Flash to offer more control over cookies

Adobe will build in Control Panel access to Flash Player security settings, but is it too little, too late?

Most users are already aware of the risks presented by cookies, the small data files that browsers save on our computers to remember things like login details, or Website preferences. Although arguably harmless, cookies can be used to track visitors across different Websites, and advertisers are increasingly using them to target ads based on our Web surfing habits.

The capability to clear out cookies is built into every browser, but few people realise that Adobe Flash Player--the plug-in used to provide YouTube video and Web games--has a similar system that's annoyingly difficult to monitor and clean. This has led to Websites abusing the system in order to track users.

Flash Player refers to its system of small data files as local shared objects, or LSOs, although the rest of the world calls them Flash cookies. They're typically used to store login details for Websites, or perhaps game scores on Flash games. They can even be used to store larger amounts of data for Flash applications, such as image editors or office programs.

You can see how many LSOs are stored on your system by visiting the Global Storage Settings panel page on Adobe's Website. You can also clear LSOs there and discover what sites they came from (although beware that porn sites are some of the heaviest users and abusers of LSOs, so if you're viewing the LSOs of a shared computer, you could dig up dirt you weren't expecting).

You might be wondering why you have to visit Adobe's Website to clear data on your own computer. That's a very good question and has been asked by many. Adobe's excuse might be that Flash Player is a plug-in, and as such lacks a user interface.

The good news is that, in conjunction with privacy advocates, Adobe has begun work on a number of systems to make it infinitely easier to control LSOs. For example, forthcoming releases of Flash Player will add an applet to Control Panel (or System Preferences on a Mac) to allow the same degree of control over LSOs as can be found at Adobe's Website.

Adobe has also been working with Mozilla and Google to integrate LSO management features directly into Firefox and Chrome, respectively. This is courtesy of a new application programming interface (API) that theoretically can be easily added into any browser by developers. Sadly, there's no news whether Microsoft or Apple will be doing so for Internet Explorer and Safari, and given Apple's rocky relationship with Adobe in recent times, it might be unlikely.

Although the browser control panel will be along soon in Chrome and Firefox, those eager to get a look can try downloading developer builds of Google Chrome in the coming weeks and searching through the Preferences dialog. Beware that these releases haven't even reached the beta stage, however, so won't be stable.

Adobe's work is undoubtedly being spurred on by substantial privacy concerns. Last year entertainment companies Disney, Warner Bros. Records, and others were sued for allegedly tracking users, many of whom were minors, using Flash Player LSOs. Additionally, the University of California at Berkeley published a paper showing how LSOs can be used by nefarious individuals to recreate cookies that the user has chosen to delete. Up to 50 per cent of sites were caught doing so, in fact.
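The per-site LSO listing and the cookie-recreation concern described above can both be checked locally. The following is an added example, not code from Adobe or from the article: it walks a Flash Player `#SharedObjects` tree, counts `.sol` files per originating domain, and flags any file that contains a value also used as a browser cookie. The directory layout, the function names and the sample data are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Typical on-disk root (assumption, not from the article), e.g. on Linux:
#   ~/.macromedia/Flash_Player/#SharedObjects/<random dir>/<domain>/.../*.sol

def inventory_lsos(root, cookie_values=()):
    """Group .sol files by origin domain; flag files holding a known cookie value."""
    report = defaultdict(lambda: {"files": 0, "bytes": 0, "suspects": []})
    needles = [v.encode() for v in cookie_values if v]
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).split(os.sep)
        if len(rel) < 2:          # still above the <domain> level
            continue
        domain = rel[1]
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            entry = report[domain]
            entry["files"] += 1
            entry["bytes"] += len(data)
            # A browser-cookie ID stored verbatim in an LSO is a respawning indicator.
            if any(n in data for n in needles):
                entry["suspects"].append(path)
    return dict(report)

def build_sample_tree(root):
    """Constructed sample data: one site mirrors the HTTP cookie ID, one does not."""
    samples = {
        ("QX7ZK2PD", "tracker.example", "id.sol"): b"constructed-lso uid=a1b2c3d4",
        ("QX7ZK2PD", "games.example", "scores.sol"): b"constructed-lso score=4200",
    }
    for (profile, domain, name), body in samples.items():
        folder = os.path.join(root, profile, domain)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(body)

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = inventory_lsos(root, cookie_values=["a1b2c3d4"])
        return {d: (e["files"], len(e["suspects"])) for d, e in report.items()}

if __name__ == "__main__":
    for domain, (files, suspects) in sorted(run_demo().items()):
        print(f"{domain}: {files} LSO file(s), {suspects} matching a browser cookie value")
```

To audit a real profile, pass the actual `#SharedObjects` directory as `root` and the identifier values exported from the browser's cookie store as `cookie_values`.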

Flash Player has been under attack from all directions in recent times, with Apple leading the charge and pointing out that Flash is to be superseded by HTML5, which will be built into every browser. For this reason Apple does not include Flash Player on its iPhone or iPad devices, and has also begun leaving it off MacBook Air computers, possibly because of battery drain issues.

However, although cynics might suggest that Adobe's efforts are too little, too late, the fact is that--imperfect as it is--Flash is still a strong contender for providing interactive and multimedia content online for some time to come. As well as addressing security issues, forthcoming releases of Flash Player are also to be significantly more efficient, and will therefore drain laptop batteries less.

Demonstrations of multimedia and interactive functionality via HTML5 are still novel enough to raise eyebrows and engender a short round of applause--hardly a sign that HTML5 is yet mature enough to push aside a more established technology, regardless of security issues.

Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com and his Twitter feed is @keirthomas.
