ProPrivacy is reader supported and sometimes receives a commission when you make purchases using links on this site.

What are Supercookies, Flash cookies, Zombie cookies?

After years of awareness-raising campaigns by privacy activists, which culminated this year in the European Union passing a ‘cookie law’ banning any EU company or any company targeting EU citizens from placing ‘non-essential’ cookies on users computers without their consent, most internet users now know about cookies.

Unfortunately, most of what people know about cookies regards HTTP (or ‘normal’) cookies; small text files that are left in your browser’s cookie folder and that, in addition to doing lots of useful things such as remembering your passwords and favorite website preferences, can be used to identify you and track your movements across the World Wide Web.

Understandably concerned about the privacy issues involved, the internet-using public has fought back and taken increasing effective measures to block, delete or control cookies, assisted by the fact most modern browsers have added cookie management and blocking features.

Perhaps unsurprisingly, marketing and analytics companies have looked for ways to circumvent these measures and to continue uniquely identifying and tracking internet users. A primary means of doing this has been through the use of supercookies.

What is a supercookie?

Supercookie is a catch-all term used to refer to bits code left on your computer that performs a similar function to cookies, but which are much more difficult to find and get rid of than regular cookies. The most common type of supercookie is the Flash cookie (also known as an LSO or Local Shared Object), although HTTP ETags and Web Storage also fall under the moniker. In 2009 a survey showed that more than half of all websites used Flash cookies.

The reason that you may never have heard of supercookies, and why they are so hard to find and get rid of, is that their deployment is deliberately sneaky and designed to evade detection and deletion. This means that most people who think they have cleared their computers of tracking objects have likely not.

The EU ‘cookie law’ does encompass supercookies within its generic description, but as the law has been very vaguely worded about what constitutes a ‘bad’ cookie, and has been poorly enforced anyway (not to mention that most sites demand you accept their use of cookies if you wish to continue using them), its effectiveness at curbing supercookie use (or even regular HHTP cookie use other than by raising people's awareness of the issue) has been minimal at best.

Apple’s stand against Flash’s various insecurities however, has helped contribute to  Flash Player’s growing obsolescence, with HTML5 increasingly fulfilling the functions once more commonly performed by Flash. Combined with support for LSA deletion by the major browsers, this has led to a decline in the use of Flash cookies, although they remain a substantial menace to internet users worried about tracking.

Flash Cookies and Zombie Cookies

The most common kind of supercookie is a Flash cookie which uses Adobe’s multimedia Flash plugin to hide cookies on your computer that cannot be accessed or controlled using your browser’s privacy controls (at least traditionally, most major browsers now include deletion of Flash cookies as part of their cookie management).

Because these cookies are stored outside the browser you cannot protect yourself by using a different browser (for example one for your banking website and another for riskier web surfing), as the Flash cookies will be available to all browsers (i.e. a cookie acquired when using Chrome will also be available to websites when using Firefox). In addition to this, Flash cookies can hold up to 100kb rather than just the 4kb held by HTTP cookies.

One of the most notorious (and freaky!) kinds of Flash cookie is the ‘zombie cookie’, a piece of Flash code that will regenerate normal HTTP cookies whenever they are deleted from a browser’ cookie folder.

How to deal with Flash cookies

Change your Flash preferences

This is always worth doing, although some LSOs seem adept at evading the preferences settings.

1. To remove existing site cookies go to the Adobe Website Storage Settings Panel, where will you see a list of Flash cookies on your computer. If you recognize any of the websites in the list and visit them regularly, then you may want to keep their cookies as they can provide useful functionality, but you can delete the others.

flash 1

2. To prevent new sites from writing cookies, go to the Adobe Global Storage Settings Panel (or just click on the Global Storage Settings tab in the Settings Manager), drag the slider to ‘None’, and click ‘Never Ask Again’. Note that doing this may create problems with websites that rely on Flash functionality.

flash 2

Manually delete Flash cookies This is also a good way to check that other methods have worked properly.

  • In Windows open an Explorer window and type ‘%appdata%’ into the search bar. Double-click Macromedia -> Flash Player -> macromedia.com -> support’ -> flashplayer -> sys (we told you they were hidden away!). Any folders you see (which should contain a .sol file, which is the actual cookie) can be deleted.
  • In OSX try going to Users -> username -> Library -> Preferences -> Macromedia -> Flash Player-> and look for any .sol files in the folders
  • In Linux go to home -> username/ .macromedia -> Flash_Player -> macromedia.com -> support -> flashplayer -> sys, or run the command ‘find ~/.macromedia/ -type f -name settings.sol -exec rm -v {} \;

Use CCleaner to automatically delete Flash cookies

CCleaner  is a great tool for clearing the rubbish out of your system, but by default it does not clear out Flash cookies. To set CCleaner to clean Adobe Flash Cookies:

  1. In CCleaner, click the Cleaner icon and then the Applications tab.
  2. Under Multimedia, select Adobe Flash Player.

[Note. As of 2024, this is an old article. Most of the information remains current, but the use of CCleaner is no longer recommended.]

Use a dedicated Flash cookie cleaner utility

Examples include GrekSoft Flash Cookie Remover (Windows) and FlushFlash (Windows and OSX).


flushflash

Flush Flash for Mac

Use Google Chrome or Internet Explorer to delete Flash Cookies

Modern versions of Chrome, Internet Explorer (IE8+), and Firefox work with Flash Player 10.3+ to delete Flash cookies automatically, using the browsers’ built-in Clear History functions. While we applaud this move, which uses the NPAPI ClearSiteData API, it is not perfectly implemented and we and we found LSOs on our system after using it.

