Adobe Flash, The Spy in Your Computer – Part 1

Adobe Flash is, in my opinion, the most ubiquitous spyware in the world and no products detect it as such. The reason it goes undetected is that it also has numerous legitimate uses, however, there is growing evidence that indicates significant abuse. This will be the first in a series of blogs in which I will try to help you understand the threats and help you get a handle on the beast that is Flash.

If you have Adobe Flash on your computer, and most of you do, you are probably being spied on and Adobe does their best not to let you know or do anything about it. Fundamentally, rich video content is only the drug Adobe wants you to get hooked on, but make no mistake, one of the main purposes of Flash is apparently to secretly compromise your privacy. Flash cookies allow online advertising networks to covertly and uniquely track your internet use. This is not only a PC problem, but affects Linux, Mac, and mobile devices that support Flash. Flash cookies provide advertising networks with much better tracking than normal cookies do. Because a Flash cookie can effectively identify you (or your computer) uniquely it becomes very easy for internet ad agencies to profile you specifically.

Perhaps the only thing that Flash threatens more than your privacy is your security. Flash has been riddled with exploitable vulnerabilities. I want to help you get better control of your security and privacy, so this first blog will focus on the basics of getting you up to date and teaching you some Flash configuration. Start by making sure that you have the most current version of Flash by going to http://www.adobe.com/products/flash/about. The page will tell you the version of Flash you have installed and the current version for some operating systems, but not for Android phones. Remember, if you use multiple browsers you need to check Flash in each browser to make sure that it is current. Updating Flash in Firefox does not update Flash in Internet Explorer.

The next step is configuring the Flash player. In the next blog I’ll give an alternate means of configuring Flash, but let’s start with the “normal” way of configuring Flash. There should be a tool on your computer to configure Flash, but Adobe doesn’t work that smart. You need to go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html in order to configure the Flash Player. This happens to be a fairly unintuitive site designed to discourage users from configuring Flash, but I’ll help explain how it works. When you land on the web page and have Flash installed, you will see the following screen.

This actually is not simply text, this is the tool you need to use to configure Flash player. Note that this is not going to be enough to prevent Flash enabled websites from spying on you, but it is a start. Each of the links on the left under the words “Settings Manager” is an active link that controls Flash. I’ll explain a bit about each of the screens you see when you use the Flash Player Settings Manager tool. The first screen is the “Global Privacy Settings panel” which you see below.


 
Use of the global privacy settings panel does nothing at all to stop sleazy online ad agencies and other scum from using flash to track you individually. This is actually not a global privacy setting at all, it is simply a control for your webcam and microphone. By default if a Flash application wants to use your camera or microphone it has to ask, but you can choose to always deny the request. The proper setting for this panel is whatever you want. This isn’t about privacy at all, this is simply do you want to the choice to share your webcam or do you want to make sure it is never used and you are not asked. Calling this the “Global Privacy Settings panel” is an example of the devious and deceptive nature of Adobe.

The Global Storage Settings panel has more to do with privacy than the webcam. This is also an example of how confusing Adobe tries to make Flash to understand. An LSO is a local shared object and this panel controls LSOs, but rather than tell you that you are allocating SHARED space, Adobe calls it STORAGE. An LSO can contain a lot of data. If you set the storage to zero you might break some sites, but you limit how much data can be stored on your computer. I set mine to zero because Flash is simply too dangerous and deceptive to trust with storage on a global basis. I chose not to allow third-party Flash content because I do not wish to have unknown third-parties spying on me. Disallowing third-party flash breaks the Disney site, but then Disney is being sued for allegedly abusing Flash LSOs to illegally spy on people. Breaking the Disney website is probably a very good thing. I can live with it. This actually breaks a lot of embedded Flash movies, but if more people complain that third party flash videos are not showing, maybe Adobe will redesign Flash to respect privacy.  The option to store common Flash components to reduce download times is something else I disable. My reason for disabling local storage is that I expect this “feature” to be exploited at some point in time. I suspect that there are or will be attacks that will take advantage of stored content.
 

The Global Security Settings panel shows how little security Flash actually has. Global security for Flash controls one thing – whether or not older, even more poorly designed Flash components can gain unauthorized access to your data. I set mine to always ask because I want to know when I come across such a site, but then I also know that the correct answer is to deny access. For most people I recommend selecting “Always deny”.


 

The Global Notifications panel is used to show how bad Adobe is at effective communications. When a site wants to access your webcam and you have the control set to ask, you get notified. When a third party site wants insecure access to your data and you have Flash configured to ask, then you are notified of the request, but that isn’t what this panel is about. This is how you set the interval for how often Flash checks for updates! This really should be called the Update Settings panel, but perhaps Adobe thinks it may one day be used for other things too. The default setting is probably good. If you want to check more frequently I’ll tell you how in a future blog.


 
The Website Privacy Settings panel is similar to the Global privacy Settings, except it allows you to control the behavior of web sites after you have visited them. If you visited a web site that uses Flash, it will be listed here. From this panel you can choose to always allow the site to access your webcam, always deny access to it, or leave the default of ask permission each time. The panel would be far more useful if you could add websites without having to visit them, but that functionality doesn’t help Flash to spy on you, so don’t look for the functionality anytime soon.

The Website Storage Settings panel is similar to the Global Storage Settings panel, except that it is used AFTER Adobe let a website spy on you. When you visit Flash enabled website they will show up in the box at the bottom of the panel and then you can select each website and adjust how much local storage (shared objects) you want to let the website have on your hard drive. Once again due to a design that favors privacy compromise over user choice, you can’t add websites first and assign settings, you have to browse to the website first and use your default settings. After visiting the website then you must return to the Flash settings manager

The Peer-Assisted Networking panel lets you prevent Flash from sharing your internet connection. There may be no security or privacy risk at all, but I really can’t say authoritatively that there is no risk. There is probably no benefit that makes it worth taking the chance. Choose the check box titled “Disable P2P uplink for all" and don’t look back.

The Protected Content Playback Settings panel is generally of no significance to anyone. Most companies realize the DRM (Digital Rights Management) was almost as successful as the war on drugs. A few people out there may have files that are protected and when some obscure problem crops up, after hours on the phone with technical support you may be asked to reset the license files, otherwise you can pretty safely ignore this panel.

One of the other ways to configure flash is to right click on a flash animation on a web page. The problem is that you have to know that it is a Flash file and not an animated GIF or other graphic, then after some spying has been done you can say stop.
 

If you choose “Settings” you get to disable or enable hardware acceleration. If you choose Global Settings then is takes you to the Flash Settings Manager panel which we have just gone over.

Next blog I’ll show you another way to configure Flash. A way that you can block virtually all LSOs, truly control Flash, and probably not get to see many Flash animations at all.

Randy Abrams
Director of Technical Education
ESET LLC

Author ESET Research, ESET

  • RichieB

    Thanks a lot for this informative article. All the links to the screenshots are to the https version of your blog. This uses a self-signed SSL certificate, and the images might not appear if a browser or proxy is configured to deny access to sites with an untrusted certificate. Please change the links to use http instead.

    • Randy Abrams

      Thanks Richie. We made some changes and I didn’t realize the pics would default to https. I have fixed the links. BTW, when you enter an email address to post a comment, it is not passed on to marketing or used for anything other than the occasional time when one of the bloggers might wish to make a personal reply.

  • landloper

    Thank you very much for this manual. I am using firefox flashblock and only activate flash on a few favourite sites. But I think your advice will still help me to retrieve my privacy. I am looking forward for your next blog.

    Thanks, landloper

    • Randy Abrams

      Ahhh, Firefox and Chrome add-ons come next :)

      Unfortunately, you can’t retrieve your privacy, but you can take steps to prevent further abuses.

  • tjessy

    I think in 2010 even without Flash your privacy could be compromised… just think of Google or any other search engine, facebook and the other thousands of social-networking sites / programs. In my opinion somehow it became "natural" that the ads I see during browsing are somehow "relevant" to me. They track the user's habits to develop their services… is that such a huge problem? I don't think so…
    Cheers,
    J

    • Randy Abrams

      They also in some cases write normal cookies back after the user deleted them. Just becasue there are other ways in which your privacy can be compromised it doesn’t make the behavior of Flash right.

  • rochelle

    hi,
    i thanks for the blog.ive came across your blog bec i think someone's been accessing my cam wihtout me knowing it. bec i only open my cam to my sister this morning but a crazy guy that i deny to talk to in ym just sent pictures of me from my webcam same time as i am talking to my sister…didnt know how he did it bec my cam only shows 1 viewer..
    i also learned to deny sharing my bandwith?my computer seemed to work too slow ,and i think my ISP provider shares bandwith with different users bec a tech support once slipped and said that the line or something like that is like shared with a computer shop thats why its so slow during the day.
    nways..thank you so much for the bog..keep it up :)

