Deleting cookies from computer.


P

Peter Jason

Win7 SPi Firefox 22

I have turned off the cookies in Firefox, but when
I run CCleaner the same set always appears on its
result screen. Where are the cookies stored in
Windows Explorer so that I check it out? The
cookies always appear only when I start up
Firefox.
Peter
 
Ad

Advertisements

N

Nil

I have turned off the cookies in Firefox, but when
I run CCleaner the same set always appears on its
result screen. Where are the cookies stored in
Windows Explorer so that I check it out? The
cookies always appear only when I start up
Firefox.
They are not stored in any human-readable form. Firefox cookies are
stored in a MySQLite database called cookies.sqlite in the profile
folder.
 
P

Peter Jason

They are not stored in any human-readable form. Firefox cookies are
stored in a MySQLite database called cookies.sqlite in the profile
folder.
I found the file & renamed it. But Firefox
generates a new one automatically and then lists
the same cookies. Something is regenerating the
cookie list.
 
P

Peter Jason

Get these two extensions for Firefox:

Better Privacy

Foundstone HTML5 Local Storage Explorer


Just click on Firefox in the upper left hand corner of the screen and
then click on addons and search for them. You can then delete them or
block them.

You probably have Adobe Flash Player installed. That's where the
cookies are coming from.
Thanks, I have downloaded them for a try.
Peter
 
P

Paul

Peter said:
I found the file & renamed it. But Firefox
generates a new one automatically and then lists
the same cookies. Something is regenerating the
cookie list.
So you have reached this conclusion, based on the
file size of the Firefox "cookies.sqlite" ?

Or, some software is reading the file for you ?

*******

Mine is 226,304 bytes right now, and it is empty.

If I run the following command in a command prompt window...

sqlite3 cookies.sqlite .dump > cookies.txt

I get this for a result. There is no cookie in here.
A cookie would have an IP address.

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT,
host TEXT, path TEXT,expiry INTEGER,
lastAccessed INTEGER, isSecure INTEGER,
isHttpOnly INTEGER);
COMMIT;

Now, if I use a hex editor on the file, I can see a tiny bit more.
Which is not actually part of the database (it doesn't show up
in a dump). It looks like a portion of a sector does not get
overwritten.

1375063129.scorecardresearch.com/U
7d437fd7-184.84.243.11-1375063129.scorecardresearch.com/U
test_cookieCheckForPermission.doubleclick.net/Q

Get yourself a matching copy of sqlite and give it a try.
What you would need to find out, is what version of sqlite
that Firefox is still using. It might be sqlite3, but I can't
be sure. The download here says "3.7.17 and beyond". My copy is
several years old.

http://www.sqlite.org/download.html

HTH,
Paul
 
P

Paul

Peter said:
Thanks, I have downloaded them for a try.
Peter
Flash cookies are stored in a different place. The
word "Macromedia" may be in the path.

C:\Documents and Settings\username\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

And the Flash control panel, has a delete option. I just
tested it (there were three entries in the folder with "#"
character in their names), and all three were deleted
by the Delete button in the Flash control panel.

Paul
 
Ad

Advertisements

P

Paul in Houston TX

Paul said:
Flash cookies are stored in a different place. The
word "Macromedia" may be in the path.

C:\Documents and Settings\username\Application Data\Macromedia\Flash
Player\macromedia.com\support\flashplayer\sys

And the Flash control panel, has a delete option. I just
tested it (there were three entries in the folder with "#"
character in their names), and all three were deleted
by the Delete button in the Flash control panel.

Paul
Yup. Few people know about Macromedia flash cookies.
They are really insidious; tracking our streamed videos.
 
P

Peter Jason

So you have reached this conclusion, based on the
file size of the Firefox "cookies.sqlite" ?

Or, some software is reading the file for you ?

*******

Mine is 226,304 bytes right now, and it is empty.

If I run the following command in a command prompt window...

sqlite3 cookies.sqlite .dump > cookies.txt

I get this for a result. There is no cookie in here.
A cookie would have an IP address.

