. That's a pity since we know that people delete their HTTP cookies very regularly. If you want to delete them then you need to visit this page on

2. Flash Cookies are not kept private by browser 'private browsing' modes

Since Flash Cookies exist outside the browser (they are part of Flash, not the browser) they are not controlled by browser 'private' modes. Typically, in private modes any HTTP cookies set by web sites visited will be removed at the end of the browsing session. Not so with Flash Cookies. The Flash system does not know about private browsing and will keep any cookies created during the private session.

This means that if, for example, you use the private mode to browse pornography even though your history and cookies will be protected, the Flash Cookies will give you away. Adobe announced last month that a new version of the Flash player would respect these modes.

3. Flash Cookies leak information from browser to browser

Flash Cookies are controlled by Flash, not by your browser. That means that if you have multiple browsers on your computer the Flash Cookies will be the same across all of them. If you browse a site that uses Flash Cookies in Internet Explorer and then open the site in Firefox you'll have the same Flash Cookies underneath.

4. Flash Cookies bring deleted HTTP Cookies back from the dead

Since Flash Cookies are so persistent (see #1), they are used by lots and lots of web sites. And one use is to recreate ordinary HTTP cookies. Suppose you visit my web site. I could set an HTTP cookie to track your visit and a Flash Cookie at the same time. If you subsequently clear the HTTP cookie, my site could look in the Flash Cookie to find out the value of the HTTP cookie and reset it. Doing so makes cookie clearing in your browser useless.

5. Flash Cookies don't self-destruct

Ordinary HTTP cookies have an expiry date/time associated with them so that even if you don't delete them they'll get removed by your browser after a certain amount of time. And there are session cookies that persist just for one web browsing session. In contrast, Flash Cookies are eternal. Unless the Flash application itself decides to delete a cookie it's created, it will persist forever on your machine.

6. Flash Cookies are everywhere

Last year it was reported that 54% of the top 100 web sites are using Flash Cookies. My research says that that number continues to increase.

7. Flash Cookies circumvent 'third-party cookie' controls

Because Flash Cookies are beyond browser control they circumvent third-party HTTP cookie controls. Many browsers allow users to accept first-party cookies (cookies created by the site they are visiting; these can be useful for automatic login and remembering your preferences), but to refuse third-party cookies (which are used by things like Google Analytics or advertising agencies to track your web browsing habits).

This isn't possible with Flash Cookies: they are beyond the browser's control.
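As an added illustration of points 1, 3 and 4 (this is not code from the original post): a small Python audit that walks the Flash Player #SharedObjects store, lists local shared objects per domain, and flags any whose bytes contain a given HTTP cookie value, which is how a respawned cookie shows up on disk. The storage paths are the documented Flash Player defaults (assumed typical for a single-user profile); the sample tree it builds when no real store is present is constructed, not real data.

```python
import os
import tempfile
from pathlib import Path

# Default Flash Player LSO roots (Linux, macOS, Windows); assumed typical locations.
LSO_ROOTS = [
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",
    Path(os.environ.get("APPDATA", "")) / "Macromedia/Flash Player/#SharedObjects",
]

def scan_lso(root):
    """Map domain -> [(relative file, size)] for every .sol under root. Layout is
    <root>/<random id>/<domain>/<path...>/<name>.sol; one store serves all browsers."""
    found = {}
    for sol in Path(root).rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:
            continue  # not a per-domain object (e.g. player settings in the root)
        rel = Path(*parts[2:]).as_posix()
        found.setdefault(parts[1], []).append((rel, sol.stat().st_size))
    return found

def find_mirrored(root, cookie_values):
    """Flag .sol files whose bytes contain an HTTP cookie value. AMF0 stores strings
    as plain UTF-8, so a copied id appears verbatim; a hit is an indicator, not proof."""
    hits = {}
    for sol in Path(root).rglob("*.sol"):
        data = sol.read_bytes()
        for value in cookie_values:
            if value.encode() in data:
                hits.setdefault(value, []).append(sol.relative_to(root).as_posix())
    return hits

def build_sample_tree():
    """Constructed sample (not real LSOs): one domain mirrors cookie id 'sess-9f3a7c'."""
    root = Path(tempfile.mkdtemp())
    beacon = root / "ABCD1234" / "tracker.example" / "beacon.sol"
    beacon.parent.mkdir(parents=True)
    beacon.write_bytes(b"\x00\xbfTCSO" + b"uid=sess-9f3a7c\x00")  # 22 bytes
    save = root / "ABCD1234" / "games.example" / "level1" / "save.sol"
    save.parent.mkdir(parents=True)
    save.write_bytes(b"\x00\xbfTCSO" + b"\x00" * 64)  # 70 bytes, no cookie id
    return root

if __name__ == "__main__":
    root = next((r for r in LSO_ROOTS if r.is_dir()), build_sample_tree())
    for domain, files in sorted(scan_lso(root).items()):
        print(domain, len(files), "object(s),", sum(s for _, s in files), "bytes")
    print("mirrored:", find_mirrored(root, ["sess-9f3a7c"]))
```

Run it with the cookie values you just cleared from the browser; any domain it reports is one that could re-set them.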


mydigitalself said...

Why do you state that cross browser cookies is bad/wrong, I think it's bloody brilliant.

Nickname unavailable said...

Nice summary. I use the Firefox extensions Flashblock and Better Privacy to maintain some control over flash cookies.

PaulH said...

I use Firefox, and I use the "BetterPrivacy" extension that seems to do a good job deleting LSO cookies. I'm not sure if there are similar products for other browsers.

John said...

There is a way to delete and block flash cookies permanently.


David Kemp said...

How much of this holds true for Silverlight Cookies? Or even sites using Google Gears/Browser Storage?

Tim said...

This is actually getting better finally.

Earlier this year Adobe said they'd start working to have tighter integration into privacy controls and flash cookies.

post said...

Hi, did you know you can simply delete the cookies? They are in your personal app-data folder.

vinref said...

On my unix-type system, I have this entry for the root crontab:

@reboot /bin/rm -rf /home/*/.macromedia/Flash_Player/*

Lockwood said...

Minor point: Google Analytics uses first-party cookies (see Myth 3: