Beware the Evercookie: An HTML5 Loophole to Steal Your Privacy

HTML5 may be the future of advanced websites, and one step toward the demise of Adobe’s Flash tech, but that doesn’t mean it’s 100% wonderful. Now a virus coder has shown HTML5 may have huge privacy loopholes.


Samy Kamkar, known for the “Samy Worm” virus, which successfully crashed MySpace’s website in 2005, is behind the new worries about HTML5. He’s crafted what he calls an Evercookie that worms its way into far corners of your PC and quietly gathers information about your Web habits. Cookies are a well-known and perfectly legitimate way of collecting information about you–in current Web systems they’re a tool for marketers to deliver relevant adverts to you, and a place for websites that require a login or involve some kind of personal profile to keep your data handily stored.

Kamkar has been promoting the Evercookie as something rather more sinister, however. To start with, it’s wickedly difficult to remove from your machine–it stores its data in over 10 places dotted throughout a computer, far more than normal cookies, so that merely locating and then emptying your “cookies” folder in your browser isn’t enough to kill it off.
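As an added illustration of why emptying a single store is not enough (this is not Kamkar’s code, and it uses plain in-memory maps rather than real browser storage), the toy model below keeps a constructed identifier in several simulated storage vectors and shows that any one surviving copy is enough to re-seed all the others:

```javascript
// Added example (not Kamkar's code): toy model of the storage redundancy that
// lets an "evercookie" survive cookie clearing. Maps only; no browser APIs.
// Constructed names standing in for the places the id is written.
const STORAGE_VECTORS = [
  "http_cookie", "local_storage", "session_storage", "indexed_db",
  "flash_lso", "png_cache", "etag_cache", "history_store",
];
const makeStores = () => Object.fromEntries(STORAGE_VECTORS.map((v) => [v, new Map()]));

// Persistence step: write the same id into every vector.
function setEverywhere(stores, key, id) {
  for (const store of Object.values(stores)) store.set(key, id);
}

// Respawn step: recover the id from any vector that still holds it, then
// re-populate all the others from that copy. Returns the id, or null.
function readAndRespawn(stores, key) {
  const survivor = Object.values(stores).find((s) => s.has(key));
  if (!survivor) return null;
  const id = survivor.get(key);
  setEverywhere(stores, key, id);
  return id;
}

// Clear only the named vectors (what emptying the cookies folder does).
function clearVectors(stores, names) {
  for (const n of names) stores[n].clear();
}

// Defender's check: how many vectors still carry the key after a cleanup?
const countHolding = (stores, key) => Object.values(stores).filter((s) => s.has(key)).length;

// Clearing 3 of 8 vectors leaves 5 copies; the next read respawns all 8.
function partialClearSurvives() {
  const stores = makeStores();
  setEverywhere(stores, "uid", "constructed-id-1234");
  clearVectors(stores, ["http_cookie", "local_storage", "session_storage"]);
  const before = countHolding(stores, "uid");
  const id = readAndRespawn(stores, "uid");
  return { id, before, after: countHolding(stores, "uid") };
}

// Only clearing every vector in the same pass defeats the respawn.
function fullClearRemoves() {
  const stores = makeStores();
  setEverywhere(stores, "uid", "constructed-id-1234");
  clearVectors(stores, STORAGE_VECTORS);
  return readAndRespawn(stores, "uid");
}
```

The practical lesson for a user or a cleanup tool is that the stores must be wiped together, before the page gets another chance to read one of them.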

But what is it? It’s an advanced surveillance tool, masquerading as a benign bit of Web technology, that records what websites you visit and what sort of data you upload to them. Kamkar says his intentions are thoroughly altruistic, to expose the potential flaws in HTML5, and he’s made his code openly available. Of course the code could be modified to carry out far more malicious Net crimes, like monitoring your browsing to pick out specific online activity (shopping carts from digital stores, emails you send and so on), or other more intimate Web habits.

HTML5 is the umbrella phrase for the next-gen Web protocols that permit clever website interactivity, including Web video and animations–some thinkers, like Steve Jobs, suggest it could (and possibly should) supersede Adobe’s Flash tech. But Kamkar is concerned that a wholesale leap to embrace the new tech could actually put more users’ private data at risk than existing Web tech does, because with all the extra powers HTML5 offers to users and Web advertisers (who’ll use its tracking systems for legitimate reasons) comes the risk of misunderstanding its subtleties. As Kamkar notes, “I think it’s O.K. for them to say we want to provide better service […] However, I should also be able to opt out because it is my computer.”

Is Kamkar right? His motives may be somewhat mixed, and his concerns may be slightly overblown, because practically every exciting new Web development has attracted the attention of malicious types who are keen to get at your data. Adobe’s Flash itself has had several security flaws exposed over the years that could give easy access to your private information–including a “fake security virus” alert from earlier in the year.


To keep up with this news, follow me, Kit Eaton, on Twitter.

About the author

I'm covering the science/tech/generally-exciting-and-innovative beat for Fast Company. Follow me on Twitter, or Google+ and you'll hear tons of interesting stuff, I promise.