Zombie Cookies

What is a “Zombie Cookie?”

According to Wikipedia, “A zombie cookie is any HTTP cookie that is recreated after deletion from backups stored outside the web browser’s dedicated cookie storage. It may be stored online or directly onto the visitor’s computer, in a breach of browser security.” In the cases covered here, those backups are stored as Flash cookies.

What makes them different?

Zombie cookies are cookies, but of a special kind. To understand them, we have to lay down some basics first: Adobe’s Flash Player Plugin also relies on cookies, but not browser cookies. These specially designed Flash cookies, also known as LSOs (Locally Shared Objects), are not stored in the browser’s default location; they are stored in a special area predesignated by Adobe, outside the browser. As a result, a browser cannot remove them the way it removes a typical, run-of-the-mill cookie. Some very clever people noticed this and took advantage of it: they began storing tracking data as Flash cookies that had the ability to recreate normal cookies, effectively raising them from the dead.

Can they track me across browsers?

Short answer: Yes. Flash cookies are stored in a unique location outside of the browser and are invoked by the Flash Player Plugin. That means that if you visit a site in Google’s Chrome browser, then close it and access that same site in Mozilla’s Firefox browser, a Flash cookie can transmit information about you from Chrome to Firefox. The same holds for any browser capable of invoking the Flash Player Plugin.

What is their purpose?

This type of cookie exists for a number of reasons, and one of the more neutral ones is tracking views. A lot of online advertisers pay site owners by the number of impressions their ad receives, in other words the number of unique, individual views. This seems simple enough, but as we discussed in the last article, when you delete the cookies in your browser you are seen as a new, unique user across the web. Without the ability to track you across multiple browsers and sessions, even after cache clearings, advertisers’ impression models could be gamed and artificially inflated by dishonest site owners.

How can I rid myself of these zombie cookies?

There are manual ways of doing this, with instructions strewn across the Internet, so we will not elaborate here. You might search for their file type, “*.sol,” but proceed with caution. As of Flash Player 10.3, Adobe has introduced an “Online Settings Manager,” but the fastest and most efficient way to delete these zombie cookies (and other caches) is to use CCleaner.
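Before deleting anything, it helps to see which sites have left “*.sol” files behind. The following is an added example, not part of the original article: a read-only Python inventory that groups Flash cookies by site. The storage roots and the `<root>/<profile id>/<site>/...` directory layout are assumptions based on commonly documented Flash Player behaviour, and `site_of` and `inventory` are illustrative names.

```python
"""Read-only inventory of Flash cookies (*.sol), grouped by the site that set them."""
import os
import sys
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import Path

# Assumption (not from the article): commonly documented Flash Player LSO roots.
DEFAULT_ROOTS = [
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",  # Linux
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
]
if os.environ.get("APPDATA"):  # Windows
    DEFAULT_ROOTS.append(Path(os.environ["APPDATA"]) / "Macromedia/Flash Player/#SharedObjects")


def site_of(sol_path, root):
    """Name the site that owns a .sol file.

    Assumed layout: <root>/<random profile id>/<site>/.../<name>.sol
    """
    parts = Path(sol_path).relative_to(root).parts
    return parts[1] if len(parts) >= 3 else "(unknown)"


def inventory(root):
    """Return {site: {"files", "bytes", "last_write"}} for every *.sol under root."""
    root = Path(root)
    report = defaultdict(lambda: {"files": 0, "bytes": 0, "last_write": 0.0})
    if not root.is_dir():
        return {}
    for sol in root.rglob("*.sol"):
        if not sol.is_file():
            continue  # skip directories that happen to end in .sol
        info = sol.stat()
        entry = report[site_of(sol, root)]
        entry["files"] += 1
        entry["bytes"] += info.st_size
        entry["last_write"] = max(entry["last_write"], info.st_mtime)
    return dict(report)


def main(argv):
    # Nothing is deleted: this only lists what is there so you can decide what to remove.
    for root in [Path(a) for a in argv[1:]] or DEFAULT_ROOTS:
        for site, e in sorted(inventory(root).items()):
            when = datetime.fromtimestamp(e["last_write"], timezone.utc)
            print(f"{site}\t{e['files']} file(s)\t{e['bytes']} bytes\tlast written {when:%Y-%m-%d %H:%M} UTC")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to check the default locations, or pass one or more directories to inspect instead.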

Do they respect private browsing modes?

Yes, as of June 10, 2010 with version 10.1.
