Java Applet Persistence for Evercookie

What's this?

A Java applet implementing a storage mechanism for Evercookie that uses several methods to store persistent cookie data in a browser.

evercookie-applet was written by Gabriel Bauman and binaries will soon be included in the official Evercookie distribution. You can find out more about Evercookie here.

How does it work?

Evercookie.js injects this applet into the DOM of a page. The applet attempts to use the JNLP PersistenceService to store values for Evercookie. For good measure, it also attempts to use a known exploit for CVE-2013-0422 to escape the applet sandbox and write a file to the user's hard drive containing cookie data.

The PersistenceService method is entirely legitimate and uses official Java APIs. The exploit method relies on a publicly known vulnerability that Oracle has patched, but it will still work against anyone who hasn't updated their Java plugin.

Why would you write this?

Because it's possible, and it shouldn't be. Evercookie already demonstrates how hard it is to avoid being tracked as you browse the net. This code extends its capabilities just a little further.

How can I protect myself?

To protect yourself from this applet, simply keep your Java installation up to date and don't blindly click "Run" when presented with a Java security warning as you browse the net.

Be warned, though - any Java applet can do what this one does. A game, an FTP client - all of these can store information on your machine that can later be used to identify you. Paranoid? Remove the Java plugin entirely.

One of Evercookie's other methods will probably still work against you, though.
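
To check whether a given Java installation is still exposed to the sandbox escape described above, you can compare its version banner against the fixed release. The script below is an added example, not part of evercookie-applet; the affected range (Java 7 before Update 11) is an assumption taken from Oracle's security alert for CVE-2013-0422 rather than from this page, and the sample banners are constructed.

```python
import re
import subprocess

# Assumption taken from Oracle's security alert for CVE-2013-0422, not from
# this page: Java 7 up to Update 10 is affected and 7u11 carries the fix.
AFFECTED_MAJOR = 7
FIXED_UPDATE = 11

# Legacy scheme: "1.<major>.<minor>_<update>"; newer scheme: "<major>[.x.y]".
_VERSION_RE = re.compile(
    r'version "(?:1\.(\d+)\.\d+(?:_(\d+))?[^"]*|(\d+)[^"]*)"')

def parse_java_version(banner):
    """Return (major, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    if m.group(1) is not None:
        return int(m.group(1)), int(m.group(2) or 0)
    return int(m.group(3)), 0

def exposed_to_cve_2013_0422(banner):
    """True if exposed, False if not, None if the version is unreadable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    return major == AFFECTED_MAJOR and update < FIXED_UPDATE

# Constructed sample banners (first line of `java -version` output).
SAMPLES = [
    'java version "1.7.0_10"',
    'java version "1.7.0_11"',
    'java version "1.6.0_38"',
    'openjdk version "11.0.2" 2019-01-15',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", exposed_to_cve_2013_0422(sample))
    try:
        # `java -version` writes its banner to stderr, not stdout.
        live = subprocess.run(["java", "-version"],
                              capture_output=True, text=True).stderr
        print("local java ->", exposed_to_cve_2013_0422(live))
    except FileNotFoundError:
        print("no java on PATH")
```

The `java` found on PATH is not necessarily the runtime your browser plugin uses, so check the plugin's reported version as well.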

I know applets, how can I contribute?

Fork it on GitHub or Bitbucket.

I accept pull requests that make sense and aren't destructive or overly malicious.

How to build evercookie-applet

Have fun!