evercookie

October 11, 2010: Reported on the front page of the New York Times

 
Find the latest details, code, and implementations on github @
https://github.com/samyk/evercookie

DESCRIPTION

    evercookie is a JavaScript API that produces
    extremely persistent cookies in a browser. Its goal
    is to identify a client even after they've removed standard
    cookies, Flash cookies (Local Shared Objects or LSOs), and
    others.
 
    evercookie accomplishes this by storing the cookie data in
    several types of storage mechanisms that are available on
    the local browser. Additionally, if evercookie has found the
    user has removed any of the types of cookies in question, it
    recreates them using each mechanism available.
 
    Specifically, when creating a new cookie, it uses the
    following storage mechanisms when available: 
     - Standard HTTP Cookies
     - HTTP Strict Transport Security (HSTS) Pinning
     - Local Shared Objects (Flash Cookies)
     - Silverlight Isolated Storage
     - Storing cookies in RGB values of auto-generated, force-cached
       PNGs using HTML5 Canvas tag to read pixels (cookies) back out
     - Storing cookies in Web History
     - Storing cookies in HTTP ETags
     - Storing cookies in Web cache
     - window.name caching
     - Internet Explorer userData storage
     - HTML5 Session Storage
     - HTML5 Local Storage
     - HTML5 Global Storage
     - HTML5 Database Storage via SQLite
     - HTML5 IndexedDB
     - Java JNLP PersistenceService
     - Java CVE-2013-0422 exploit (applet sandbox escaping)
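
    Added example (not part of evercookie or of the original page): seen from the defender's side, the recreation behaviour described above shows up when storage snapshots taken before clearing cookies, right after clearing, and after the page reloads are compared. The snapshot shape, the function names and the sample values are assumptions constructed for this illustration.

```javascript
// Added example: detect cookie "respawning" from three storage snapshots.
// Snapshot shape (an assumption of this example):
//   { cookies: {name: value}, stores: { storeName: {key: value} } }

// True when a stored string holds the identifier, either as the bare value
// or inside a serialized "name=value" pair (window.name is one flat string).
function holdsIdentifier(stored, name, value) {
  if (typeof stored !== "string") return false;
  if (stored === value) return true;
  return stored.split(/[&;]\s*/).includes(`${name}=${value}`);
}

// before:   state before the user cleared cookies
// cleared:  state right after clearing (cookies gone, other stores untouched)
// reloaded: state after the page's scripts ran again
function findRespawnedCookies(before, cleared, reloaded) {
  const findings = [];
  for (const [name, value] of Object.entries(before.cookies)) {
    const wasDeleted = !(name in cleared.cookies);
    const cameBack = reloaded.cookies[name] === value;
    if (!wasDeleted || !cameBack) continue;
    // Which surviving stores still held a copy that could seed the respawn?
    const sources = [];
    for (const [storeName, entries] of Object.entries(cleared.stores)) {
      if (Object.values(entries).some((s) => holdsIdentifier(s, name, value))) {
        sources.push(storeName);
      }
    }
    findings.push({ name, value, sources });
  }
  return findings;
}

// Constructed sample data, not captured from a real browser.
const stores = {
  localStorage: { uid: "417" },
  sessionStorage: {},
  "window.name": { value: "theme=dark&uid=417" },
};
const before = { cookies: { uid: "417", lang: "en" }, stores };
const cleared = { cookies: {}, stores };
const reloaded = { cookies: { uid: "417" }, stores };

console.log(findRespawnedCookies(before, cleared, reloaded));
```

    A finding with an empty sources list means the value came back from a mechanism the snapshot does not cover, such as the ETag, web cache or cached-PNG entries in the list above.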
 
    TODO: adding support for:
     - Caching in HTTP Authentication
     - Using Java to produce a unique key based off of NIC info
     - Google Gears
 
    Got a crazy idea to improve this? Email me! 
 

EXAMPLE

 
 
 
Click to create an evercookie. Don't worry, the cookie is a
    random number between 1 and 1000, not enough for me to track
    you, just enough to test evercookies.
 
 

 

Now, try deleting this "uid" cookie anywhere possible, then or

 

DOWNLOAD

 
    evercookie is written in JavaScript and contains portions
    in Java, SWF/ActionScript (Flash) and C# (Silverlight).
    Some backend pieces are in PHP, but are also available in Node.js and Django.
 
 
    Get the latest source from github: http://github.com/samyk/evercookie