A Java applet implementing a storage mechanism for Evercookie that uses several methods to store persistent cookie data in a browser.
evercookie-applet was written by Gabriel Bauman and binaries will soon be included in the official Evercookie distribution. You can find out more about Evercookie here.
Evercookie.js injects this applet into the DOM of a page. The applet attempts to use the JNLP PersistenceService to store values for Evercookie. For good measure, it also attempts to use a known exploit for CVE-2013-0422 to escape the applet sandbox and write a file to the user's hard drive containing cookie data.
The PersistenceService method is entirely legitimate and uses official Java APIs. The exploit method relies on a publicly known exploit that Oracle has patched, but it will still work against anyone who hasn't updated their Java plugin.
Because it's possible, and it shouldn't be. Evercookie already demonstrates how hard it is to avoid being tracked as you browse the net. This code extends its capabilities just a little further.
To protect yourself from this applet, simply keep your Java installation up to date and don't blindly click "Run" when presented with a Java security warning as you browse the net.
Be warned, though - any Java applet can do what this one does. A game, an FTP client - all of these can store information on your machine that can later be used to identify you. Paranoid? Remove the Java plugin entirely.
One of Evercookie's other methods will probably still work against you, though.
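To see when a page script injects a Java applet into the DOM, as described above, a page or browser extension can watch for the elements that load the Java plugin. This is an added example, not code from evercookie-applet or Evercookie; the element types checked and the `application/x-java-` MIME prefix are assumptions, since the page does not show the markup Evercookie.js generates.

```javascript
// Added example (not part of evercookie-applet): flag elements that would
// load the Java plugin when a script injects them into the DOM.
// Assumption: the applet arrives as <applet>, <object> or <embed>; the MIME
// prefix below is the conventional Java plugin type, not taken from the page.
const JAVA_MIME = /^application\/x-java-/i;

// Return a short reason if this element would start the Java plugin, else null.
function javaEmbedReason(el) {
  const tag = String(el.tagName || "").toLowerCase();
  const attr = (name) => ((el.getAttribute && el.getAttribute(name)) || "").trim();
  if (tag === "applet") {
    return "applet element (" + (attr("archive") || attr("code") || "no archive") + ")";
  }
  if ((tag === "object" || tag === "embed") && JAVA_MIME.test(attr("type"))) {
    return tag + " element with type " + attr("type");
  }
  return null;
}

// Check an added node and its descendants, because a script may inject a
// wrapper element with the applet nested inside it.
function findJavaEmbeds(root) {
  const nested = root.querySelectorAll
    ? Array.from(root.querySelectorAll("applet, object, embed"))
    : [];
  return [root, ...nested]
    .map((el) => ({ el, reason: javaEmbedReason(el) }))
    .filter((hit) => hit.reason !== null);
}

// Report every Java embed added after page load (browser only).
function watchForJavaEmbeds(doc, report) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType === 1) findJavaEmbeds(node).forEach(report);
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Start watching only when a DOM is present; outside a browser this is a no-op.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  watchForJavaEmbeds(document, (hit) => console.warn("Java embed injected:", hit.reason));
}
```

The observer only sees elements added after it starts, so it has to be installed before the script under inspection runs.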
Fork it on GitHub or Bitbucket.
I accept pull requests that make sense and aren't destructive or overly malicious.
- Check out the source code on your computer.
- Install the Oracle JDK and the Apache Maven build system.
- Open pom.xml and edit the java.home property so that it points at your JDK.
- Open a terminal or command window and cd to the source code you checked out.
- Type "mvn package" and press Enter.
- The jar, jnlp, and test HTML file will be built in the "target" directory.
Have fun!