How to remove evercookie from firefox

Samy, the father of the MySpace worm (aka the Samy worm), recently released a new technique to persist cookies virtually forever in a browser. He named it evercookie.

“evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.” — described by Samy.

While people look for ways to remove this cookie from their browsers, Samy keeps improving it by adding more techniques. Currently, when it creates a cookie, it tries to store it in different places in your browser using 13 mechanisms, so that just clearing the browser’s cookies doesn’t remove the evercookie. It is so powerful that even many smart users will not be able to clear it, and general users are far behind. HTML5’s session storage, local storage, global storage, and database storage via SQLite make it more persistent. Some security researchers have already identified how it can be removed in Safari and Chrome, but not yet from Firefox. The technique I am going to describe works in Firefox 3.6 with Samy’s current version.

  1. Go to Samy’s evercookie demo page. Click on “Click to create an ever cookie”. Make sure the evercookie is stored in every place except ‘userData’ storage (that one is for IE). You may need to click on ‘click to rediscover cookies’ a few times to store it in every place.
  2. Open another tab and close the first (Samy’s) tab.
  3. Now open the Silverlight home page and delete the Silverlight Isolated Storage. To delete it, right-click any Silverlight application, then go to Silverlight > Application Storage, select the website samy.pl, click on Delete… and finally click on ‘Yes’.
  4. Then open the Flash Website Storage Settings panel page and remove the Flash Local Shared Objects (LSOs) stored from Samy’s domain.
  5. Press Ctrl+Shift+Del (alternatively go to Tools > Clear Recent History). Select ‘Everything’ from the ‘Time range to clear’ dropdown, check every item in the ‘Details’ list and finally click on the ‘Clear Now’ button.
  6. Now go to Samy’s page again and verify that the evercookie is removed completely.

Note that the sequence of the steps is very important when removing any evercookie in Firefox.
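The respawn behaviour quoted above, and why the clearing order matters, shown as an added JavaScript model (not code from the original post or from evercookie itself). Plain Maps stand in for seven of the storage areas the article names; the store names, the `uid` key and the IDs are constructed for illustration.

```javascript
// Constructed model, not evercookie's code: each Map stands in for one
// storage area named in the article (a subset of the 13 mechanisms).
const PLUGIN_STORES = ["flashLSO", "silverlightIsolatedStorage"];
const BROWSER_STORES = ["httpCookie", "sessionStorage", "localStorage",
                        "globalStorage", "sqliteDatabase"];
const ALL_STORES = [...PLUGIN_STORES, ...BROWSER_STORES];
const KEY = "uid"; // hypothetical cookie name

function makeBrowser() {
  return Object.fromEntries(ALL_STORES.map((name) => [name, new Map()]));
}

// Stores that still hold the identifier: the audit a user would want
// after each clearing step.
function residue(browser) {
  return ALL_STORES.filter((name) => browser[name].has(KEY));
}

// Respawn behaviour as described in the quote: on a visit, any surviving
// copy is written back to every store; only if none survive is a new ID set.
function visit(browser, freshId) {
  const left = residue(browser);
  const id = left.length > 0 ? browser[left[0]].get(KEY) : freshId;
  for (const name of ALL_STORES) browser[name].set(KEY, id);
  return id;
}

function clear(browser, names) {
  for (const name of names) browser[name].delete(KEY);
}

// Runs a list of actions after an initial visit and returns the ID the
// site sees on the final visit. "id-A" surviving means tracking persisted.
function run(actions) {
  const browser = makeBrowser();
  visit(browser, "id-A");
  for (const act of actions) {
    if (act === "visit") visit(browser, "id-X");
    else clear(browser, act);
  }
  return { residue: residue(browser), finalId: visit(browser, "id-B") };
}

const cookiesOnly = run([["httpCookie"]]);
const interleaved = run([PLUGIN_STORES, "visit", BROWSER_STORES]);
const fullSequence = run([PLUGIN_STORES, BROWSER_STORES]);
console.log(cookiesOnly.finalId, interleaved.finalId, fullSequence.finalId);
```

In the model, only the run that clears plugin and browser storage with no visit in between ends with a new ID; revisiting the page between clearing steps restores every store from the copies that were left.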


24 thoughts on “How to remove evercookie from firefox”

  1. That’s a very nice feature. I think we can take it positively. I give full credit to the programmer who found it out and used that storage information.
    And special thanks to you for sharing this type of interesting news.

  2. Pingback: Dominic White

  3. Pingback: Persistent Tracking using Supercookies and Evercookies | Security Generation

  4. Pingback: Se débarasser du Evercookie

  5. Thank you, great demonstration. It would be nice, if somebody could develop a firefox plugin, which would do the manual steps automatically.

  6. This shouldn’t be in a plugin, it should be native in all browsers. As a minimum, have “Delete cookies” delete Flash, Silverlight and HTML5 clientside storage as well, and don’t persist them across sessions unless whitelisted. Other techniques (CSS, history) are exploits and should be blocked in all browsers. Firefox has already chosen to not implement some features because they can be abused as cookies.

  7. Pingback: Killing the zombie cookie | Group51.org

  8. Replying to Andreas Becker: In other words, we should trust Google to protect us from a risk created and operated by Google?

    And notice that it only works on the latest versions of Firefox, which have the most intrusive collection features and do the most reporting to Google.

    I’m not convinced. I want the industry to stop collecting data on me and reporting it to Google or anyone else. I don’t want to have to opt out. I want to choose whether it happens in the first place, and to have my choice honored.

    I’ll take care of “enriching my internet experience” myself, thanks very much.

  9. This is scary. But fortunately there are BetterPrivacy and SecureSanitize as add-ons out there, which delete all traces (till now). But anyway, why does he develop such scrap – he is a hacker and he should be for anonymity – or is he looking for a job in companies like “the age of privacy is over”?

  10. @8ohmh: He is demonstrating a security hole. If he was evil, he would have done it secretly. But as long as he is doing it this way, he is doing something good because he calls attention to a serious problem.

  11. Pingback: It is possible to kill the evercookie

  12. Rookie question: Is this a permanent (or long-term) fix? Or something that has to be done over and over? If it’s permanent or long-term, it’s a sort of immunization, right?

  13. The software MAXA Cookie Manager spares you from the manual work of deleting all places a cookie can be set and handles this automatically for you.

  14. Pingback: Cookies are Evil « Emil on Security

  15. Interesting article, thanks for sharing. I hope security becomes better by default in FF4 to deal with issues like this.
    Don’t want to have to manually find a new solution all the time just to ensure I don’t have super cookies etc.
    It should be a default part of the browser, or at least an add-on that’s actively dev’d/updated.

  16. Pingback: It is possible to kill the evercookie | ~II~ THE WATCHTOWERS ~II~

  17. Pingback: .:[ d4 n3wS ]:. » Se débarasser du Evercookie

  18. Pingback: «Supercookies» sporer alt du gjør på Internett, hvis du ikke beskytter deg aktivt mot dette!

  19. Pingback: The Differences Between Internet Cookies And How To Delete Them
