gitmyhub

evercookie

JavaScript ★ 4.7k updated 1y ago

Produces persistent, respawning "super" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they've removed standard cookies and other privacy data such as Flash cookies (LSOs), HTML5 storage, SilverLight storage, and others.

Evercookie is a JavaScript research library that stores a tracking identifier in over a dozen browser locations simultaneously so that clearing standard cookies alone cannot remove it, a technical demonstration of browser storage depth.

JavaScriptPHPsetup: moderatecomplexity 3/5

Evercookie is a JavaScript library that creates extremely persistent tracking identifiers in a browser. It stores a unique value across as many browser storage locations as possible at once, so that even if a user deletes their standard cookies, Flash cookies, or HTML5 storage, the identifier can be restored from any copy that survives.

The approach works by writing the same value to more than a dozen different places: standard HTTP cookies, HTML5 local and session storage, IndexedDB, Flash Local Shared Objects, Silverlight isolated storage, HTTP ETags, browser cache, canvas PNG data, and more. If any one of those copies survives a cleanup, evercookie reads it and re-writes the value to all the others. The result is that clearing cookies in the usual way does not actually remove the identifier.

Some mechanisms require a server-side component. The repository includes PHP scripts for the ETag, cache, and canvas PNG backends. Node.js and Django ports exist as separate projects. The Java-based mechanisms, which can even share identifiers across different browsers on the same machine, are maintained in a companion repository.

The library is a research and demonstration project by Samy Kamkar. The README is direct about the risks: some mechanisms load Flash or Silverlight on page load, which can slow older machines significantly, and the CSS history approach can trigger a large number of HTTP requests. The author notes that using evercookie on real websites can damage user trust and reputation.

Browser vendors have steadily closed many of the storage loopholes this project relies on, so a number of mechanisms no longer work in modern browsers. Several future ideas are listed in the README as unimplemented. The project is best understood as a technical demonstration of how many separate browser storage locations exist, rather than a tool meant for production use.

Where it fits