Skip to content

What Are Local Shared Objects? (aka Flash Cookies)

Osman Husain 2/13/24 1:29 PM

Table of Contents

You don’t hear about them much anymore, but “local shared objects”---also known as “Flash cookies”---were, at one time, a hot topic in both the web development and the security and privacy communities.

A local shared object is a small text file that websites with Adobe Flash content can use to store data on the user’s local computer. These files store information such as the user’s Adobe Flash Player volume preferences and data from Flash games. Because their purpose is similar to that of traditional website cookies, they are commonly known by the unofficial nickname “Flash cookies.”

Flash cookies differ from traditional cookies in several important respects:

  • Unlike web cookies, which are stored in a folder specific to the browser, Flash cookies are stored in a separate directory accessible to all browsers on that computer.
  • Flash cookies are not governed by the same browser cookie permissions as web cookies.
  • Clearing your web cookies may leave Flash cookies untouched.

 

Flash Cookie Privacy Concerns

Because Flash cookies are persistent (they survive attempts to clear cookies), are accessible by multiple browsers on the same computer, and can store any kind of data, some crafty web developers have used Flash cookies to bypass the user’s cookie preferences and track the user’s web activity, or use them as hidden backups to restore deleted web tracking cookies.

An additional issue is that although Adobe did provide some privacy settings in its Flash Player regarding local shared objects, few users knew about these settings or how to change them.

At first, there was no way to restrict or delete Flash cookies in the browser (as opposed to using Flash Player settings), although Adobe eventually did provide an API for this purpose that many browser manufacturers adopted.

 

The Good News

The good news is that Adobe deprecated Flash Player in 2020, ending support for and development on the platform and stopping any further development or distribution of security patches. Most browser manufacturers followed up by blocking Flash content in their newer versions.

Only older versions of these browsers and the Flash Player itself can still render Flash content. However, few websites include Flash content anymore because mainstream browsers block it, so the privacy threat of Flash cookies has diminished over the last few years. Developers now largely use the more robust HTML 5, with its built-in security features, to present animations, games, and other Flash-like interactivity.

Still, it’s helpful to know what local shared objects were. The security and privacy concerns around them serve as a good example of how innocent (and useful) software features can be exploited for nefarious purposes.

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.