A Local Shared Object (LSO) is a collection of cookie-like data stored as a file on a user's PC. LSOs are used by all versions of Adobe Flash Player and those subsequent to Version 5 of Macromedia's now-obsolete Flash MX Player[1].
Security Issues
Hidden Control Panel for Automatic-Opt-In LSO Cookies
Adobe claims that Flash Players use a sandbox security model, but, contrary to that definition, Flash Players do not seek the user's permission to store LSO files on his hard disk. These files contain cookie-like data that may include not only user-tracking information but any personal data that the user has entered in any Flash-enabled application, whether stand-alone or Web-based.
LSOs — an automatic, invisible opt-in for anyone installing any Adobe Flash Player — are not temporary files, and there is, deliberately as designed originally by Macromedia and continued by Adobe, no obvious control panel to opt out of them. Instead, the user who wishes to maintain his privacy must:
- Discover on his own their presence ([1]). No LSO cookie warning is ever provided during Flash-Player installation.
- Connect the LSO-affected PC to the Internet. Unlike other plug-ins such as Java, QuickTime, Adobe Gamma, etc. that have obvious Windows Control-Panel entries for settings adjustments, and browsers such as Firefox, Internet Explorer, Opera, etc. that have widely advertised option menus that permit the user to view and eliminate cookies, the Adobe Flash Player hides its LSO settings and will only permit their display if the PC is Web-connected to Adobe's URL-unfathomable "Global Settings Manager" Web page.
- Find out on his own the URL of the Adobe Web-site page ([2]) whose links activate the Flash Player plug-in and then expose the hidden, Flash-based LSO-opt-out "Global Settings Manager" control panel.
User Privacy Compromised via Local Shared Objects
There are already reports of LSO exploitation by advertisers: Flash Player Worries Privacy Advocates (InformationWeek / InternetWeek). Most users, including those familiar with Flash who protect themselves from cookies, are unaware of this kind of tracking, which is not curtailed by customary in-browser cookie settings and most cookie-cleaning utilities: Company Bypasses Cookie-Deleting Consumers (InformationWeek).
To this day, there is little public awareness of Adobe's hidden, proprietary-cookie LSOs, and no widespread, well-known utility-suite, anti-spyware, or anti-adware programs that address them. Users who delete traditional cookies with such programs may find those cookies resurrected because of Adobe's LSOs: Tool Can Resurrect Deleted Cookies (Out-Law.com).
Since LSOs, unlike traditional cookies, have no expiration dates, the information resurrected in those cookies may persist indefinitely.
Additional information is available at the Electronic Privacy Information Center's Local Shared Objects — "Flash Cookies" page.
User PCs Compromised via Flash Players
Specially crafted files have been shown to cause Flash applications to malfunction, by allowing the execution of malevolent code. The Flash Player has a long history of security flaws that expose computers to remote attacks. Security advisories published in:
- "Macromedia Shockwave Flash: Malformed Header Overflow" (eEye Digital Security, August 2002),
- "Macromedia Shockwave Flash: Malformed-Header Overflow #2" (eEye Digital Security, December 2002),
- "Macromedia Flash Player: Flash-Cookie Predictable-File-Location Weakness" (SecurityFocus, October 2003),
- "Macromedia Flash Player: Improper-Memory-Access Vulnerability" (eEye Digital Security, November 2005),
- "Adobe Flash Player/Plug-in: Video-File-Parsing Remote Code Execution" (SecurityFocus, July 2007), and
- "Adobe Flash Player's DeclareFunction2 Invalid-Object-Use Vulnerability" (SecurityFocus, April 2008)
are just a few of the many vulnerability and exploit reports[2] about various Flash Player versions that allowed the takeover of a victim's PC, whether the viewed Flash SWF file had been embedded in a Web page, sent in an e-mail, or downloaded by the user.
Location of LSO Files
The default storage location for LSO files is operating-system dependent.
- Windows: LSO files are typically stored with a ".SOL" extension within each user's Application Data directory, under Macromedia\Flash Player\#SharedObjects.
- Mac OS X: For Web sites, ~/Library/Preferences/Macromedia/Flash Player. For AIR Applications, ~/Library/Preferences/[package name (ID) of your app].
- GNU-Linux: ~/.macromedia
Additional information is available at the Electronic Privacy Information Center [3].
Firefox Extension "Objection"
For the Firefox Web browser, there is an extension called Objection [4][5] that allows the user to view and delete LSOs.
Programming
The Flash Player allows Web content to read and write LSO data to the computer's local drive on a per-domain basis[6]; such data may preserve session state and record user data and behavior[3].
A Flash application may store up to 100kb of data on the user's hard drive (browser cookies have a limit of just 4kb)[6]. The defined storage sizes are 0kb, 10kb, 100kb, 1Mb, 10Mb, and Unlimited[7]. If the current limit is exceeded, the user is shown a dialog requesting storage space of the next size. The user may override the amount manually by right-clicking the Flash application and selecting Settings; however, this applies only to the domain of the Flash movie. If the selected setting is smaller than the current data size, the data is deleted.
LSO settings may be amended by the user only by browsing Adobe's Flash-laden Web page that invokes Adobe's "Global Settings Manager" control panel[7][8].
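Because no bundled utility lists LSOs, a defender auditing a machine has to inventory the .SOL files by hand. The following script is an added example, not code from the page or from Adobe: it walks a #SharedObjects directory (default locations taken from the "Location of LSO Files" section), groups .sol files per domain, and reports which of the storage tiers listed above each domain's data would need. The on-disk layout #SharedObjects/<random id>/<domain>/.../<name>.sol and the Linux sub-path under ~/.macromedia are assumptions; the sample tree it builds is constructed data.

```python
import os
import tempfile
from pathlib import Path

# Storage tiers as the page lists them: 0kb, 10kb, 100kb, 1Mb, 10Mb, then Unlimited.
QUOTA_TIERS = [(0, "0kb"), (10 * 1024, "10kb"), (100 * 1024, "100kb"),
               (1024 * 1024, "1Mb"), (10 * 1024 * 1024, "10Mb")]

def default_lso_roots() -> list:
    """Candidate #SharedObjects directories per OS (paths from the page; sub-paths assumed)."""
    home = Path.home()
    if os.name == "nt":
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [appdata / "Macromedia" / "Flash Player" / "#SharedObjects"]
    return [home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # Mac OS X
            home / ".macromedia/Flash_Player/#SharedObjects"]                     # GNU/Linux

def quota_tier(total_bytes: int) -> str:
    """Smallest tier from QUOTA_TIERS that holds total_bytes; 'Unlimited' above 10Mb."""
    for limit, name in QUOTA_TIERS:
        if total_bytes <= limit:
            return name
    return "Unlimited"

def inventory(shared_objects_dir) -> dict:
    """Map each domain to (sol_file_count, total_bytes) for every .sol file under the dir."""
    root = Path(shared_objects_dir)
    result = {}
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        # Assumed layout: <random id>/<domain>/.../<name>.sol
        domain = parts[1] if len(parts) >= 3 else "unknown"
        count, size = result.get(domain, (0, 0))
        result[domain] = (count + 1, size + sol.stat().st_size)
    return result

def build_sample_tree(base) -> Path:
    """Write a constructed #SharedObjects tree (dummy bytes, not real LSOs) for the demo."""
    so = Path(base) / "#SharedObjects" / "A1B2C3D4"
    samples = {"tracker.example/ads/uid.sol": 4096,
               "tracker.example/ads/history.sol": 12000,
               "news.example/prefs.sol": 512}
    for rel, size in samples.items():
        (so / rel).parent.mkdir(parents=True, exist_ok=True)
        (so / rel).write_bytes(b"\x00" * size)
    return so.parent

def demo() -> dict:
    """Inventory the constructed tree; returns {domain: (count, bytes, tier)}."""
    with tempfile.TemporaryDirectory() as tmp:
        inv = inventory(build_sample_tree(tmp))
    return {d: (c, b, quota_tier(b)) for d, (c, b) in inv.items()}

if __name__ == "__main__":
    for domain, (count, size, tier) in sorted(demo().items()):
        print(f"{domain:20} {count:3} file(s) {size:8} bytes  needs tier {tier}")
```

To audit a real machine, pass each path from default_lso_roots() that exists to inventory() instead of the constructed tree.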
LSO Editors and Toolkits
Operating-System Support
References
External links