Local shared object

Last updated

A local shared object (LSO), commonly called a Flash cookie (due to its similarity with an HTTP cookie), is a piece of data that websites that use Adobe Flash may store on a user's computer. Local shared objects have been used by all versions of Flash Player (developed by Macromedia, which was later acquired by Adobe Systems) since version 6. [1]

Contents

Flash cookies, which can be stored or retrieved whenever a user accesses a page containing a Flash application, are a form of local storage. Similar to cookies, they can be used to store user preferences, save data from Flash games, or track users' Internet activity. [2] LSOs have been criticised as a breach of browser security, but there are now browser settings and addons to limit the duration of their storage.

Storage

Local shared objects contain data stored by individual websites. Data is stored in the Action Message Format. With the default settings, the Flash Player does not seek the user's permission to store local shared objects on the hard disk. By default, an SWF application running in Flash Player from version 9 to 11 (as of Sept 1, 2011) may store up to 100 kB of data to the user's hard drive. If the application attempts to store more, a dialog asks the user whether to allow or deny the request. [3]

Adobe Flash Player does not allow third-party local shared objects to be shared across domains. For example, a local shared object from "www.example.com" cannot be read by the domain "www.example.net". [1] However, the first-party website can always pass data to a third-party via some settings found in the dedicated XML file and passing the data in the request to the third party. Also, third-party LSOs are allowed to store data by default. [4] [5] By default, LSO data is shared across browsers on the same machine. As an example:

This is distinct from cookies which have directory isolated storage paths for saved cookies while LSOs use a common directory path for all browsers on a single machine.

Application to games

Flash games may use LSO files to store the user's personal game data, such as user preferences and actual game progress. Backing up files such as these requires some technical understanding of software. However, both browser updates and programs designed to remove unused files may delete this data.

To prevent cheating, games may be designed to render LSO files unusable if acquired from another location.

Privacy concerns

As with HTTP cookies, local shared objects can be used by websites to collect information on how people navigate them, although users have taken steps to restrict data collection. [6] Online banks, merchants, or advertisers may use local shared objects for tracking purposes. [7]

On 10 August 2009, Wired magazine reported that more than half of the top websites used local shared objects to track users and store information about them, but only four of them mentioned it in their privacy policy. "Flash cookies are relatively unknown to web users," the article said, "even if a user thinks they have cleared their computer of tracking objects, they most likely have not." The article further says that some websites use Flash cookies as hidden backups so that they can restore HTTP cookies deleted by users. [8]

According to the New York Times , by July 2010 there had been at least five class-action lawsuits in the United States against media companies for using local shared objects. [9]

In certain countries, it is illegal to track users without their knowledge and consent. For example, in the United Kingdom, customers must consent to the use of cookies/local shared objects: [10] [11]

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:

Local shared objects were the first subject to be discussed in the Federal Trade Commission (FTC) roundtable in January 2010. [12] FTC Chairman Jon Leibowitz has been talking with Adobe about what it describes as "the Flash problem." [13]

User control

Users can disable local shared objects using the Global Storage Settings panel of the online Settings Manager at Adobe's website. [14] However, this places a permanent flash cookie on the computer, informing all other websites that the user does not want flash cookies stored on their computer. Users can opt out of LSOs from specified sites from Flash Player's "Settings", accessed by right-clicking the Player, or using the Website Storage Settings panel; the latter also allows users to delete local shared objects. [15]

Users may also delete local shared objects either manually or using third-party software. For instance, CCleaner, a standalone computer program for Microsoft Windows and Mac OS X, allows users to delete local shared objects on demand. There is also a Firefox add-on, Clear Flash Cookies, which will automatically clear out all LSOs each time the browser is restarted. [16]

Since version 10.3 of Flash, the Online Settings Manager (letting users configure privacy and security permissions via Adobe's website) is superseded by the Local Settings Manager on Windows, Mac, and Linux platforms. It can be accessed via the Windows Control Panel or Mac OS System Preferences. [17] Users of other operating systems still use the Adobe Online Settings Manager. Since at least April 2012 (v 11.2.202.233), updating by downloading a new Flash version resets the security and privacy settings to the defaults of allowing local storage and asking for media access again, which may be against users' wishes.