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT,
host TEXT, path TEXT,expiry INTEGER,
lastAccessed INTEGER, isSecure INTEGER,
isHttpOnly INTEGER);
COMMIT;

Now, if I use a hex editor on the file, I can see a tiny bit more.
Which is not actually part of the database (it doesn't show up
in a dump). It looks like a portion of a sector does not get
overwritten.

1375063129.scorecardresearch.com/U
7d437fd7-184.84.243.11-1375063129.scorecardresearch.com/U
test_cookieCheckForPermission.doubleclick.net/Q

Get yourself a matching copy of sqlite and give it a try.
What you would need to find out, is what version of sqlite
that Firefox is still using. It might be sqlite3, but I can't
be sure. The download here says "3.7.17 and beyond". My copy is
several years old.

http://www.sqlite.org/download.html

HTH,
Paul

Thanks, I did this and used a Hex editor to delete
the contents. It didn't work though.
 
N

Nil

I found the file & renamed it. But Firefox
generates a new one automatically and then lists
the same cookies. Something is regenerating the
cookie list.
Sounds like you did that while Firefox was still open.
 
N

Nil

Yup. Few people know about Macromedia flash cookies.
They are really insidious; tracking our streamed videos.
Ccleaner has the option to remove Flash cookies.
 
Ad

Advertisements

P

Paul

Peter said:
Thanks, I did this and used a Hex editor to delete
the contents. It didn't work though.
Arrgh!

No, that's not necessary.

Delete the file if you're unhappy with it.

I don't know where the garbage is coming from in the file.
(It's possible when you clear cookies, the file size is
never reduced, and only certain sectors are completely rewritten.)

The sqlite .dump command shows what is "real" in the file.
The parts that don't matter to sqlite, I don't know if they
were already on that disk sector, or whether an uninitialized
buffer in the sqlite driver is doing that.

If you wanted to "cleanse" the file, you could try re-creating
the file, using the output of the .dump. As far as I know,
the stuff in the .dump output, should be the same stuff
needed to re-create the file. I've never had to do that
before, so I don't know the recipe right off hand.

It occurs to me, that maybe what I need, is VACUUM command.

Vacuum is not to be used carelessly.
I've seen claims you need to re-index or something, before
you're done. So it isn't perfectly harmless, when there
are multiple database files.

http://www.sqlite.org/lang_vacuum.html

It would be something along the lines of

sqlite3 cookies.sqlite VACUUM;

As seen here...

http://www.reddit.com/r/linux/comments/7nri6/compact_your_firefox_sqlite_databases_for_f_in/

You play with the databases, only when Firefox is not running.
You'd check Task Manager to make sure. (Because Firefox is not
dead, even if the GUI goes away. Sometimes it is still running,
which is why you check Task Manager before VACUUMing.

And until you can prove what you're doing has no side
effects, keep backups of any important files. For example,
if you're playing with vacuuming places.sqlite, you'd keep a backup
copy handy just in case.

OK, when I VACUUM my cookies.sqlite, it becomes 2048 bytes,
and only the important stuff remains (no more garbage). If I do
a dump again, I get the expected stuff for an "empty cookies".
So it's not damaged (because we expect it to be virtually empty,
and there is nothing to index here).

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT,
host TEXT, path TEXT,expiry INTEGER,
lastAccessed INTEGER, isSecure INTEGER,
isHttpOnly INTEGER);
COMMIT;

It might be a different situation, if there were actual cookies in
there, and VACUUMing created an indexing problem. I don't know
anything about databases, and this is just something I read when
researching what happens if you vacuum places.sqlite or equivalent.
In the case of places.sqlite, you're trying to preserve that
one most of the time, so it's important not to damage it.

*******

Firefox Private browsing mode...

http://forum.piriform.com/index.php?showtopic=22704

Near the bottom of that page, it mentions that "sessionstore.js"
can contain cookies. It's possible if you kill Firefox with Task
Manager, cookies could be left in there. And conversely, the
cookies.sqlite gets updated when Firefox exits.

