Evercookie: All Your Privacy…

Evercookie is an open source JavaScript API that produces virtually irrevocable persistent cookies (hence the name) with the goal of identifying a client even after they’ve removed standard cookies, Flash cookies and other usual forms of cookies.

Evercookie accomplishes this by storing the cookie data in some novel ways and locations:

  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite
  • Storing cookies in Web History

To top it all off, if a user deletes most of the cookies, as long as one of them remains it will be discovered and the others will “come back”.

It even works cross browser.

If a user switches to a new browser, as long as the Local Shared Object cookie is present, the cookies will reproduce on the new browser.

What if the user deletes their cookies?

That’s the great thing about evercookie. With all the methods available, currently eight, it only takes one cookie to remain for most, if not all, of them to be reset again. For example, if the user deletes their standard HTTP cookies, LSO data, and all HTML5 storage, the PNG cookie and history cookies will still exist. Once either of those is discovered, all of the others will come back (assuming the browser supports them).
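An auditor can confirm the respawning behaviour described above by comparing storage snapshots taken after a first visit, after a partial clear, and after a revisit. The following is an added example, not part of Evercookie or of the original post; the store names, the `findRespawned` helper and all sample values are constructed for illustration.

```javascript
// Added example: detect identifier respawning from three storage snapshots.
// Store names and all sample values below are constructed for illustration.
const afterFirstVisit = {
  httpCookie: { uid: "a1b2c3d4e5", theme: "dark" },
  localStorage: { uid: "a1b2c3d4e5" },
  flashLSO: { uid: "a1b2c3d4e5" },
};
// The user cleared HTTP cookies and HTML5 storage but not the Flash LSO.
const afterClear = {
  httpCookie: {},
  localStorage: {},
  flashLSO: { uid: "a1b2c3d4e5" },
};
// The same page was loaded again.
const afterRevisit = {
  httpCookie: { uid: "a1b2c3d4e5", theme: "light" },
  localStorage: { uid: "a1b2c3d4e5" },
  flashLSO: { uid: "a1b2c3d4e5" },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

// Returns entries that existed, were cleared, and came back with the same
// value while an uncleared store still held that value.
function findRespawned(first, cleared, revisit, minLen = 8) {
  // Map each surviving value to the stores that kept it through the clear.
  const survivors = new Map();
  for (const [store, entries] of Object.entries(cleared)) {
    for (const value of Object.values(entries)) {
      if (String(value).length < minLen) continue; // ignore short values
      survivors.set(value, [...(survivors.get(value) || []), store]);
    }
  }
  const findings = [];
  for (const [store, entries] of Object.entries(revisit)) {
    for (const [key, value] of Object.entries(entries)) {
      const wasSet = has(first[store], key) && first[store][key] === value;
      const wasCleared = !has(cleared[store], key);
      if (wasSet && wasCleared && survivors.has(value)) {
        findings.push({ store, key, restoredFrom: survivors.get(value) });
      }
    }
  }
  return findings;
}

console.log(findRespawned(afterFirstVisit, afterClear, afterRevisit));
```

A non-empty result names each store that was repopulated and the surviving store that still held the same value, which tells the user which storage mechanism the clearing step missed.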

Does this work cross-browser?

If a user gets cookied on one browser and switches to another browser, as long as they still have the Local Shared Object cookie, the cookie will reproduce in both browsers.

Does the client have to install anything?

No, the client simply uses the website without even knowing about the persistent data being set, just as they would use a website with standard HTTP cookies.

To download the source code or learn more about these cookies, which appear to solve the cookie persistence problem and could have large implications for user tracking, visit Samy Kamkar’s site.