Browser control

Browser control refers to the web browser's ability to delete local shared objects and to prevent the creation of persistent local shared objects when privacy mode is enabled. As for the former, Internet Explorer 8, released on March 19, 2009, [18] implements an API that allows browser extensions to co-operate with the browser and delete their persistent data stored when user issues a Delete Browsing History command. [19] However, two years passed since its introduction until Adobe, on March 7, 2011, announced that Flash Player v10.3, which was still in development at the time, supports co-operating with Internet Explorer 8 or later to delete local shared objects. [20]

Also on January 5, 2011, Adobe Systems, Google Inc., and Mozilla Foundation finalized a new browser API (dubbed NPAPI ClearSiteData). This will allow browsers implementing the API to clear local shared objects. [21] Four months later, Adobe announced that Flash Player 10.3 enables Mozilla Firefox 4 and "future releases of Apple Safari and Google Chrome" to delete local shared objects, [20] so since version 4, Firefox treats LSOs the same way as HTTP cookies - deletion rules that previously applied only to HTTP cookies now also apply to LSOs. [22] [23] This caused loss of data and backward-incompatible flash application behavior [24] for those Firefox and Flash users who used HTTP cookies and Flash local shared objects for different goals. Mainly this affected flash gamers, who rely on Flash LSOs to store saved games. [25] [26] The resulting support requests cannot be solved favorably for Mozilla Firefox users without changes to the browser, because of the introduced equivalence between HTTP and flash cookies. [22] [23] Currently, the workaround in use is to either configure the browser to never clear history data and cookies or to revert the part of the changes affecting this use case, using third-party patches. [27]

As for the behavior in browser's privacy mode, Adobe Flash Player 10.1, released on June 10, 2010, supports the privacy modes of Internet Explorer, Mozilla Firefox, Google Chrome, and Safari. Local shared objects created in privacy are discarded at the end of the session. Those created in a regular session are also not accessible in privacy mode. [28] [29]

Third-party software

Viewers and editors

SoftwareDeveloperPlatformAbilitiesFirst public releaseLatest stable versionLicense
ReadWriteFormat
.minerva (GitHub)Gabriel Mariani Web platform YesYesAMF0/AMF3, JSON~2008-07-15 (1.5.1)4.1.1 (2015-01-10) BSD
.sol Editor Alexis Isaac Windows YesYesAMF0Feb. 20051.1.0.1 (2005-02-21) MPL
SOLReader Alessandro Crugnola Windows YesNoAMF0/AMF32007-10-251.0.0 (2007-10-25) ?
FlashDevelopMika Palmu, Philippe Elsass Windows YesNoAMF0/AMF32009-06-14 (3.0.0)4.4.0 (2013-04-18) MIT
SolVE Darron Schall Windows, macOS YesYesAMF0Nov. 20040.2 (2004-10-15) CPL

Libraries and frameworks

SoftwareDeveloperAbilitiesFirst public releaseLatest stable versionLicense
ReadWriteFormat
Dojo Toolkit Dojo Foundation NoYesAMF0/AMF3 (in browser via Flash)20041.9.0 (2013-05-01) BSD, AFL
PyAMF (GitHub/PyPI)Nick JoyceYesYesAMF0/AMF32007-10-070.8.0 (2015-12-17) MIT
s2x Open Source Flash Aral BalkanYesYesAMF0, XMLDec. 20030.75 (Dec. 2003)Freeware

Cleaners

SoftwareDeveloperPlatformFirst public releaseLatest stable versionLicense
PrivacyScan SecureMac.com, Inc. macOS 10.6 - 10.102012-01-301.5 Shareware
Cookie Stumbler WriteIt! Studios Ltd. macOS 10.8 - 10.92011-04-012.1.2 Shareware
Cookie SweetP Productions macOS 10.6 - 10.1020114.3.2 Shareware
Safari Cookies SweetP Productions macOS 10.5 - 10.102009-04-122.0 (2014-10-27)Freeware
MAXA Cookie Manager Maxa Research Windows  ?5.3 (2011-12-11) Shareware
Click&Clean Vlad & Serge Strukoff Windows, macOS, Linux, BSD, Firefox add-on 2010-01-23 (3.6.5.0)4.1 (2013-03-16) MIT
CCleaner Piriform (company) Windows  ? ? Freemium

See also

Related Research Articles

<span class="mw-page-title-main">Adobe Flash</span> Discontinued multimedia platform used to add animation and interactivity to websites

Adobe Flash is a discontinued multimedia software platform used for production of animations, rich internet applications, desktop applications, mobile apps, mobile games, and embedded web browser video players.

