Flashkies? Cooshes? Something like that.

Settings tab for a Flash 6 movie

Macromedia Flash MX - Using local shared objects in Macromedia Flash MX

If you haven't heard yet, the Flash 6 player is out and will probably be installed on your machine before long. Well, you should know that it includes the capability to store data on your computer, much like a web browser's "cookie" feature. Here's a demo of it (note: running the demo will upgrade you to the Flash 6 player if you haven't already). The demo created a "local shared object" file that it placed in this location on my computer: C:\Documents and Settings\Brad\Application Data\Macromedia\Flash Player\macromedia.com\support\flash\ts\documents\local_so\local_so.swf\flashcookie.sol. I expect the contents under that "Flash Player" directory to mushroom in the coming months.

For the paranoid web surfer, this could be a problem because it's all done through the Flash plugin, so your cookie-blocking software won't block them. And a domain (by default) can store up to 100 kilobytes of data (compare that to the 4 kilobyte limit set by some browsers). Here's Macromedia's security white paper that's supposed to make you feel all warm and fuzzy about this.

For the application developer, this means that you can create robust, rich (and fat) clients to your web services, storing and retrieving persistent Flash objects on the user's hard drive. And, that data is accessible even if the user switches from one browser to another because the data is owned by the Flash player, not the browser.

For the advertiser, this feature is pure gold. Your Flash ads can now better track the user and can communicate with the page (via JavaScript) too, so you can embed all kinds of logic and metadata that can be tracked across domains AND communicated back to your servers (as long as the Flash movie was served from one of your servers).

For you crackers/script kiddies out there, roll up your sleeves. There's got to be holes left in this new technology and it's just too irresistible to pass up. Better yet, Flash movies running from e-mails don't run in the security sandbox enforced on web documents, so that makes your job a lot easier (granted, there are no local file access functions in Flash, but if the player can access the local file system chances are good there is a buffer overflow that can be exploited to do so).

NB: While you can disable this feature on a site-by-site basis (right click on Flash movie, choose 'Settings' and click on the little folder tab for local storage options), I've yet to find a setting anywhere that disables the Flash local shared objects altogether.


chris.L said:

You can disable the shared objects altogether. In the Flash player properties, accessible by right-clicking on a Flash movie, set the max cookie size slider bar to 0. Doing so causes a prompt to be shown to the user every time a movie asks them to store something. They can allow or deny it at that point.


mike said:

The LSO is also just a text file, so unless the SWF has encrypted it you can open it in a text editor and see the data that's being stored.
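Reading back what a movie stored in a .sol file like the flashcookie.sol mentioned in the post, as an added example (not code from the post, from either commenter, or from Macromedia): the strings are visible in a text editor, as the comment says, but the keys and numeric values sit in binary AMF0 fields, so a small parser gives a cleaner inventory of what a site persisted. The file layout described in the comments and the sample record the code builds are my assumptions and a constructed sample, not taken from this page.

```python
import struct

# Assumed .sol layout (AMF0-era "TCSO" format, not documented on this page):
#   00 BF | u32 len of rest | "TCSO" | 00 04 00 00 00 00 | u16 name_len | name | u32 amf_version
#   followed by entries: u16 key_len | key | AMF0 value | 00
AMF0_NUMBER, AMF0_BOOL, AMF0_STRING = 0x00, 0x01, 0x02

def _amf0_value(data, pos):
    # Decode one AMF0 value at pos; return (value, position after it)
    t, pos = data[pos], pos + 1
    if t == AMF0_NUMBER:
        return struct.unpack(">d", data[pos:pos + 8])[0], pos + 8
    if t == AMF0_BOOL:
        return bool(data[pos]), pos + 1
    if t == AMF0_STRING:
        n = struct.unpack(">H", data[pos:pos + 2])[0]
        return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    raise ValueError(f"unsupported AMF0 type 0x{t:02x} at offset {pos - 1}")

def parse_sol(data):
    """Return (shared object name, dict of stored keys) for an AMF0 .sol blob."""
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a Flash local shared object")
    if struct.unpack(">I", data[2:6])[0] != len(data) - 6:
        raise ValueError("length field does not match file size")
    name_len = struct.unpack(">H", data[16:18])[0]
    name = data[18:18 + name_len].decode("utf-8")
    pos = 18 + name_len
    if struct.unpack(">I", data[pos:pos + 4])[0] != 0:
        raise ValueError("only AMF0 (version 0) payloads are handled here")
    pos += 4
    items = {}
    while pos < len(data):
        klen = struct.unpack(">H", data[pos:pos + 2])[0]
        key = data[pos + 2:pos + 2 + klen].decode("utf-8")
        value, pos = _amf0_value(data, pos + 2 + klen)
        items[key] = value
        pos += 1  # skip the 0x00 that terminates each entry
    return name, items

def build_sample_sol():
    """Constructed sample of what a tracking SWF might persist (not a real capture)."""
    def entry(key, payload):
        return struct.pack(">H", len(key)) + key.encode() + payload + b"\x00"
    body = (b"TCSO\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", 11) + b"flashcookie" + b"\x00\x00\x00\x00"
            + entry("visits", bytes([AMF0_NUMBER]) + struct.pack(">d", 3.0))
            + entry("uid", bytes([AMF0_STRING]) + struct.pack(">H", 6) + b"abc123")
            + entry("optout", bytes([AMF0_BOOL]) + b"\x00"))
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body
```

Run it against a real file with `parse_sol(open(path, "rb").read())`; the length and version checks make it stop on a truncated file or a newer AMF3 payload instead of returning partial data.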


This article was published on May 30, 2002 11:31 PM.
