Security researcher Samy Kamkar has released a particularly insidious tool designed to create browser cookies that you simply can't delete - the Evercookie API.
Using a raft of techniques, Kamkar is able to generate a series of cookies that can survive multiple purges and even track a user between browsers.
works by creating a series of linked cookies using a variety of different storage methods: standard HTTP cookies, which can be cleared from the browser; Local Shared Objects via Flash, which only operate when a Flash plug-in is installed but require a separate clean-up and which can be detected from any Flash-enabled browser; HTML5's session storage, local storage, global storage, and database storage via SQLite; cleverly manipulated page titles that store cookie information in the browser's history; and, most impressively of all, a cookie in the form of specific RGB values in an auto-generated PNG, which is forced into cache and read back using HTML5's Canvas tag.
If that list isn't impressive enough, Kamkar is also looking to add more vectors to the list, including Silverlight's Isolated Storage and HTTP ETags.
The insidious nature of the Evercookie is that it only takes a single element to remain, and the next time an Evercookie-enabled site is visited, all elements will be recreated with the original tracking information intact.
Currently, that information is limited to a single value between one and 1,000 - not enough for individual tracking applications. Kamkar, however, has released the source code for the project, meaning that anyone wanting to track users can start to use the techniques he has developed immediately.
Clearly, Kamkar's creation has major implications for privacy although he states that "I've found that using Private Browsing in Safari will stop ALL evercookie methods after a browser restart
." It's likely that advertisers will start to pick up Kamkar's techniques soon, and as more vectors are added to the Evercookie, it will become harder to avoid its tracking.
Are you shocked that someone would work on such a privacy-destroying creation, or merely disappointed that anyone would think the Evercookie was a good idea? Share your thoughts over in the forums