Flash Cookies (aka “Super Cookies”) are unlike typical internet cookies. Flash cookies are different because they are independent of the browser. They are designed to be permanently stored on your computer and are written using Adobe Flash. When you visit a site that uses Flash, such as YouTube, you’re unknowingly opening your device to the possibility of having a flash cookie written onto it.
So What is a Flash Cookie?
Adobe uses the term Locally Shared Objects (LSO) to refer to flash cookies. Whenever you open a web site that is running Flash, you allow Flash to create one of these Shared Objects. On every subsequent visit to any web site running Flash, the locally shared object, in other words our flash cookie, can be accessed again. This is a type of Super Cookie, as it has super powers that allow it to remain on your device even after you have removed all cookies from your browser!
Flash Cookies vs HTTP Cookies.
Regular computer cookies are browser based. This means you can easily remove them via browser tools (read my article about deleting cookies here). Super cookies are more difficult to detect and remove from your device because they will not be deleted in the same way. They are designed to function in the same manner as regular cookies, storing details about browsing history, personal preferences, authentication details or ad-targeting data. However, they are also designed not to be removed from your device, so they can store weeks or even months’ worth of data. This data can extend to your location, time zone, photographs, text from blogs, shopping cart contents and even e-mails.
Flash Cookie Concerns.
Most alarming is the fact that many websites are not up front about using Flash technology on their site. They therefore fail to alert visitors to the possibility of having their data tracked. The issue of super cookies is a difficult one to deal with. As technology moves forward there will be measures created to deal with them, but flash cookies are not the product of a lone criminal. They are created and maintained by large corporations who collect this data in an effort to better understand and serve their customer base.
No matter which side of the cookie debate you’re on, the next time you visit a flash enabled site you’re likely allowing a cookie into your computer that will collect and transmit data.
One of the aspects that makes this type of file so special is its ability to be triggered each and every time you visit any site with Flash enabled. Unlike normal internet cookies that are restricted to a single domain, this type of cookie can interact with multiple web sites and therefore collect data as you navigate from site to site.
How do Flash Cookies work?
Normal HTTP cookies can’t save more than 4 Kilobytes of data while Super Cookies can save up to 100 Kilobytes. Sometimes the reason behind this type of tracking is to set two cookies on the user’s machine: 1. A standard cookie that the user can erase. 2. A flash cookie that the user most likely is not aware of, because the existence of these flash cookies is not well known. This practice is very deceptive because by deleting cookies, the user is clearly rejecting attempts to track them. Using this obscure technology to subvert these wishes is a practice that perhaps should not be allowed.
Dive a little Deeper in to the Flash Cookie.
The software Adobe Flash Player does not actually allow third party locally shared objects to be shared across web sites. If a flash cookie is created by “CookieController.com”, it would not by default be available to another domain such as “PrivacyController.com”. However, the first party website could use the flash cookie it creates to pass information to a third party using certain settings found in the dedicated XML file. Also, third party LSOs are allowed to store certain data elements by default. This stored data is shared across browsers on the same machine. As an example:
- A visitor opens a web site using their Firefox browser. They then view a page that displays a specific product. The visitor then closes the Firefox browser. The information that was just viewed about that product can be stored in the Flash Cookie / LSO.
- Now let’s say the same visitor on the same device uses an Internet Explorer browser. They can visit any page from the site that was just viewed through Firefox. The site can read the Flash cookie / LSO values through the Internet Explorer browser. The website can now display dynamic content or otherwise target the visitor.
Flash cookies are browser independent. This gives them another super power, allowing them to transition across browsers as well as allowing information to be passed between web sites.
Another View on the Flash Cookie.
One of the main problems with flash cookies is that browsers do not clear them when the user deletes the cookies on their machine. These Flash Cookies NEVER expire and some of them even contain the name of your computer and the file path/ directories of key files. These cookies can share data across domains without our knowledge or permission. So not only is Flash insecure and unstable, it carries unauthorized cookies that ignore user preferences, and can be used as a Trojan to reinstate cookies that the user has flushed. The Zombie Cookie is born! Learn more about Zombie cookies here.
Flash Cookie Lawsuits.
According to the New York Times, since July 2010, there had been at least five class-action lawsuits in the United States against media companies for using local shared objects.
Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:
- is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- is given the opportunity to refuse the storage of, or access to, that information.
—Information Commissioner’s Office
How Can I detect and remove Super Cookies?
Software I can install
Antivirus software that also removes Super Cookies
Websites you can visit to help control the use of Super Cookies e.g. Adobe and Macro Media
Browser Addons such as Better Privacy for Firefox
- Manual deletion: The most tech savvy method to remove the super cookie, manual deletion is probably best suited for the technically minded. A super cookie is usually found in the “Flash Player” directory on your computer, but can be stored elsewhere. Use the search tool on your PC and look for the *.sol file extension.
- Better Privacy (Firefox addon): If you use Firefox you can add the Better Privacy plugin to your install and let the addon work its magic on your LSOs.
- Disable/remove Flash: Not a fan of Flash in the first place? Don’t care about certain videos or online games? If so, just disable or full-on remove the Flash player from your computer. If it works for iPhone users, it might work for you, too.
- Visit Adobe: Adobe has a tool that you can use to update your settings quickly and easily. Just go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html and set the “Global Storage Settings” to “Zero”. This will prevent new flash cookies from being put on your computer, but if you have any right now you’ll still have to remove them as described above.
Who Uses Flash Cookies?
mentioned CCleaner for PC and Flush.app for Mac
The Zombie Cookie is born!
use of Flash cookies to ‘re-spawn’ or bring back to life traditional browser cookies
Learn more about this special type of Cookie here in my article “What is a Zombie Cookie?”
New Page – Delete Flash Cookies
* Better Privacy extension for Firefox -
* Ccleaner - http://www.ccleaner.com/
Mac OS X:
Where to find these flash cookies:
* Windows: LSO files are stored typically with a “.SOL” extension, within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.
* Mac OS X: For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys
* GNU-Linux: ~/.macromedia
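
The manual search for *.sol files described above can be scripted. The following is an added example, not part of the original article: it starts from the Macromedia directory for each platform listed above and reports LSO files grouped by the site that wrote them. The function names, the `--delete` switch and the assumed `#SharedObjects/<random id>/<site>/` folder layout are assumptions of this example.

```python
import os
import sys
from collections import defaultdict
from pathlib import Path


def lso_roots(platform=sys.platform, home=None):
    """Directories to search, based on the locations listed in the article."""
    home = Path(home) if home else Path.home()
    if platform.startswith("win"):
        appdata = os.environ.get("APPDATA") or str(home / "Application Data")
        return [Path(appdata) / "Macromedia"]
    if platform == "darwin":
        return [home / "Library" / "Preferences" / "Macromedia"]
    return [home / ".macromedia"]


def site_of(path):
    """Assumed layout: #SharedObjects/<random id>/<site>/...; else unknown."""
    parts = Path(path).parts
    if "#SharedObjects" in parts:
        i = parts.index("#SharedObjects")
        if len(parts) > i + 3:
            return parts[i + 2]
    return "(unknown)"


def find_lsos(roots):
    """Return sorted (site, path, size) for every *.sol file under roots."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # missing roots yield nothing
            for name in files:
                if name.lower().endswith(".sol"):  # extension appears as .sol or .SOL
                    p = Path(dirpath) / name
                    found.append((site_of(p), str(p), p.stat().st_size))
    return sorted(found)


def per_site(records):
    """Summarise as {site: (file count, total bytes)}."""
    totals = defaultdict(lambda: [0, 0])
    for site, _path, size in records:
        totals[site][0] += 1
        totals[site][1] += size
    return {s: tuple(v) for s, v in totals.items()}


if __name__ == "__main__":
    records = find_lsos(lso_roots())
    for site, (count, size) in sorted(per_site(records).items()):
        print(f"{site}: {count} file(s), {size} bytes")
    if "--delete" in sys.argv:  # removes only the files just listed
        for _site, path, _size in records:
            os.remove(path)
```

Run it without arguments first to review what is stored, then again with `--delete` to remove the listed files.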