Adobe Flash Player uses special cookies called Local Shared Objects (LSO’s) which are immune to normal cookie deletion. Most people have heard of cookies (small text files stored on your computer) and the associated privacy risk – because they can be used to track your computer activity.
Many web browsers are set to delete all cookies automatically when the browser closes so you might think all cookies would be deleted? Think again, Flash Player employs LSO’s – you won’t find them in your browser’s history and they are independent of browsers so even uninstalling the web browser wouldn’t delete them.
Are Flash Cookies A Risk? Cookies are usually viewed as a minor privacy risk – they are limited in size to just 4KB (Kilobytes) and are easy to delete. However, Flash Player cookies (LSO’s) store more data (up to 100KB) and are more difficult to remove – assuming you even know where they are, which most people don’t…
LSO’s can also be used to decide whether a website is able to access your webcam and microphone, a feature that has been subverted by malicious sites in the past to spy on and record people in their own home – candid camera for the Facebook generation!
Remember that Flash Player is used to display flash animations and videos so Flash LSO’s provide a list of websites where such content was viewed – maybe fine if it was YouTube but fairly incriminating if the list of websites reads like a naughty dictionary of the letter X. In our computer repair business we are often asked by concerned parents to look for signs of adult material that teenagers may have browsed on the family computer (usually leaving it a virus infested mess).
Of course most teenagers are PC-literate enough to have covered their tracks by erasing the browsing history, cookies and recently opened files – some may even use the excellent Ccleaner for this purpose. However, even Ccleaner can’t erase LSO’s so a quick look at the LSO website list gives their mucky pup game away
Where Are Flash Cookies Stored?
The list of websites is actually managed online by the Website Storage Settings Manager at Adobe’s website here. Note: The Settings Manager that you see on that webpage is not an image – it is the actual Settings Manager for your computer. You can click the tabs to see different panels, and click the options in the panels to change your Adobe Flash Player settings. You may be surprised how many websites there are in the list!
The Settings Manager reads the LSO’s stored on your computer – the actual cookie files can be found in the following folder on your main hard drive (usually C: drive) – Users (or ‘Documents and Settings’ in XP) / ‘your user account name’ / application data / Macromedia / Flash Player / Macromedia.com / support / flashplayer / sys. Within this ‘sys’ folder you will see folders created by each website (e.g. #websitename) and within each of these folders is stored the actual website flash cookie – it is a .sol file.
How To Delete These Flash Cookies?
You need to delete them in 2 places:
- In the Website Storage Settings Panel click ‘Delete All Sites’ and click Confirm to delete them – this deletes the website names from the Settings Manager and also deletes the .sol files within each folder in the ‘sys’ folder but it leaves the folder names in the ‘sys’ folder intact (which still provides an audit trail of websites you have visited – not much use for hiding all those juicy ‘x’ addresses!)
- In the ‘sys’ folder on your computer, delete all the #websitename folders to delete the folder names – and then empty the recycle bin.
What A Hassle!
It’s been like that for years (whilst most people have been blissfully unaware of flash cookies at all) but it is soon to be made easier when Adobe release Flash Player version 10.3. This new version will allow web browsers to automatically erase the LSO’s the same as all normal cookies when the browser history is deleted. Internet Explorer and Google Chrome already support this upcoming change and we are sure Firefox will too by the time Flash 10.3 is released.
Details are sketchy though – it remains to be seen whether the actual folder names will be deleted in the ‘sys’ folder as well as in the online Settings Manager – if they aren’t it will remain a privacy concern if someone has access to your computer.