In a test here, sessionstore.js exists if you "kill" Firefox from
Task Manager. Whereas if you shut down Firefox normally, there is
no need to keep track of the session, and sessionstore.js is
deleted. So it's just a way of allowing you to recover a session
if Firefox exits abnormally. So I don't see that as being an issue,
unless you go around "hammering" Firefox a lot just for fun. When
I looked in my sessionstore, I didn't see a cookie, but plenty of
URLs were in there anyway. So it does keep some information. But
on a normal termination of Firefox, that file is gone.

Paul
 
V

VanguardLH

Peter said:
Win7 SPi Firefox 22

I have turned off the cookies in Firefox, but when I run CCleaner
the same set always appears on its result screen. ...
The cookies always appear only when I start up Firefox.
Not a Windows 7 issue. A Firefox issue. The Firefox newsgroup is
over at:

mozilla.support.firefox
(on Mozilla's NNTP server: news.mozilla.org)

You sure you didn't install some extensions that themselves create
cookies. It's been awhile but I remember some users noting some
extension create their own cookies. You would have to uninstall those
extensions or always run Firefox in its safe mode.

For example, the TabMix extension for Firefox stores its own session
information in cookies that it creates. You need to review what
extensions you installed and educate yourself on their behavior(s).
Another source for saving cookies is Firefox's own session manager.
You would have to disable the built-in session restore but then you
won't have crash recovery. For these extensions or Firefox, just
where are they supposed to store the session data when Firefox is not
running or when it crashes? If that info weren't in cookies then it
would just be in some other handy file that survives between Firefox
sessions.
 
J

Johnny

Yup. Few people know about Macromedia flash cookies.
They are really insidious; tracking our streamed videos.
I stopped using Flash because of the hidden persistent cookies, and
because a lot of websites are using HTML5 Video, but now it looks like
an even worse tracking cookie is available. The Forever Cookie.

This is from an article I was reading that some people might find
interesting:


From Wikipedia:

An Evercookie is not merely difficult to delete. It actively “resists”
deletion by copying itself in different forms on the user’s machine and
resurrecting itself if it notices that some of the copies are missing or
expired. Specifically, when creating a new cookie, Evercookie uses the
following storage mechanisms when available:

Standard HTTP cookies
Local Shared Objects (Flash cookies)
Silverlight Isolated Storage
Storing cookies in RGB values of auto-generated, force-cached PNGs
using HTML5 Canvas tag to read pixels (cookies) back out
Storing cookies in Web history
Storing cookies in HTTP ETags
Storing cookies in Web cache
window.name caching
Internet Explorer userData storage
HTML5 Session Storage
HTML5 Local Storage
HTML5 Global Storage
HTML5 Database Storage via SQLite

Hold on – there’s more:

The developer is looking to add the following features:

Caching in HTTP Authentication
Using Java to produce a unique key based on NIC information.

We’re not quite finished.

https://billmullins.wordpress.com/2012/07/12/open-source-bleachbit-0-9-3-deletes-html5-cookies/
 
P

Paul

Johnny said:
I stopped using Flash because of the hidden persistent cookies, and
because a lot of websites are using HTML5 Video, but now it looks like
an even worse tracking cookie is available. The Forever Cookie.

This is from an article I was reading that some people might find
interesting:


From Wikipedia:

An Evercookie is not merely difficult to delete. It actively “resists”
deletion by copying itself in different forms on the user’s machine and
resurrecting itself if it notices that some of the copies are missing or
expired. Specifically, when creating a new cookie, Evercookie uses the
following storage mechanisms when available:

Standard HTTP cookies
Local Shared Objects (Flash cookies)
Silverlight Isolated Storage
Storing cookies in RGB values of auto-generated, force-cached PNGs
using HTML5 Canvas tag to read pixels (cookies) back out
Storing cookies in Web history
Storing cookies in HTTP ETags
Storing cookies in Web cache
window.name caching
Internet Explorer userData storage
HTML5 Session Storage
HTML5 Local Storage
HTML5 Global Storage
HTML5 Database Storage via SQLite

Hold on – there’s more:

The developer is looking to add the following features:

Caching in HTTP Authentication
Using Java to produce a unique key based on NIC information.

