Local shared object: Difference between revisions

Skrim (talk | contribs)
No edit summary
Line 1:
''Local Shared Object'' (LSO) is a [[cookie]]-like data entity used by [[Adobe Flash]] Player. The application running in the Flash Player can store and retrieve data, which can consist of basic data types (such as strings or numbers) or more complex objects. The data is [[serialization|serialized]] to the user's hard disk. Local Shared Objects are available in Flash Player starting from version 6.
 
== Storage policy ==
 
By default, any domain containing Flash applications can store up to 100kb of data on the user's hard drive (web browser cookies have a 4kb limit). The possible storage sizes are 0kb, 10kb, 100kb, 1Mb, 10Mb and Unlimited.
Flash Player uses a [[Sandbox (security)|sandbox security model]], but, contrary to some definitions, the application does not ask the user's permission to store data on his hard disk. This may constitute a collection of cookie-like data that may include not only user-tracking information but any personal data that the user has entered in any Flash-enabled application, whether it be stand-alone or Web-based.
 
If the current limit is exceeded, the user is shown a dialog requesting storage space of the next size. The user can manually override the amount by right-clicking the Flash application and selecting Settings; however, this applies only to the domain of the Flash movie. If the selected setting is smaller than the current data size, the data is deleted.
LSOs are usually not temporary files, and there is, deliberately as designed by Macromedia, no obvious control panel to opt out of them; instead, the user who wishes to maintain his privacy must discover on his own their presence, and then find the Macromedia Web-site page ([http://www.macromedia.com/support/documentation/en/flashplayer/help/help02.html] or [http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html]) whose links activate the Flash MX Player plug-in and then expose the hidden, Flash-based LSO-opt-out "Settings Manager" control panel.
 
The global LSO settings can be amended at Adobe's web site using the [http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html Global settings manager]. Using the manager, LSOs can be turned off completely.
There are already reports of LSO exploitation by advertisers: [http://internetweek.cmp.com/showArticle.jhtml?articleID=160901743 Flash Player Worries Privacy Advocates (''InternetWeek'')]. Most users, including those familiar with Flash who protect themselves from cookies, are unaware of this kind of tracking, which is not curtailed by customary in-browser cookie settings and most cookie-cleaning utilities: [http://internetweek.cmp.com/showArticle.jhtml?articleID=160400749 Company Bypasses Cookie-Deleting Consumers (''InternetWeek'')].
 
== Storage location ==
LSOs are stored in "SOL files" (typically, files with the extension "SOL"). String data, such as one's name, address, or Social Security Number, are stored by default within SOL files as plain ASCII text, which means that the data are insecure and easily read by any application with read access to the files. SOL files may store far more information than the traditional 4K-limited cookie. The default storage limit is 100K per domain, but the user can set it to "unlimited". If the limit is exceeded, the user is shown a dialog requesting more storage.
 
LSOs are stored in "SOL files" (typically, files with the extension "SOL"). String data, such as one's name, address, or social security number, are stored by default within SOL files as plain ASCII text, which means that the data can easily be read by any application with read access to the files. SOL files may store far more information than the traditional 4K-limited cookie. The default storage limit is 100K per domain, but the user can set it to "unlimited". If the limit is exceeded, the user is shown a dialog requesting more storage.
 
The default storage location for LSOs is operating-system dependent. For Windows XP, the location is within each user's Application Data directory, under Macromedia\Flash Player\#SharedObjects. Additional information is available at the Electronic Privacy Information Center's [http://www.epic.org/privacy/cookies/flash.html Local Shared Objects — "Flash Cookies"] page.
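
Because string data sits in SOL files as plain ASCII, a user or administrator can audit what has been stored with nothing more than read access. The following Python sketch is an added example, not part of the article or of any Adobe tool: it walks a directory tree, lists every .sol file with its size, and pulls out the readable strings. The function names, the sample bytes and the use of the containing directory as a stand-in for the storing domain are assumptions made for illustration.

```python
import os
import re
import tempfile

# Runs of 4+ printable ASCII bytes, like the Unix `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
DEFAULT_LIMIT = 100 * 1024  # default per-domain limit stated in the article (100K)


def audit_shared_objects(root):
    """Return one record per .sol file found under root."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            strings = [m.decode("ascii") for m in PRINTABLE_RUN.findall(data)]
            report.append({"path": os.path.relpath(path, root),
                           "size": len(data), "strings": strings})
    return sorted(report, key=lambda r: r["path"])


def directory_totals(report):
    """Sum .sol sizes per containing directory, for comparison with DEFAULT_LIMIT."""
    totals = {}
    for rec in report:
        key = os.path.dirname(rec["path"])  # assumption: directory stands in for the domain
        totals[key] = totals.get(key, 0) + rec["size"]
    return totals


def build_sample_tree(root):
    """Constructed sample: arbitrary bytes around plain strings, not a real SOL file."""
    d = os.path.join(root, "example.test")
    os.makedirs(d)
    blob = b"\x00\x01\x02name\x02\x00\x08Jane Doe\x00\x03ssn\x02\x00\x0b000-00-0000\x00"
    with open(os.path.join(d, "profile.sol"), "wb") as fh:
        fh.write(blob)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rec in audit_shared_objects(tmp):
            print(rec["path"], rec["size"], rec["strings"])
        print(directory_totals(audit_shared_objects(tmp)))
```

To audit a real profile, pass the #SharedObjects directory named above as <code>root</code> instead of the constructed sample tree.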
 
== Viewing and editing LSOs ==
 
Tools to read and edit SOL files have emerged. Examples of non-Flash SOL-file editors and toolkits include: [http://solve.sourceforge.net SolVE], [http://www.buraks.com/asv/tools/sve.html ASV SOL Viewer and Editor], [http://www.alexisisaac.net .SOL Editor], and [http://dojotoolkit.org Dojo JavaScript Toolkit].
 
== Criticisms ==
 
Flash Player uses a [[Sandbox (security)|sandbox security model]], but, contrary to some definitions, the application does not ask the user's permission to store data on his hard disk. This may constitute a collection of cookie-like data that may include not only user-tracking information but any personal data that the user has entered in any Flash-enabled application, whether it be stand-alone or Web-based.
 
Reports of LSO exploitation by advertisers exist: [http://internetweek.cmp.com/showArticle.jhtml?articleID=160901743 Flash Player Worries Privacy Advocates (''InternetWeek'')]. Most users, including those familiar with Flash who protect themselves from cookies, are unaware of this kind of tracking, which is not curtailed by customary in-browser cookie settings and most cookie-cleaning utilities: [http://internetweek.cmp.com/showArticle.jhtml?articleID=160400749 Company Bypasses Cookie-Deleting Consumers (''InternetWeek'')].
 
Most web browser users do not realize that web pages do not have to offer any visible signs that a Flash application is running and accessing personal information stored in SOL files. It is difficult for the user to detect whether a Flash application is utilizing SOL files.
 
To this day, there is little public awareness of Adobe/Macromedia's hidden, proprietary-cookie LSOs, and no widespread, well-known utility-suite, anti-spyware, or anti-adware programs that address them. Users who delete traditional cookies with such programs may find those cookies resurrected because of Adobe/Macromedia's LSOs: [http://www.out-law.com/page-5502 Tool Can Resurrect Deleted Cookies (''Out-Law.com'')]. Since LSOs, unlike traditional cookies, have no expiration dates, the information resurrected in those cookies may persist indefinitely.
 
The default storage location for LSOs is operating-system dependent. For Windows XP, the location is within each user's Application Data directory, under Macromedia\Flash Player\#SharedObjects. Additional information is available at the Electronic Privacy Information Center's [http://www.epic.org/privacy/cookies/flash.html Local Shared Objects — "Flash Cookies"] page.