Locally Shared Objects and Flash Cookies – CompTIA Security+ SY0-401: 3.5

A number of security concerns are related to cookies and the information that we’re storing in our computer. In this video, you’ll learn about Flash cookies and how these locally shared objects can potentially leak information to the bad guys.

<< Previous Video: Cookies, Header Manipulation, and Session HijackingNext: Malicious Add-ons and Attachments >>

If you’re using Adobe Flash on your computer then you may have objects stored on your computer called locally shared objects or LSOs. Locally shared objects are also referred to as Flash cookies. And this is a place that the Flash player uses to store information on your computer. This is turned on by default and it’s very common for applications to store information that they might want to use for later. This is a stored area that applies to all the browsers you might be using and any time you would use the Flash player on your computer. So everything is in one place, in one common directory.

Ideally, the LSO can only be read by the domain that added that information into your computer. So if you had for instance, example.com stored some data as a locally shared object, only example.com would be able to access that information. Thereby creating at least some level of privacy associated with that data. Although all of this data is in a shared directory, it is still only going to limit access to that information by the domain that originally stored it. For example, if you visit a website www.example.com and it’s stored some information as an LSO, that information can only be read from Flash that is running on www.example.com. Example.com could pass that information off to another domain, but by default only the domain that created that information is allowed to view it.

If a Flash program is simply storing some local variables or information that it needs to operate, that is a pretty innocuous use of the LSO, but you can store anything is a Flash cookie. You can store browsing history. You can store information about where you are visiting and things that you’ve typed into your browser. All of that information can be stored as a Flash cookie. Many websites will use these flash cookies and they’ll store that information but they may not directly tell you that they are storing this information as a Flash cookie. And what people have found is that some of their private information has been stored on their computer without their knowledge.

There have been a number of legal challenges associated with these LSO. Sometimes the private information that you think is on your computer and not available to anyone else could be made available to a third party and because of that a number of class action suits have been created. In some countries you have to be specifically told when these particular locally stored objects are going to be used, and you have to consent to it. If you visit a website for instance in the United Kingdom, you’ll get a message on your screen that says, this website uses cookies, is that OK with you? And you have to then agree to use those locally stored objects. This is one of the latest challenges that we’ve run into regarding the use of our private information, all because of those local flash cookies that are stored on our computer.