  • Adobe & Google Sux

    Hi Randy! Thanks for Exposing them Spyin' Scum Bags! I just wanted to give u the "Heads Up" that EVERY time that I use the Global or the Website Privacy Settings (in YouTube) & I block them from spyin' on BOTH, within a couple minutes, they RE-SET THEMSELVES to Settings where they can spy again! HELL YEAH! It's unbelievable, but TRUE! There is this website: s.ytimg.com that ALWAYS wants to spy through ur Camera & mic & ACTUALLY non-stop get it activated again over & over! I was UTube once & the box came up askin' if I would "ALLOW s.ytimg.com to access my camera & mic" & I put "no" of course, but then I would check that box peridically & it would be re-set again to allow them! I searched: s.ytimg.com on the net and it said that it is a spyin' & trackin' company! Then I investigated more & found out that they are a partner of YouTube!!! So YouTube has this site spyin' on ALL YouTubers! Also, Adobe Flash Player includes this folder into your hard drive called "Macromedia" that when u open it it is a "shared folder" that is TRACKING everywhere that U go on the Internet & stores even Bank info, if u visit a Bank site!! So I keep deleting it, & within minutes it pops back up AGAIN! Then it also re-sets the Flash player's Global & Website Privacy Settings to "Default" which allows ALL kinds of trackers into ur hard drive! It is Fricken insane! I can't believe the nerve of them A-Holes! Then to top it all off, there isn't a replacement for Adobe Flash Player so they got us by the Balls!  If u check out what I'm tellin' U, maybe u can add it to ur Second Blog.  And of course we ALL know about Google being one of the #1 Spyers on the list! I won't even go there!  Latah!

  • DasFox

    You should tell people about the Better Privacy Firefox addon;

    Or let us know if there is anything else too?

    THANKS

    P.S. Nice blog, so when is someone going to SUE Adobe?

  • DasFox

    THIS does not work if you use the Better Privacy Firefox addon.

    When it deletes the LSO then all the Settings Manager, settings get set back to default.

    SCRATCH this, we need some change of information here….

    THANKS

  • lyecdevf

    I do not trust Adobe at all.  Especially when I read that Adobe reader calls home and connects to Omniture when you open pdf files.  Now if I open any pdf files I do that on my gaming computer that is not connected to the internet.  
    Adobe flash player I have not used in a while now either.  Right now I do not watch any videos online but in the near future I am planing to use a combination of greasmonkey scripts, firefox plugins,…to get those videos and watch them on my embeded video player.
    I have been working lately to make sure that as little information as possible gets of my computer.  I have made my web browser less tracable, I am using linux,…I am even thinking about not using google for searches and all those major e-mail providers.  I just find this idea that there are people trying to sell your personal info to ad companies a tad too much to bear. 

  • truth speaks

    What lyecdevf is trying to say … [rest of post deleted: if you have a quarrel with lyecdevf please take it to a more appropriate forum. We're not going to approve unverified flames and accusations. (DH)]

    • David Harley

      “truth speaks”: your post has had most of its content removed because it contains unverified flaming and accusations not relevant to the blog article. If you have a quarrel with lyecdevf, please take it to a more appropriate forum.

  • Erik

    Just finding out about all this stuff now. I am not a tech guru, but I see that apparently I'll have to become one or I will always be vulnerable.  This info is great.  Adobe is pure scum.  For years I couldn't figure out why it was asking me for updates when I was not connected to the internet.  We need to get together and start a company that focuses on stopping this nonsense. Keep after them Randy.  Never stop.  These companies count on just outlasting everybody because they are so big.  Don't let them do it.
    Erik

  • Gunnar

    Our tech and security division found this article when the officer enter the string "adobe flash is spyware". As an aerospace and defense company (Canadian) very concerned about privacy and keeping our proprietary information on Canadian soil, this news is quite alarming. On a similar vein, one thing that we have done throughout the corporation is to ensure that all employees and associates DO NOT use Google, Yahoo or Bing as their default search engines. They are temporarily going through the search at Rediff.com, but I suspect that search is at least in part powered by the US-based engines and we'll need to check out the technical relationship.
    We are going to file a motion with both the EU privacy commissioner and the domestic (Canadian) counterpart asking for a further investigation into this. At the least, it would be pertinent that public authorities here in Canada and in the EU clearly advise both consumers and local businesses of the risks of using Flash and work to develop an alternativ (or to limit the spying functions). Being mostly on Solaris, we've encouraged employees (who need to watch various training videos and technical lectures) to point their desktop player to the link and download instead. But that doesn't help much, as they still need to use Flash to view them!

  • J. Ambrose Lucero

    I worked at the Terrorist Screening Software Development center of the FBI's TSC, recruited to do the bootstrap documentation systems for their new distributed systems terrorist identity management applications. I documented and illustrated everything from the underlying Extensible Identity Search Architecture to the various identity info search apps that were moving to use EISA. I was completely successful, earned a Service Commendation in 2008. In 2009, however, my MacPro, the only computer not administered or understood by IT, came under attack, killing my productivity. Lots of details go into this, including my discovery of an incursion into the classified net under my log on on my Mac, but pertinent here is the fact that I concluded that the attacks were Flash scripts. I had just taken a course in Flash scripting, so it was obvious to me. Long story short, I was whistle blown out of the contract, and have been attacked over the Internet constantly since. SO THANKS A BILLION FOR YOUR BLOG. Adobe and other big players have been obfuscating their GUIs for years. All that candy is just the icing on the stockholders' cake. J. Ambrose Lucero, 7033311429

  • larry mills

    Helpful. I was able to deny s.yting.com – an Adobe spy on my Windows7.

