October 11, 2010: Reported on the front page of the New York Times
Find the latest details, code, and implementations on github @ https://github.com/samyk/evercookie
evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie finds that the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Specifically, when creating a new cookie, it uses the following storage mechanisms when available:
- Standard HTTP Cookies
- HTTP Strict Transport Security (HSTS) Pinning
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
- HTML5 IndexedDB
- Java JNLP PersistenceService
- Java CVE-2013-0422 exploit (applet sandbox escaping)

TODO: adding support for:
- Caching in HTTP Authentication
- Using Java to produce a unique key based off of NIC info
- Google Gears

Got a crazy idea to improve this? Email me!
Click to create an evercookie. Don't worry, the cookie is a
random number between 1 and 1000, not enough for me to track
you, just enough to test evercookies.
Now, try deleting this "uid" cookie anywhere possible, then or
evercookie is written in JavaScript and contains portions in Java, SWF/ActionScript (Flash) and C# (Silverlight). Some backend pieces are in PHP, and are also available in Node.js and Django. Get the latest source from github: http://github.com/samyk/evercookie
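
The store-and-recreate behaviour described at the top of this page, modelled as an added example for testing a cleanup procedure (this is not evercookie's own code). The four store names, the in-memory Maps standing in for browser storage, the function names, and the choice of the most common surviving value are all assumptions of this example.

```javascript
// Model of the store-and-respawn behaviour, for checking a cleanup procedure.
// Each Map is a constructed stand-in for one browser storage mechanism;
// no real browser API is touched. Store names are hypothetical labels.
const STORE_NAMES = ["httpCookie", "localStorage", "sessionStorage", "windowName"];

function makeStores() {
  return new Map(STORE_NAMES.map((name) => [name, new Map()]));
}

// Write the value into every mechanism that is available.
function setEverywhere(stores, key, value) {
  for (const store of stores.values()) store.set(key, value);
}

// Read: take the most common surviving value (this example's choice), then
// rewrite it into every store that lost it. This is the "recreates them" step.
function getAndRespawn(stores, key) {
  const votes = new Map();
  for (const store of stores.values()) {
    if (store.has(key)) {
      const v = store.get(key);
      votes.set(v, (votes.get(v) || 0) + 1);
    }
  }
  if (votes.size === 0) return undefined; // nothing survived the cleanup
  const [best] = [...votes.entries()].sort((a, b) => b[1] - a[1])[0];
  setEverywhere(stores, key, best);
  return best;
}

// Defender's check: which mechanisms still hold the key after a cleanup?
function survivors(stores, key) {
  return [...stores].filter(([, store]) => store.has(key)).map(([name]) => name);
}

// A cleanup that clears only the named mechanisms.
function clear(stores, key, names) {
  for (const name of names) stores.get(name).delete(key);
}
```

Running `survivors` after a cleanup and before the page script reads again shows which mechanism the cleanup missed; any non-empty result means the next read restores the value everywhere.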