Local shared object
A Local Shared Object (LSO) is a cookie-like data entity used by Adobe Flash Player. The application running in the Flash Player can store and retrieve data, which can consist of basic data types (such as strings or numbers) or more complex objects. The data is serialized to the user's hard disk. Local Shared Objects are available in Flash Player starting from version 6.
Criticisms
Flash Player uses a sandbox security model, but, contrary to some definitions, the application does not ask the user's permission to store data on his hard disk. This may constitute a collection of cookie-like data that may include not only user-tracking information but any personal data that the user has entered in any Flash-enabled application, whether it be stand-alone or Web-based.
LSOs are usually not temporary files, and, by Macromedia's deliberate design, there is no obvious control panel to opt out of them. Instead, a user who wishes to maintain his privacy must discover their presence on his own, then find the Macromedia Web-site page ([1] or [2]) whose links activate the Flash MX Player plug-in and expose the hidden, Flash-based LSO opt-out "Settings Manager" control panel.
There are already reports of LSO exploitation by advertisers: "Flash Player Worries Privacy Advocates" (InternetWeek). Most users, including those familiar with Flash who protect themselves from cookies, are unaware of this kind of tracking, which is not curtailed by customary in-browser cookie settings and most cookie-cleaning utilities: "Company Bypasses Cookie-Deleting Consumers" (InternetWeek).
LSOs are stored in "SOL files" (typically, files with the extension "SOL"). String data, such as one's name, address, or Social Security Number, are stored by default within SOL files as plain ASCII text, which means that the data are insecure and easily read by any application with read access to the files. SOL files may store far more information than the traditional 4K-limited cookie. The default storage limit is 100K per domain, but the user can set it to "unlimited". If the limit is exceeded, the user is shown a dialog requesting more storage.
Tools to read and edit SOL files have emerged. Examples of non-Flash SOL-file editors and toolkits include: SolVE, ASV SOL Viewer and Editor, .SOL Editor, and Dojo JavaScript Toolkit.
Most web browser users do not realize that web pages do not have to offer any visible signs that a Flash application is running and accessing personal information stored in SOL files. It is difficult for the user to detect whether a Flash application is utilizing SOL files.
To this day, there is little public awareness of Adobe/Macromedia's hidden, proprietary-cookie LSOs, and no widespread, well-known utility-suite, anti-spyware, or anti-adware programs that address them. Users who delete traditional cookies with such programs may find those cookies resurrected because of Adobe/Macromedia's LSOs: "Tool Can Resurrect Deleted Cookies" (Out-Law.com). Since LSOs, unlike traditional cookies, have no expiration dates, the information resurrected in those cookies may persist indefinitely.
The default storage location for LSOs is operating-system dependent. For Windows XP, the location is within each user's Application Data directory, under Macromedia\Flash Player\#SharedObjects. Additional information is available at the Electronic Privacy Information Center's Local Shared Objects — "Flash Cookies" page.
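The following Python script is an added example, not code from the original article or from Adobe. It walks a directory of SOL files, such as the #SharedObjects directory named above, and lists the plain ASCII strings that any program with read access can recover from them; the SSN pattern and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Runs of 4 or more printable ASCII bytes, as the Unix `strings` tool reports.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# Assumed pattern: a US Social Security Number written with dashes.
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample: ASCII values between binary bytes. Not a real SOL file.
SAMPLE_SOL = (b"\x00\x01\x02\x00\x04name\x02\x00\x08Jane Doe\x00"
              b"\x00\x03ssn\x02\x00\x0b123-45-6789\x00\xff")


def readable_strings(data):
    """Return every printable-ASCII run found in the raw file bytes."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]


def audit_sol_tree(root):
    """Report size, readable strings and SSN-like hits for each SOL file."""
    report = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".sol":
            continue
        data = path.read_bytes()
        strings = readable_strings(data)
        report.append({
            "file": path.relative_to(root).as_posix(),
            "bytes": len(data),
            "strings": strings,
            "ssn_like": [s for s in strings if SSN_LIKE.search(s)],
        })
    return report


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no directory given: show the constructed sample
        print(readable_strings(SAMPLE_SOL))
    else:
        for entry in audit_sol_tree(Path(sys.argv[1])):
            flag = "  <-- SSN-like value in plain text" if entry["ssn_like"] else ""
            print(f'{entry["file"]} ({entry["bytes"]} bytes){flag}')
            for s in entry["strings"]:
                print("    " + s)
```

Run it with the current user's #SharedObjects directory as the only argument to review what Flash applications have stored there.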