<span class="mw-page-title-main">Plug-in (computing)</span> Software component that adds a specific feature to an existing software application

In computing, a plug-in is a software component that adds a specific feature to an existing computer program. When a program supports plug-ins, it enables customization.

This is a comparison of both historical and current web browsers based on developer, engine, platform(s), releases, license, and cost.

Internet privacy involves the right or mandate of personal privacy concerning the storage, re-purposing, provision to third parties, and display of information pertaining to oneself via the Internet. Internet privacy is a subset of data privacy. Privacy concerns have been articulated from the beginnings of large-scale computer sharing and especially relate to mass surveillance.

Netscape Plugin Application Programming Interface (NPAPI) is a deprecated application programming interface (API) for web browser plugins, initially developed for Netscape Navigator 2.0 in 1995 and subsequently adopted by other browsers.

Adobe Flash Player is a discontinued computer program for viewing multimedia content, executing rich Internet applications, and streaming audio and video content created on the Adobe Flash platform. It can run from a web browser as a browser plug-in or independently on supported devices. Originally created by FutureWave under the name FutureSplash Player, it was renamed to Macromedia Flash Player after Macromedia acquired FutureWave in 1996. After Adobe acquired Macromedia in 2005, it was developed and distributed by Adobe as Adobe Flash Player. It is currently developed and distributed by Zhongcheng for users in China, and by Harman International for enterprise users outside of China, in collaboration with Adobe.

Add-on is the Mozilla term for software modules that can be added to the Firefox web browser and related applications. Mozilla hosts them on its official add-on website.

<span class="mw-page-title-main">HTTP cookie</span> Small pieces of data stored by a web browser while on a website

HTTP cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's computer or other device by the user's web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user's device during a session.

A browser extension is a software module for customizing a web browser. Browsers typically allow users to install a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and styling of web pages.

<span class="mw-page-title-main">Microsoft Silverlight</span> Application framework for writing and running rich Internet applications

Microsoft Silverlight is a discontinued application framework designed for writing and running rich internet applications, similar to Adobe's runtime, Adobe Flash. While early versions of Silverlight focused on streaming media, later versions supported multimedia, graphics, and animation, and gave support to developers for CLI languages and development tools. Silverlight was one of the two application development platforms for Windows Phone, but web pages using Silverlight did not run on the Windows Phone or Windows Mobile versions of Internet Explorer, as there was no Silverlight plugin for Internet Explorer on those platforms.

<span class="mw-page-title-main">Firefox 4</span> Firefox browser released in 2011

Mozilla Firefox 4 is a version of the Firefox web browser, released on March 22, 2011. The first beta was made available on July 6, 2010; Release Candidate 2 was released on March 18, 2011. It was codenamed Tumucumaque, and was Firefox's last large release cycle. The Mozilla team planned smaller and quicker releases following other browser vendors. The primary goals for this version included improvements in performance, standards support, and user interface.

<span class="mw-page-title-main">Google Chrome</span> Web browser developed by Google

Google Chrome is a web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS, iOS, and also for Android, where it is the default browser. The browser is also the main component of ChromeOS, where it serves as the platform for web applications.

<span class="mw-page-title-main">Private browsing</span> Privacy feature in some web browsers

Private browsing, also known as incognito mode or private mode, is a feature available in web browsers that allows users to browse the internet without leaving any traces of their online activity on their device. In this mode, the browser initiates a temporary session separate from its main session and user data. The browsing history is not recorded, and local data related to the session, like Cookies and Web cache, are deleted once the session ends. The primary purpose of these modes is to ensure that data and history from a specific browsing session do not remain on the device or get accessed by another user of the same device.

Google Native Client (NaCl) is a discontinued sandboxing technology for running either a subset of Intel x86, ARM, or MIPS native code, or a portable executable, in a sandbox. It allows safely running native code from a web browser, independent of the user operating system, allowing web apps to run at near-native speeds, which aligns with Google's plans for ChromeOS. It may also be used for securing browser plugins, and parts of other applications or full applications such as ZeroVM.

