Macromedia has hacked all your computers

Flash Cookies a well kept secret of the Internet.


Local Shared Objects (LSO), commonly called flash cookies, are collections of cookie-like data stored as a file on a user's computer. LSOs are used by all versions of Adobe Flash Player and Version 6 and above of Macromedia's now-obsolete Flash MX Player.

Flash Players use a sandbox security model. With the default settings, Adobe Flash Player does not seek the user's permission to store LSO files on the hard disk. LSOs contain cookie-like data stored by individual web sites or domains. Indeed, as with cookies, online banks, merchants or advertisers may use LSOs for tracking purposes.

The current version of Flash does not allow 3rd party LSOs to be shared across domains. For example, an LSO from "www.example.com" cannot be read by the domain "www.example2.com".

However, any domain can read the master LSO, which contains a listing of all LSO placing websites visited.

LSOs can be used by web sites to collect information on how people navigate those web sites even if people believe they have restricted the data collection. More than half of the internet’s top websites use LSOs to track users and store information about them. There is relatively little public awareness of LSOs, and they can usually not be deleted by the cookie privacy controls in a web browser. This may lead a web user to believe a computer is cleared of tracking objects, when it is not.

Several services even use LSOs as surreptitious data storage to reinstate traditional cookies that a user deleted, a policy called "re-spawning" in homage to video games where adversaries come back to life even after being "killed". So, even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as "backup." In USA, at least five class-action lawsuits have accused media companies of surreptitiously using Flash cookies