  • Raymond Gentile

    |I don’t usually interrupt awesome discussions such as this with my own personal issues, but I really need the help of anyone who is happy to lend me a hand. I’m considering using the services of and I was wondering if somebody here has used them previously. I am looking for both the bad and the good areas of their business. Please get back to me as fast as possible for this is vital. I appreciate it.

    • David Harley

      Hello, Mr. Gentile or whatever your real name is. Sadly for you, this blog strips URLs automatically.However, I’d strongly advise that no-one use any service that attempts to publicize itself using comment spam….

  • Frustrated Flash Blocker

    Hey, I've found some kind of Flash object that bypasses Flash Block and could only be spyware.
    I found it because it grabs the focus and the mouse scroll wheel stops working. When I call up task manager I see 3 Flash-related apps under "Processes". There are no videos running and Flashblock is supposedly keeping out the Flash, only it obviously isn't.
    If I go to Firefox Addons and disable Flash myself the task manager stays clean, the browser keeps focus, and the mouse wheel keeps working.
    What's particularly annoying about this focus-grabbing unblockable Flash spyware is that when you click on the webpage to put the focus back so you can scroll with the mouse the new, annoying "invisible button pop-up" kicks in and you get a pop-up ad.
    If Flashblock would just do it's friggin' job I wouldn't have this stupid problem, so what I want you guys to do is raise such a big stink about this unblockable Flash to the Flashblock people that they figure out how this unblockable Flash is triggering and FIND A WAY TO BLOCK IT!
    Thanks for your time.
    -Frustrated Flash-Blocker

  • Frustrated Flash Blocker

    To be clear the mouse wheel doesn't get disabled, it's just the hidden Flash object makes Flash run in Windows, which takes the focus off the browser and forces me to put the focus back on the browser.
    I could do that with Alt-Tab instead of clicking on the browser window and not be forced to endure these new, extremely pernicious pop-up ads that take advantage of users clicking on innocuous-looking objects (or in this case what looks like plain text) in a browser window.
    I am "solving" the problem presently by switching on Flash to view videos then switching it off again to do anything else. I keep a tiny browser window open to "AddOns" so I have quick access to the "Enable / Disable" button.
    If only Flashblock would do its job these invisible focus-grabbing Flash objects wouldn't be a problem …

  • Frustrated Flash Blocker

    Figured it out. Flashblock doesn't stop the Flash application from running whenever Firefox detects a webpage with Flash content.
    Firefox runs the Flash app, the focus briefly goes to the Flash executable, and meanwhile Flashblock blocks the actual Flash content on the web browser. The Flash executable releases the focus which then sits on the Windows desktop, waiting for the user to task-switch back to the web browser.
    What I don't get is why, after the Flash app is running, it needs to take the focus at all whenever a new webpage with Flash content is loaded. The Flash app shouldn't ever need the focus, as its only purpose is to sit in the background and run Flash apps on your web browser.
    Anyway I know these messages were somewhat off-topic so thanks for listening. And thanks for the good advice on protecting myself from runaway Flash spyware. I would never have found this site had Flash not been behaving so badly, so I guess there's a silver lining there, too.

  • Jack R

    This IMMEDIATELY turned off that annoying storage prompt on my YouTube videos. I right clicked and chose Global Settings per your notes – thank you VERY much!

  • Guest

    Thank you for the very useful information. I followed your steps and seem to have got rid of the constant s.ytimg.com pop-ups. I hope…..

    • Stephen Cobb

      Glad we were helpful.

  • lobo

    It was Luck I came across this needed information. I dont like to see those pop up ads plus also hoping They All dont come back. Thank you so much!

  • NansNook

    Thank you VERY much. I am a 50 year old computer challenged lady who is at the mercy of my children for my computer knowledge and settings. I stumbled across your site when attempting to “fix” a Adobe box that was always popping up on my videos. I had no idea what was actually happening when I watched some videos. Your website saved me from future spying. Thanks again from Wasilla, AK.

  • wasfoghat812onyoutube

    google + popped up for me to join so much on youtube and i didn’t know google had bought youtube. i finally became impatient with the popup (exactly what they wanted most likely huh) and joined. now my youtube identity is ruined and i can’t figure out how to delete my google + account. in fact, i did delete it. but it is still there and won’t go away. HELP?

    • http://dharley.wordpress.com/ David Harley

      Sorry, but I’m afraid we’re not best-placed to offer G+ support: Google knows the internals of the service far better than we do…

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

22 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.