Web storage, sometimes known as DOM storage, is a standard JavaScript API provided by web browsers. It enables websites to store persistent data on users' devices similar to cookies, but with much larger capacity and no information sent in HTTP headers. There are two main web storage types: local storage and session storage, behaving similarly to persistent cookies and session cookies respectively. Web Storage is standardized by the World Wide Web Consortium (W3C) and WHATWG, and is supported by all major browsers.

Web tracking the practice which websites and third parties collect, store and share information about visitors' activities the World Wide Web. Analysis a behaviour may used provide content that the operator their and may interest various parties, such as. Web tracking can part visitor management.

<span class="mw-page-title-main">Evercookie</span> JavaScript application programming interface

Evercookie is a JavaScript application programming interface (API) that identifies and reproduces intentionally deleted cookies on the clients' browser storage. It was created by Samy Kamkar in 2010 to demonstrate the possible infiltration from the websites that use respawning. Websites that have adopted this mechanism can identify users even if they attempt to delete the previously stored cookies.

A zombie cookie is a piece of data usually used for tracking users, which is created by a web server while a user is browsing a website, and placed on the user's computer or other device by the user's web browser, similar to regular HTTP cookies, but with mechanisms in place to prevent the deletion of the data by the user. Zombie cookies could be stored in multiple locations—since failure to remove all copies of the zombie cookie will make the removal reversible, zombie cookies can be difficult to remove. Since they do not entirely rely on normal cookie protocols, the visitor's web browser may continue to recreate deleted cookies even though the user has opted not to receive cookies.

Firefox was created by Dave Hyatt and Blake Ross as an experimental branch of the Mozilla browser, first released as Firefox 1.0 on November 9, 2004. Starting with version 5.0, a rapid release cycle was put into effect, resulting in a new major version release every six weeks. This was gradually accelerated further in late 2019, so that new major releases occur on four-week cycles starting in 2020.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

