Adobe Flash Player: a greater risk to privacy and security than you may realize
Do you know that if you have Adobe’s Flash Player plugin installed in your web browser, your internet activity and history are potentially being tracked and used without your knowledge or permission? Just managing tracking cookies through your web browser doesn’t prevent your internet browsing activity, and its history, from being tracked. Additionally, if you believe that just keeping your computer current and fully patched with all of Microsoft’s critical updates keeps your computer safe from hackers, think again. Even using an antivirus program with the most current virus definitions doesn’t always prevent your computer and privacy from being at risk.
Recently I came across a news article that caught my eye. It was a New York Times technology piece with the title “Code that tracks users’ browsing prompts lawsuits” (Vega, 2010). This article reports on the increasing number of consumers taking legal action against companies that track their web activity without the consumer’s knowledge or permission. Adobe’s Flash Player is the main conduit for capturing this tracking data. This isn’t the first time that Adobe’s Flash Player has created legal privacy issues. In 2008, Windows Secrets Newsletter published an article on Adobe’s Flash cookie privacy issues. Recently they published another article called “Eliminate Flash-spawned “zombie” cookies” following up on the same issue (Leonhard, 2010). Adobe has done little to resolve this issue. These lawsuits are directed at Adobe and other companies that collect and sell information about your web browsing activity without your knowledge or permission. Another ominous contention is that some companies are surreptitiously using Flash cookies to glean information from your browser, even though you have your web browser set to reject tracking cookies.
How does this happen
Adobe’s Flash Player browser plugin stores Flash cookies on your computer, separate from your better-known browser HTML cookies. Both types of cookies are used to store browsing and site preferences, along with your browsing history and tracking information. Flash cookies, like your web browser cookies, are small bits of data saved by the websites you visit. These websites use these cookies to store website settings and info (like your name, preferences, Flash game scores, etc.), to track website behavior, and to target you for specific advertisements. They can also create what is known as a persistent identification element to uniquely identify you and track what websites you have visited.
Flash cookies are not managed through your web browser’s cookie settings. This same Flash cookie storage area can also be used to store a copy of your browser’s cookies, allowing Adobe’s Flash to recreate cookies that have been previously deleted from your browser, i.e. spawned ‘zombie’ cookies.
What to do to protect yourself
Adobe doesn’t make it easy for users to manage Flash cookies. By default, when Flash Player is installed, it automatically allows third parties to store and access your computer. To change these settings you need to access Flash’s Global Setting Manager. The easiest, most straightforward way to get started is to open your web browser and copy the Adobe URL listed in my references (Ezinearticles does not allow me to place the link here). Or do a Google search on: “adobe flash player setting manager.” The macromedia.com link should be the first and second items found.
This will take you to the Global Setting panel for Adobe’s Flash Player (see Adobe Flash Player Global Setting Manager below). The image embedded on the web page is the actual management console, not a picture. The current version of this panel has eight panels or tabs. Each tab covers a different aspect of privacy and security. You may want to add this to your browser’s Favorites for future reference.
Adobe Flash Player Global Setting Manager
Global Privacy Settings
The first tab on the Global Setting Manager is for your computer’s camera and microphone settings. You have the option of setting this as “Always deny…” or “Always ask…” The “Always ask…” option forces the Flash Player to ask for your permission before allowing a third party to access your computer’s camera and microphone. “Always deny…” does just that: it always denies permission to access your camera and microphone. You will not receive any notification that a third party tried to access either your camera or microphone with this option.
Your current settings are not displayed. Clicking on “Always deny…” or “Always ask…” overrides any previous global setting made for this. This setting is for sites you have not already visited. I recommend that you select the “Always ask” option. This will allow you the option of using an interactive flash site, requiring the use of your camera and microphone. You will be prompted to confirm your selection.
You will always be prompted for your permission at any website requesting access to your camera and microphone.
Global Flash Cookie Storage Settings
The second tab of the Global Setting Manager controls how much disk space you will allow for new web sites (third-parties) to store information, Flash cookies, on your computer. By denying all, you may prevent some websites from functioning correctly.
This panel determines the amount of disk space you will automatically allow third-parties to use for websites you have not already visited. Some websites may not function correctly if you do not allow some disk space storage. This is the total amount for each website. If a website needs or wants more you will receive a prompt to allow or disallow this additional space (see below). Your installed Flash Player must be version 8, or newer, to have the option of allowing or disallowing third-party flash content. If your Flash version is older than version 9, you will not have the option to allow/disallow storage and sharing of common Flash components.
The suggested settings that work for me are shown above. The Allow third-party Flash, and Store common Flash, are needed by a lot of sites to allow them to function correctly.
Global Security Settings
The third tab is the Global Security Settings panel. This panel controls how Shockwave Flash (SWF) and Flash Video (FLV) are handled. The problem with these types of files is that they can contain applets or computer scripts that can be used to collect and share information about you without your knowledge or permission. Both SWF and FLV files can be embedded on web pages. These files can and do exchange audio, video, and data using Macromedia’s Real Time Messaging Protocol. It is possible for SWF or FLV content stored locally on your computer to communicate with the Internet without your knowledge or permission.
I recommend setting this to “Always ask.” If a website needs to store Flash cookies on your computer, you will be prompted for permission. By being prompted, you will be aware of the website’s tracking activity.
Global Flash Update Notification Setting
The fourth tab is the Global Notification Settings panel. This is where you set how often Flash checks for updates. I recommend enabling this feature and having Flash check for updates at least every seven days. I strongly recommend that Flash updates be installed as soon as possible for security reasons. By keeping your Flash Player updated, you make the malicious code writers’ job just a little harder. The security vulnerabilities for Flash Player plugins are very well-known.
After installing any Flash updates you should validate that your privacy and security settings have not changed. With previous Flash updates, the settings within the Flash manager have reverted back to default, i.e. wide-open, settings.
Protected Content/License Settings
The fifth tab is the Protected Content Playback Settings panel. When you purchase or rent Flash “protected” content, license files are downloaded to your computer. Sometimes these files become corrupted. By resetting these files, new licenses can be downloaded. This option should only be used when protected Flash content is not playing correctly, and a technician has advised you to reset the licenses files. This will reset ALL license files stored on your computer; you are not able to select individual files.
If you click on the “Reset License Files” button you will be prompted to confirm or cancel your selection.
Website Privacy Settings
The sixth tab is the Website Privacy Settings panel. This is the list of websites you have granted permission to store data on your computer. This panel is where you can “Always ask,” “Always allow,” or “Always deny” access to your computer’s camera and microphone.
The recommended setting is “Always ask” or “Always deny.” You can edit these by highlighting the website and changing the permission or deleting the website. You can also remove all the websites from this list by selecting “Delete all sites.” The settings on this panel override the default setting from the Global Privacy Settings panel for these particular websites.
If you choose to delete a website from this list you are prompted for confirmation.
Note: The list of websites displayed in this and the following panels are stored on your computer and displayed to allow you to view and change your local settings. Adobe claims that it has no access to this list, or to any of the information that the websites may have stored on your computer.
Website Storage Settings
The seventh tab is the Website Storage Settings panel. This lists all the websites that you have visited that use Flash content, and how much storage they are using on your computer. You can change the amount of storage you allow, delete individual websites, or all the websites. This panel overrides the Global Storage panel settings.
On a Windows 7 computer, the storage location for these files is: C:\Users\user_name\Application Data\Macromedia\Flash Player in a folder called #SharedObjects or a subfolder of: macromedia.com\support\flashplayer\sys.
Note: Deleting the website using the Flash Global Settings Manager only removes the website’s storage content; it does not remove the folder created for the website. An empty folder will remain on your computer.
By selecting a website and using the “Delete website” button, you can delete that website from the list of visited websites. This also removes all data that the website has stored from this storage area.
Peer-Assisted Networking Settings
The last tab is the Peer-Assisted Networking Settings panel. This is where you allow or disallow users who are playing the same content to share your bandwidth. If you are not on a broadband internet connection, you never want to use this option. When in use, this option increases network traffic on your internet connection and to your computer.
It is recommended that you disable this option. This will not prevent Flash from working.
Other Notes and Considerations
The current versions of Internet Explorer 8 and Firefox version 3.6 share the same Flash settings. Changing or updating Flash through this console makes the changes for both. To verify this, validate the Flash Management console from within each web browser you use.
On a Windows 7 computer, you can manually manage Flash cookies by navigating to: C:\Users\user_name\Application Data\Macromedia\Flash Player in a subfolder located at #SharedObjects\nonsensical-filename and macromedia.com\support\flashplayer\sys. Deleting the website using the Flash Global Settings Manager only removes the website’s storage content; it does not remove the folder created for the website. An empty folder will remain on your computer in the C:\Users\user_name\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys folder. The Application Data folder is a hidden system folder. You will have to make hidden directories visible using the “Show hidden files, folders, and drives” option under the Folder View option. You may also need system permission to actually view and navigate these directories on a Windows 7 computer.
Instead of doing this manually, you can also use a free utility like Flash Cookie Cleaner 1.0, produced by ConsumerSoft (www.ConsumerSoft.com). This product will clean up and eliminate unwanted and unneeded Flash cookies in both the #SharedObjects and macromedia.com subfolders. This is a much simpler and more efficient way to clean up Flash cookies. You can download this free program from: http://www.flashcookiecleaner.com/ . This utility is free of spyware, adware, viruses, and other malicious programs. Download and save this file to your desktop and run it from there. This is a stand-alone program that does not install itself on your computer.
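To see what the manual check of the two storage folders involves, here is an added example (not part of the original article, and not Adobe's or ConsumerSoft's code) that reports per-site Flash cookie storage and the empty folders left behind after “Delete website.” It assumes Flash cookies are .sol files, that site folders sit one level below the randomly named folder in #SharedObjects and directly below sys, and that sys folder names may carry a leading “#”; the sample tree and its names are constructed.

```python
import tempfile
from pathlib import Path

# Subfolders of the Flash Player directory named in the article.
SHARED = Path("#SharedObjects")
SYS = Path("macromedia.com") / "support" / "flashplayer" / "sys"

def _subdirs(path):
    return sorted(d for d in path.iterdir() if d.is_dir()) if path.is_dir() else []

def audit_flash_storage(flash_root):
    """Return (per_site, empty_dirs): .sol usage per site and leftover empty folders."""
    flash_root = Path(flash_root)
    # Assumed layout: #SharedObjects/<random name>/<site>/... and sys/<site>/...
    site_dirs = [s for r in _subdirs(flash_root / SHARED) for s in _subdirs(r)]
    site_dirs += _subdirs(flash_root / SYS)
    per_site, empty_dirs = {}, []
    for site_dir in site_dirs:
        files = [p for p in site_dir.rglob("*") if p.is_file()]
        if not files:  # what "Delete website" leaves behind
            empty_dirs.append(site_dir.relative_to(flash_root).as_posix())
            continue
        entry = per_site.setdefault(site_dir.name.lstrip("#"), {"files": 0, "bytes": 0})
        for p in files:
            if p.suffix.lower() == ".sol":
                entry["files"] += 1
                entry["bytes"] += p.stat().st_size
    return per_site, sorted(empty_dirs)

def build_sample(root):
    """Create a constructed Flash Player tree (sample data, not real cookies)."""
    root = Path(root)
    layout = {
        SHARED / "AB12CD34" / "tracker.example" / "id.sol": 120,
        SHARED / "AB12CD34" / "games.example" / "scores" / "hi.sol": 40,
        SYS / "#tracker.example" / "settings.sol": 30,
    }
    for rel, size in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\0" * size)
    (root / SHARED / "AB12CD34" / "deleted.example").mkdir()  # emptied, not removed
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sites, leftovers = audit_flash_storage(build_sample(tmp))
        for name, info in sorted(sites.items()):
            print(f"{name}: {info['files']} .sol file(s), {info['bytes']} bytes")
        print("empty leftover folders:", leftovers)
```

To audit a real profile, pass the Flash Player directory given above to audit_flash_storage; the function only reads and never deletes anything.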
References
Adobe – Flash Player: Help. (n.d.). Adobe. http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html
ConsumerSoft – Freeware Products. (n.d.). ConsumerSoft.
Leonhard, W. (2010, August 5). Eliminate Flash-spawned “zombie” cookies. Windows Secrets.
Vega, T. (2010, September 20). Code that tracks users’ browsing prompts lawsuits. The New York Times.
To request a pdf of the article with screen shot please visit the Friend Consulting web site and send an email from there with the Title: Adobe Insecurity.