Flash accidentally subverts the privacy mode of newer browsers?

Pretty much all of the popular browsers now support a “private browsing” mode. The whole concept of this mode is to prevent any history of your browsing activities from being recorded. The problem is that there is nothing forcing browser extensions to respect this mode of operation.

I’ve recently discovered that Flash Player’s settings system stores settings for every site which references Flash Player. This is a nice usability feature: it allows your Flash-related settings to work across browser sessions, and even across different browsers, as long as you remain in the same account. But the filing system itself is also a history of all Flash-enabled sites you’ve visited.

On my Linux box, I have the following directory:

~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys

I also found a similar directory on my Windows 7 box, so this is not just a Linux phenomenon. This directory contains a bunch of subdirectories with names like “#mail.google.com” and “#viddler.com”, each of which has a settings.sol file containing the Flash settings for that particular domain. These get created and updated regardless of privacy mode and of any history clearing you ask your browser to do.

Fortunately, these files are safe to delete (they’ll just get recreated if needed). If you go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html, there are settings there that allow you to manage the offline storage settings, but from my quick tests it seems that the folders are created even when you set the allowed storage to 0 KB.
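To see what this directory reveals on your own machine and clear it, here is an added example (not part of the original post). It assumes the Linux path quoted above and the “#domain/settings.sol” layout described; the function names and the FLASH_SYS_DIR variable are made up for this sketch.

```shell
#!/bin/sh
# Added example: audit and clear Flash Player's per-site settings directories.
# Assumption: the Linux path quoted in the post; override with FLASH_SYS_DIR.
FLASH_SYS_DIR="${FLASH_SYS_DIR:-$HOME/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys}"

# Print one visited domain per line, sorted.
# Per-site directories are named "#<domain>" and hold a settings.sol file.
list_flash_sites() {
    dir="${1:-$FLASH_SYS_DIR}"
    [ -d "$dir" ] || return 0
    for d in "$dir"/\#*/; do
        # Skip the unexpanded glob and anything without a settings file.
        [ -f "${d}settings.sol" ] || continue
        base=${d%/}          # drop trailing slash
        base=${base##*/}     # keep last path component, e.g. "#viddler.com"
        printf '%s\n' "${base#\#}"
    done | sort
}

# Delete every "#<domain>" directory and print how many were removed.
# Flash Player recreates them on demand, so this has to be repeated.
purge_flash_sites() {
    dir="${1:-$FLASH_SYS_DIR}"
    count=0
    for d in "$dir"/\#*/; do
        [ -d "$d" ] || continue
        rm -rf -- "${d%/}"
        count=$((count + 1))
    done
    echo "$count"
}

# Command-line use: "list" shows the recorded sites, "purge" removes them.
case "${1:-}" in
    list)  list_flash_sites ;;
    purge) echo "removed $(purge_flash_sites) site directories" ;;
esac
```

Running it with "list" before and after a private browsing session shows whether the session left new entries behind.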

Obviously this doesn’t give a complete list of all sites that were visited, but let’s face it, much of the questionable content on the internet is served by Flash.

Yet another reason to use NoScript.

2 thoughts on “Flash accidentally subverts the privacy mode of newer browsers?”

  1. Pingback: Can Google Chrome Help Secure Web Browsing? | Error Fix

  2. Nick Coleman

    I have a cron job that runs every week to delete everything below the ~/.macromedia directory. I admit I don’t understand the purpose of everything in those sub-dirs, but I don’t care. Flash has got to the point where it is a real security and privacy risk, so I figure I am safeguarding myself with the small risk of shooting myself in the foot a little bit.
