Local Shared Objects

From FlashSec

Jump to: navigation, search
Shared Objects
Developer Macromedia/Adobe
Release
Website(s)
Documentation
Wikipedia Local Shared Objects
OSFlash

Local Shared Objects (also referenced as Shared Object, Flash Cookies, LSO or SOL) is a cookie-like data entity used by Adobe Flash Player. The application running in the Flash Player can store and retrieve data, which can consist of basic data types (such as strings or numbers) or more complex objects. The data is serialized to the user's hard disk. The Local Shared Objects are available in Flash Players starting from version 6.

Contents

[edit] Storage policy

By default, any domain containing Flash applications, can store up to 100kb of data to user's hard drive (web browser cookies have a 4kb limit). The possible storage sizes are 0kb, 10kb, 100kb, 1Mb, 10Mb and Unlimited.

If the current limit is exceeded, the user is shown a dialog requesting storage space of the next size. The user can manually override the amount by clicking the Flash application with right mouse button and selecting Settings - however, this applies only to the domain of the Flash movie. If the selected setting is smaller than the current data size, the data is deleted.

The global LSO settings can be amended at Adobe's web site using the Global settings manager. Using the manager, the LSO's can be turned off completely.

[edit] Storage location

LSOs are stored in "SOL files" (typically, files with the extension "SOL"). String data, or data containing alphanumeric characters, are stored by default within SOL files as plain text, which means that the data can easily be read by any application with read access to the files.

The default storage location for LSOs is operating-system dependent. For Windows XP, the location is within each user's Application Data directory, under Macromedia\Flash Player\#SharedObjects. Additional information is available at the Electronic Privacy Information Center's Local Shared Objects — "Flash Cookies" page.

[edit] Viewing and editing LSOs

Tools to read and edit SOL files have emerged. Examples of non-Flash SOL-file editors and toolkits include: s2x, SolVE, .sol Editor and Dojo JavaScript Toolkit.

[edit] Criticisms

Flash Player uses a sandbox security model], but, contrary to some definitions, the application does not ask the user's permission to store data on his hard disk. This may constitute a collection of cookie-like data that may include not only user-tracking information but any personal data that the user has entered in any Flash-enabled application, whether it be stand-alone or Web-based.

Most web browser users do not realize that web pages do not have to offer any visible signs that a Flash application is running and accessing personal information stored in SOL files. It is difficult for the user to detect whether a Flash application is utilizing SOL files.

To this day, there is little public awareness of Adobe/Macromedia's hidden, proprietary-cookie LSOs, and no widespread, well-known utility-suite, anti-spyware, or anti-adware programs that address them. Users who delete traditional cookies with such programs may find those cookies resurrected because of Adobe/Macromedia's LSOs: Tool Can Resurrect Deleted Cookies (Out-Law.com). Since LSOs, unlike traditional cookies, have no expiration dates, the information resurrected in those cookies may persist indefinitely.

[edit] External Links

[edit] SOL Format

[edit] Tutorials

[edit] Other Docs

[edit] Firefox Extensions

  • AMO: BetterPrivacy - easily remove LSOs. warning: after install ALL LSOs will be erased. 'fix' by hacking the XPI to suit