Block Flash cookies in Android

Apple led the charge when it came to making a stand against Flash, and iOS users do not have to worry about LSOs, although they do miss out on the functionality provided by Flash. Android 4.1 also dropped support for Flash, although older devices may still have it installed, and those who value the fact that much of the web still relies on Flash can still manually sideload the .apk. If you do have Flash installed, then you will be able to find an icon for ‘Flash Player settings’ in the app drawer. To turn off Flash cookies, go to ‘Local Storage’ and select ‘Never’.

  android

Use browser plugins

A number of browser plugins exist which can block or manage Flash cookies, the best example of which is uBlock Origin. Unfortunately, using these plugins increases the uniqueness of your browser and therefore makes you more vulnerable to Fingerprinting, so we do not recommend them.

Conclusion

Flash cookies are insidious things, but growing general awareness of cookies, decreasing use of Flash, and support from the major browsers for the NPAPI ClearSiteData API, means that their threat has diminished somewhat.

Unfortunately, this also means that in the ongoing arms war waged against the internet-using public by unscrupulous marketing and analytics firms, new techniques are being developed and deployed to identify individuals and track them across the web (and otherwise perform functions similar to traditional cookies).

The most alarming and prevalent of these is browser fingerprinting, which we discuss in detail here, but other forms of supercookie (HTTP ETags and Web Storage) and ‘history stealing’ (also very scary) are also deployed, which we discuss here.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

10 Comments

Sharon Francis
on October 12, 2017
Is this still the correct settings for CCleaner for use with Windows 10?
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small.png
Douglas Crawford replied to Sharon Francis
on October 16, 2017
Hi Sharon, It seems CCleaner has made clearing out flash cookies easier since I wrote this article. Please see here for the current official instructions. Thanks for bringing this issue to my attention, and I will update this article when I have a moment spare.
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small.png
Douglas Crawford
on March 8, 2017
Hi Zoe, What you are describing is not rational, and I'm sorry to say it, but you are expressing symptoms of deep paranoia. If you haven't done it for while, I suggest you go to bed and get some sleep. If this is an ongoing situation, then please (and I mean this sincerely) seek professional help. Peace.
Jacob Stall
on March 6, 2017
Quick question: 2. Then go to ‘Exclude’ and ‘Add’: C:\ -> Users -> User name -> AppData -> Roaming -> Macromedia -> Flash Player -> macromedia.com -> support -> flashplayer -> sys -> settings.sol" Can you please tell me why should we exclude this ? I thought we're supposed to delete this ? Thank you
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small.png
Douglas Crawford replied to Jacob Stall
on March 6, 2017
Hi Jacob, We want to exclude settings.sol because we do not want CCleaner to delete the Flash preferences we just changed in the section above.
Jacob Stall replied to Douglas Crawford
on March 6, 2017
Thank you for your quick reply! I'd like to tell you some details about my problem hoping u may have some solutions. I'm playing on bet365 from a country that the site does not store any cookies (or at least ghostery or adblock does not detect any) yet each time I am using another account (limitations come quick) I get busted. I have used firefox with 'random agent spoofer', disabled webrtc, changed my mac address each time, the IP as well, cookies, and now I also added those flash directories to my ccleaner. Is there anything left that I could try or be aware of? Thank you once again.
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small.png
Douglas Crawford replied to Jacob Stall
on March 6, 2017
Hi Jacob, I assume that you are using a VPN to hide your IP address? Of course, bet356 could then just ban all VPN users (much like Netflix tries to). It is possible that bet365 is using fingerprinting techniques to identify you, in which case the more you modify your browser the more unique your fingerprint will be (random agent spoofer can potentially be useful in this regard, but its effectiveness is debatable).
Annie
on January 13, 2017
Hi Douglas, great article! I was wondering if you clarify something for me. When you say "a piece of Flash code that will regenerate normal HTTP cookies whenever they are deleted from a browser’ cookie folder", what do you mean exactly? That an ID is included in the flash cookie, and the site now can learn what user it is, and give him back some of the old cookies? Or do the flash cookies literally store all the cookie data within them and just re-create them from that? That might be worded poorly, so let me try and give you an example of what I mean.. Youtube used to store a cookie called recently_watched_video_id_list locally. It had the ids of recently watched videos for signed out users (it created that list in the history section) They track that info on servers now, but back then I believe it was just in the cookie for signed out users.. Was it possible that this cookie was being re-created due to zombie cookies? I feel like the answer would be no if that cookie was stored locally. Not to mention people would probably notice if they cleared history and cookies etc and come back the next day to see them back. Just curious what you think about this scenario. Thanks and keep up the great work!
https://cdn.proprivacy.com/storage/images/2024/01/douglas-crawfordpng-avatar_image-small.png
Douglas Crawford replied to Annie
on January 13, 2017
Hi Annie, In most cases the Flash script will simply recreate a basic cookie. This will just have a simple ID number that can be externally tracked (so the Flash script will not recreate all data stored on a deleted cookie). But could it? Probably.

Write Your Own Comment

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

Your comment has been sent to the queue. It will appear shortly.

  Your comment has been sent to the queue. It will appear shortly.

We recommend you check out one of these alternatives:

The fastest VPN we test, unblocks everything, with amazing service all round

A large brand offering great value at a cheap price

One of the largest VPNs, voted best VPN by Reddit

One of the cheapest VPNs out there, but an incredibly good service