Recently, Chad Tilbury posted a blog article on Flash Cookie Forensics. If you didn’t already know, Adobe Flash stores cookies (actually called LSO’s) on your computer that act more or less like regular HTTP cookies, except they never expire. This got me thinking about the built-in private browsing settings found in the current versions of Firefox (3.5.2) and Chrome (2.0). Both of these browsers have an easy to use private browsing setting that block histories, HTTP cookies, form data, etc. In Firefox, private browsing is called “Private Browsing”, and Chrome has “Incognito” mode. After reading this article, I began wondering just how private Firefox’s and Chrome’s privacy settings were when it comes to Flash cookies. A couple of simple tests showed me that there isn’t much privacy at all.
The tests were simple: locate the storage of Flash cookies (as demonstrated in Chad Tilbury’s article), and see if cookies are being saved while browsing in Firefox’s Private Browsing mode, and in Google Chrome’s Incognito mode. Here is a screenshot of the Flash cookies stored on my computer before I began internet surfing in Firefox:
And here is a screenshot of the stored Flash cookies after I surfed to hulu.com in Firefox Private Browsing mode:
As you can see, even when using Firefox Private Browsing, Flash cookies are saved to the computer. Let’s see how well Google Chrome’s Incognito mode does. Here is a before screenshot, with Chrome cracked open in Incognito mode and ready to surf:
After surfing to hulu.com in Chrome Incognito, the Flash cookie was clearly stored on my computer:
The problem really shouldn’t be a surprise based on how Flash cookies work, and I am not reporting any thing new. It might not really be the browsers’ fault. Flash cookies aren’t handled by Chrome or Firefox, and thus the browser has no way to block them (as far as I understand it). Still, the private browsing features in Chrome and Firefox are a complete false sense of privacy and security. One might make the argument that both browsers should be able to build in protection against Flash cookies. As Chad mentions in his article, Firefox has an add-on called BetterPrivacy that can manage Flash cookies, and No Script blocks Flash completely, so if an add-on can do it, why can’t it be built into the browser? By the way, as far as I can tell, there isn’t a similar add-on for Chrome.
(This article is dedicated to my friend, John.)
Update: For a follow up on how to block Flash Cookies, and a better implementation of Flash called Gnash, see my article Blocking Flash Cookies (and Improved Security with Gnash.