References

  1. 1 2 "What are local shared objects?". Security and privacy. Adobe Systems. Archived from the original on 2010-05-29. Retrieved 2007-12-05.
  2. "When the cookies crumbled, so did your web anonymity". The Guardian. 2014-10-04. Archived from the original on 2023-06-05. Retrieved 2023-12-28.
  3. "ActionScript Documentation Reference for Adobe Flash Platform". Adobe Systems. 2011-08-22. Retrieved 2011-09-02.
  4. "What Are Third-Party Local Shared Objects?". Security and privacy. Adobe Systems. Archived from the original on 2010-05-29. Retrieved 2011-08-15.
  5. "How to disable third-party local shared objects". Support. Adobe Systems. Retrieved 2011-08-15.
  6. Kirk, Jeremy (2009-08-11). "Study: Adobe Flash cookies pose vexing privacy questions". Network World . Network World, Inc. IDG News Service. Archived from the original on 2014-04-04. Retrieved 2009-04-10.
  7. Cohn, Michael (2005-03-15). "Flash Player Worries Privacy Advocates". InformationWeek . UBM Techweb. Retrieved 2007-12-05.
  8. Singel, Ryan (2009-08-10). "You Deleted Your Cookies? Think Again". Wired . Condé Nast Digital. Retrieved 2009-08-22.
  9. Vega, Tanzina (2010-09-21). "Code That Tracks Users' Browsing Prompts Lawsuits". New York Times . Retrieved 2011-05-05.
  10. "Part 2: Security, confidentiality, traffic and location data, itemised billing, CLI and directories" (PDF). Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003 (3.4 ed.). United Kingdom: Information Commissioner’s Office. 2006-11-30. Retrieved 2011-05-05.
  11. "Confidentiality of communications". Guide to the Privacy and Electronic Communications Regulations. United Kingdom: Information Commissioner’s Office. Archived from the original on 2011-02-24. Retrieved 2011-05-05.
  12. James Temple (2010-01-29). "All eyes on online privacy". San Francisco Chronicle. Retrieved 11 February 2011.
  13. Donald Melanson (2010-12-04). "FTC says it's talking to Adobe about the problem with 'Flash cookies'". Engadget. Retrieved 11 February 2011.
  14. "Global Storage Settings panel". Flash Player Help. Adobe Systems. 2009-07-14. Retrieved 2011-05-05.
  15. "Website Storage Settings panel". Flash Player Help. Adobe Systems. 2009-07-14. Retrieved 2011-05-05.
  16. "Clear Flash Cookies – Add-ons for Firefox". Firefox Add-ons. Mozilla. November 20, 2017. Retrieved 2018-09-29.
  17. "Adobe - Flash Player : Settings Manager". Flash Player Help. Adobe Systems. 2012-04-14. Retrieved 2012-04-14.
  18. "Microsoft Announces Availability of Internet Explorer 8". PR Newswire . Redmond, Washington: PR Newswire Association LLC. 2009-03-19. Archived from the original on 2009-03-23. Retrieved 2011-05-05.
  19. "Deleting "Flash Cookies" Made Easier". IEBlog. Microsoft Corporation. TechNet Blogs. 2011-05-03. Retrieved 2011-05-05.
  20. 1 2 Imbert, Thibault (2011-03-07). "Introduced Flash Player 10.3 beta!". Adobe AIR and Adobe Flash Player Team Blog. Adobe Systems. Adobe Blogs. Retrieved 2011-05-05. Integration with browser privacy controls for managing local storage – Users will have a simpler way to clear local storage from the browser settings interface – similar to how users clear their browser cookies today.
  21. Huang, Emmy (2011-01-12). "On Improving Privacy: Managing Local Storage in Flash Player". Adobe Flash Platform Blog. Adobe Systems. Adobe Blogs. Retrieved 2011-05-05. Representatives from several key companies, including Adobe, Mozilla and Google have been working together to define a new browser API (NPAPI ClearSiteData) for clearing local data, which was approved for implementation on January 5th, 2011. Any browser that implements the API will be able to clear local storage for any plugin that also implements the API.
  22. 1 2 Mike Beltzner (2011-01-13). "Bugzilla entry 625495 - Clear Adobe Flash Cookies (LSOs) when Clear Cookies is selected in the Privacy > Custom > Clear History" . Retrieved 2011-09-28. Change to the "on close" firefox behavior to use the new NPAPI ClearSiteData API.
  23. 1 2 Mike Beltzner (2011-01-13). "Bugzilla entry 625496 - Clear Adobe Flash Cookies (LSOs) when Cookies is selected in Clear Recent History" . Retrieved 2011-09-28. Change to the "clear recent history" firefox behavior to use the new NPAPI ClearSiteData API.
  24. Claudio Fontana (2011-07-17). "Bugzilla entry 672107 - Add configuration option to treat web cookies and flash shared local objects (LSOs) differently; destructive upgrade from older Firefox versions" . Retrieved 2011-09-28. Loss of data on upgrade bug report, feature request for treating HTTP Cookies and Flash Local Shared Objects differently.
  25. "All my saved games are gone". 2011-06-30. Retrieved 2011-09-28. Kongregate discussion about users losing data as a result of the new browser behavior.
  26. "Mozilla support question: How do I stop "delete cookies" from deleting saved games of a flash based game?". June 2011. Retrieved 2011-09-28. Mozilla support question and follow-ups: How do I stop "delete cookies" from deleting saved games of a flash based game?
  27. Claudio Fontana (2011-07-11). "firefox flash LSO revert patch" . Retrieved 2011-09-28. Third party patch to revert the firefox cookie semantic change
  28. Huang, Emmy (2011-01-12). "On Improving Privacy: Managing Local Storage in Flash Player". Adobe Flash Platform Blog. Adobe Systems. Adobe Blogs. Retrieved 2011-05-05. The ability to clear local storage from the browser extends the work we did in Flash Player 10.1, which launched with a new private browsing feature integrated with the private browsing mode in major browsers, including Google Chrome, Mozilla's Firefox, Microsoft's Internet Explorer, and Apple's Safari.
  29. Betlem, Paul (2010-06-10). "Flash Player 10.1 Now Available for Windows, Mac, and Linux". Adobe AIR and Adobe Flash Player Team Blog. Adobe Systems. Adobe Blogs. Archived from the original on 2011-05-11. Retrieved 2011-05-07.