We’re not quite finished.

https://billmullins.wordpress.com/2012/07/12/open-source-bleachbit-0-9-3-deletes-html5-cookies/
Good catch. What a nightmare.

At the end of this Arstechnica article, they mention a
"Nevercookie" addon.

http://arstechnica.com/security/2010/10/it-is-possible-to-kill-the-evercookie/?comments=1&start=40

Further info on Nevercookie. I hope the only source isn't
the Anonymizer site. I prefer Addons to be vetted at least
a little bit.

http://www.securityweek.com/nevercookie-eats-evercookie-new-firefox-plugin

All I can find on the anonymizer.com site is advertising. So
I guess it was just a bait and switch.

*******

If I saw evidence of that kind of tracking, I would simply
use Procmon, track all writefile operations, and identify
all the directories attacked in a browsing session. That
would be a start at "leak detection".

The author of Evercookie, has cookie test capability
on his personal web page. You can use this to test
your eradication capabilities. It plants a cookie, then
reads out all the storage methods that worked (for the
browser you chose to test with). Different browsers
may give different results, so you'll need to test
all the browsers you use normally. For example, I clicked
his button, stayed on the page, did a "clear cookies", and
the cookie could still be detected.

http://samy.pl/evercookie/

I sure hope there are some limits on where Javascript
can write. This suggests the browser is bloody porous.
Something I didn't know, would never have suspected.
Waiting for my first .exe to get overwritten...

Paul
 
P

Paul

Paul said:
Good catch. What a nightmare.

At the end of this Arstechnica article, they mention a
"Nevercookie" addon.

http://arstechnica.com/security/2010/10/it-is-possible-to-kill-the-evercookie/?comments=1&start=40


Further info on Nevercookie. I hope the only source isn't
the Anonymizer site. I prefer Addons to be vetted at least
a little bit.

http://www.securityweek.com/nevercookie-eats-evercookie-new-firefox-plugin

All I can find on the anonymizer.com site is advertising. So
I guess it was just a bait and switch.

*******

If I saw evidence of that kind of tracking, I would simply
use Procmon, track all writefile operations, and identify
all the directories attacked in a browsing session. That
would be a start at "leak detection".

The author of Evercookie, has cookie test capability
on his personal web page. You can use this to test
your eradication capabilities. It plants a cookie, then
reads out all the storage methods that worked (for the
browser you chose to test with). Different browsers
may give different results, so you'll need to test
all the browsers you use normally. For example, I clicked
his button, stayed on the page, did a "clear cookies", and
the cookie could still be detected.

http://samy.pl/evercookie/

I sure hope there are some limits on where Javascript
can write. This suggests the browser is bloody porous.
Something I didn't know, would never have suspected.
Waiting for my first .exe to get overwritten...

Paul
There is a press release for Nevercookie here. Still no download.

https://www.anonymizer.com/company/pressroom/archive/pr-20101110/

The download button at the top here, gives a "certificate problem".

http://www.pcworld.com/article/232424/anonymizer_nevercookie.html

( http://www.nevercookie.anonymizer.com/ <--- didn't work for me )

The picture contains a hint as to the extent of its capabilities.

http://zapp3.staticworld.net/downloads/graphics/screenshots/169130f.jpg

Tick boxes:
Enable LSO Quarantine for Private Browsing
(Adobe Flash Player LSO storage is mentioned)
Enable MIS Quarantine for Private Browsing
(That one is for Silverlight)

You wouldn't expect a plugin from 2011, to know much
about HTML5. So I suppose you have to pay for their
product, to get something decent.

What a pain in the ass...

Paul
 
Ad

Advertisements

J

Johnny

Good catch. What a nightmare.

