Flash accidentally subverts the privacy mode of newer browsers?

Pretty much all of the popular browsers now support a “private browsing” mode. The whole concept of this mode is to prevent any history of your browsing activities from being recorded. The problem is that there is nothing forcing browser extensions to respect this mode of operation.


I’ve recently discovered that Flash Player’s settings system stores settings for every site which references Flash Player. This is a nice usability feature. It allows your Flash-related settings to work across browser sessions, and even across different browsers, as long as you remain in the same account. But the filing system itself is also a history of all Flash-enabled sites you’ve visited. On my Linux box, I have the following directory:

~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys

I also found a similar directory on my Windows 7 box, so this is not just a Linux phenomenon. This directory contains a bunch of directories with names like “#mail.google.com” and “#viddler.com”, each of which has a settings.sol file containing the Flash settings for that particular domain. These get created and updated regardless of privacy mode and any history clearing you ask your browser to do.

Fortunately, these files are safe to delete (they’ll just get recreated if needed). The settings manager at http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html lets you manage the offline storage settings, but from my quick tests, it seems that the folders are created even when you set the allowed storage to 0 KB.
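To see what that directory reveals and to clear it, here is a small script, added as an example and not part of the original post. It assumes the layout described above ("#domain" folders, each holding a settings.sol); the function names are made up for illustration, and the default path is the Linux one quoted earlier, so pass a different directory on other systems.

```python
"""Added example: audit and clear Flash Player per-site settings folders."""
import shutil
import sys
from datetime import datetime
from pathlib import Path

# Linux location quoted in the post; pass another path for other systems.
DEFAULT_SYS_DIR = Path.home() / ".macromedia/Flash_Player/macromedia.com/support/flashplayer/sys"


def list_flash_sites(sys_dir=DEFAULT_SYS_DIR):
    """Return [(domain, last_modified, path)] for each '#domain' folder, newest first."""
    sys_dir = Path(sys_dir)
    if not sys_dir.is_dir():
        return []
    sites = []
    for entry in sys_dir.iterdir():
        # Per-site folders are named '#<domain>'; leave anything else alone.
        if not entry.is_dir() or entry.is_symlink() or not entry.name.startswith("#"):
            continue
        sol = entry / "settings.sol"
        # settings.sol is rewritten on visits, so its mtime approximates "last seen".
        stamp = (sol if sol.is_file() else entry).stat().st_mtime
        sites.append((entry.name[1:], datetime.fromtimestamp(stamp), entry))
    return sorted(sites, key=lambda s: s[1], reverse=True)


def purge_flash_sites(sys_dir=DEFAULT_SYS_DIR):
    """Delete every per-site folder and return the domains that were removed."""
    removed = []
    for domain, _, path in list_flash_sites(sys_dir):
        shutil.rmtree(path)
        removed.append(domain)
    return removed


if __name__ == "__main__":
    # Usage: script.py [list|purge] [directory]
    root = Path(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_SYS_DIR
    if len(sys.argv) > 1 and sys.argv[1] == "purge":
        for domain in purge_flash_sites(root):
            print("removed", domain)
    else:
        for domain, when, _ in list_flash_sites(root):
            print(f"{when:%Y-%m-%d %H:%M}  {domain}")
```

Since the folders are recreated on the next visit, the purge only helps if it is run after each browsing session, for example from a logout script.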

Obviously, this doesn’t give a complete list of all sites that were visited, but let’s face it, much of the questionable content on the internet is served by Flash.

Yet another reason to use NoScript.