There has been lots of discussion lately about Flash websites using Local Shared Objects (LSO) to track users selections, browsing habits, and other information. One of the advantages for websites has been that until now they have not been well known. From my basic searching they have been around since at least 2004 and probably earlier. A user may configure their browser to remove or delete all ‘cookies’, but LSOs stay. According to some, many of the top websites use them.
I tried a little experiment to see how LSOs are stored. The directory that they are stored varies depending upon your operating system. For me I use Linux as my primary O/S. The default directory for LSOs is ~/.macromedia/Flash_Player.
Under the ‘Flash_Player’ there are two directories and under each of these directories are the security configuration and the binary installer for the Flash Air application. Nothing interesting. Next, I started Firefox and went to youtube.com and selected a video. After the video completed, I took another look at the ~/.macromedia/Flash_Player directory.
Under~/.macromedia/Flash_Player we now have two new directories, macromedia.com and #SharedObjects. If we decend the macromedia.com directory, we find 3 nested single directories called support, flashplayer, and sys respectively. Under the ‘sys’ directory we find a binary file called settings.sol and a subdirectory which is #s.ytimg.com owned by Google. The #s.ytimg.com directory contains a separate settings.sol which is binary.
Under the #SharedObjects directory, there is a single oddly named directory ’3BJH4AW6′, then a directory for the website ‘s.ytimg.com’, a domain owned by Google. Below this are two files entitled videostats.sol and soundData.sol, both containing binary data.
I haven’t investigated the format or contents of the .sol files, but it is obviously where the metadata is stored. I may try to investigate the format or see if anyone else has already figured it out as I am curious. The bigger question in my mind is how does one properly erase this data. There is a Firefox add-on called BetterPrivacy which will do just that. It can be configured to delete LSOs on request or remove all the LSOs when you shutdown Firefox. I installed BetterPrivacy and tried it. Sure enough, upon shutting down Firefox I was greeted with this window:
Selecting OK, put my ~/.macromedia/Flash_Player directory back to its original state with no LSOs or website directories present. For the normal user that should suffice. However, these are files and they have been deleted. Most people should know that files these days that are deleted are typically still recoverable. File systems such as NTFS (windows), ext2/ext3 (*nix) all can have files deleted on them recovered. In the case of ext3, it is a journal file system and the default file system installed on most *nix platforms today. Without getting into the details in this post, this effectively means that even if you wipe a file it can potentially still be recovered.
If you carry around sensitive information on your laptop, I recommend you create an encrypted volume on your hard drive using a package such as TrueCrypt, PGP. In the case of my system, I formatted the encrypted file system to be ext2. This means there is no journaling. This has the disadvantage of being less ‘recoverable’ but it has the advantage that if you wipe a file with ‘wipe’, ‘shred’ or some other wiping software it is unlikely to be recovered. Next, I point my ~/.macromedia directory to the encrypted file system.
You can see the ~/mndData file which is the truecrypt fileystem. ~/.macromedia is symbolically linked to the encrypted filesystem. For those interested, you can see that my Evolution (~/.evolution), Google Desktop (~/.google), Firefox Cache and bookmarks (~/.mozilla), IM client (~/.purple) and Skype (~/.Skype) all write to the encrypted file system. You have to be able to mount the ~/mndData to get at any of the email, browser cache, bookmarks, IM conversations and now LSOs. It isn’t fool proof, but it offers another layer of protection so that client data remains unviewable in the event of my laptop being stolen.
Comments