At the end of this Arstechnica article, they mention a
"Nevercookie" addon.

http://arstechnica.com/security/2010/10/it-is-possible-to-kill-the-evercookie/?comments=1&start=40


Further info on Nevercookie. I hope the only source isn't
the Anonymizer site. I prefer Addons to be vetted at least
a little bit.

http://www.securityweek.com/nevercookie-eats-evercookie-new-firefox-plugin

All I can find on the anonymizer.com site is advertising. So
I guess it was just a bait and switch.

*******

If I saw evidence of that kind of tracking, I would simply
use Procmon, track all writefile operations, and identify
all the directories attacked in a browsing session. That
would be a start at "leak detection".

The author of Evercookie, has cookie test capability
on his personal web page. You can use this to test
your eradication capabilities. It plants a cookie, then
reads out all the storage methods that worked (for the
browser you chose to test with). Different browsers
may give different results, so you'll need to test
all the browsers you use normally. For example, I clicked
his button, stayed on the page, did a "clear cookies", and
the cookie could still be detected.

http://samy.pl/evercookie/

I sure hope there are some limits on where Javascript
can write. This suggests the browser is bloody porous.
Something I didn't know, would never have suspected.
Waiting for my first .exe to get overwritten...

Paul
Hopefully Mozilla won't like their browser used this way and will
provide protection from the cookies.

I understand that these cookies can also be shared between browsers on
the same computer.

I don't consider this tracking, to me, it's hacking someone's computer.
 
P

Paul

Paul said:
How interesting!
Thanks for the head's up.
Bleachbit uses XML files for control, with lines like this.
It's multi-platform, so path names for more than one platform
are present in the XML. There are 76 XML files in the Cleaners
folder.

<action command="delete" search="walk.files" path="$localappdata\Mozilla\Profiles\default\Cache\"/>

And for some reason, I don't see a firefox.xml, just a seamonkey.xml.

Also, doing a text search on the source, I'm not seeing how they
access sqlite to do a VACUUM. There is a claim they do a VACUUM to
clean up unused space in .sglite files.

So the source package is a bit weird looking. Not
the evidence I was looking for. Why no Firefox.xml in there ?
Where does the sqlite3 file come from ?

Their builder script, also looks to pack (UPX) the Windows
version. Which isn't that reassuring for guys like me.
I don't have a good set of tools for UPX. I like to
inspect things when I download them. I can always toss
the thing into virustotal.com, but of course the people sourcing
the package can also do that.

When you click the "BleachBit portable (official)" link here...

http://bleachbit.sourceforge.net/download/windows

my downloader dialog says it comes from here.

http://katana.oooninja.com/bleachbit/sf/BleachBit-0.9.6-portable.zip

So you should be aware it hasn't been scanned by sourceforge. It's
an offsite link. Gets 3 hits out of 45. Could be related to packing,
but who knows...

https://www.virustotal.com/en/file/c0bc9d937d1a5c46a8d5a54c26a6f7d4a852463f96f77d0f09052fea8dfeedbd/analysis/

The complexion of the package is quite different in the ZIP.
It has an sqlite3.dll, so that answers the question how it
can VACUUM an .sqlite file.

Paul
 
Ad

Advertisements

J

John

Not a Windows 7 issue. A Firefox issue. The Firefox newsgroup is
over at:

mozilla.support.firefox
(on Mozilla's NNTP server: news.mozilla.org)

You sure you didn't install some extensions that themselves create
cookies. It's been awhile but I remember some users noting some
extension create their own cookies. You would have to uninstall those
extensions or always run Firefox in its safe mode.

For example, the TabMix extension for Firefox stores its own session
information in cookies that it creates. You need to review what
extensions you installed and educate yourself on their behavior(s).
Another source for saving cookies is Firefox's own session manager.
You would have to disable the built-in session restore but then you
won't have crash recovery. For these extensions or Firefox, just
where are they supposed to store the session data when Firefox is not
running or when it crashes? If that info weren't in cookies then it
would just be in some other handy file that survives between Firefox
sessions.
"DoNotTrackMe", and maybe other anti-tracking stuff, stores cookies
telling sites not to track the Firefox session. These cookies are
restored every time you delete them unless you bin DNT first.
J.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top