Terrible news has reached us today: security researcher Samy Kamkar has created a horrific tool designed to create browser cookies that cannot be deleted, the Evercookie API.
Kamkar is coming under flak from many organisations for his code, which can generate a series of cookies that survive multiple removal purges and can even track a user between browsers.
The Evercookie is a frightening little bugger, as it can create a series of linked cookies using various storage methods: Local Shared Objects via Flash, which operate only when a Flash plug-in is installed but require a separate clean-up and can be detected from any Flash-enabled browser; standard HTTP cookies, which can be cleared from any browser; and HTML5's session storage, global storage, local storage and database storage through SQLite. To make matters even worse, it appears that it can work into page titles, storing cookie information in the browser's history, and it can even create a cookie in the shape of an RGB-value-based PNG file, which is forced into the cache and then read back using HTML5's Canvas tag.
Kamkar hasn't decided to stop here, as he has said he is going to look at improving it further. As it needs only one area to remain alive, it is going to prove hard to remove, especially when it can regenerate itself after the user revisits an Evercookie-enabled site.
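As an added illustration (not Kamkar's code and not part of the original article), this Node.js model audits a cleanup routine against the stores listed above and shows why missing even one of them leaves the user re-identifiable. The Map-based browser model and all function names are assumptions made for the example.

```javascript
// Constructed model: each storage area named in the article is a Map, so the
// audit runs offline in Node. Store names are labels for this example only.
const STORE_NAMES = [
  "httpCookie", "flashLSO", "sessionStorage", "globalStorage",
  "localStorage", "sqliteDatabase", "historyTitles", "pngCache",
];

function newBrowser() {
  return new Map(STORE_NAMES.map((name) => [name, new Map()]));
}

// Models a visit to a site using linked stores: the id is read from any
// store that still holds it, then written back to every store.
function visit(browser, key, freshId) {
  let id;
  for (const store of browser.values()) {
    if (store.has(key)) { id = store.get(key); break; }
  }
  id = id ?? freshId; // nothing survived, so the site must issue a new id
  for (const store of browser.values()) store.set(key, id);
  return id;
}

// A purge clears only the stores the cleanup tool knows about.
function purge(browser, storesCleared) {
  for (const name of storesCleared) browser.get(name)?.clear();
}

// Audit step: which stores still hold the key after the purge?
function survivors(browser, key) {
  return [...browser].filter(([, store]) => store.has(key)).map(([name]) => name);
}

// Runs one scenario: visit, purge, audit, revisit. The user is re-identified
// if the second visit yields the same id as the first.
function auditPurge(storesCleared) {
  const browser = newBrowser();
  const first = visit(browser, "uid", "id-A");
  purge(browser, storesCleared);
  const left = survivors(browser, "uid");
  const second = visit(browser, "uid", "id-B");
  return { left, reidentified: second === first };
}
```

Calling `auditPurge` with only the cookie and HTML5 local/session stores reports the five stores that were missed and `reidentified: true`; only clearing every store in `STORE_NAMES` breaks the link.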
Kamkar has released the source code for the project, which is going to put it into the hands of a wide array of crackers, hackers and malicious coders. In six months' time we could have a serious situation on our hands.
KitGuru says: This has tremendous ramifications for security down the line and we can't understand why someone would create this in the first place.
Very nasty indeed. Some people need other hobbies 🙁
This is a potential nightmare in the waiting.
Samuel L Jackson ain’t gonna like this…
If there was ever a case for the death penalty…
Hopefully browser and plugin writers will be on top of this, creating the tools to delete these cookies safely.