Friday, September 22, 2006

How does Yahoo Sign In SEAL work ?

Last month Yahoo introduced "Yahoo Sign In SEAL", aimed at preventing phishing attacks. I have always been extra curious about the security of software and web applications, so I decided to see how this works. Here is what testing revealed about the tracking.

Yahoo uses several methods to tag the user's system:

  1. A simple browser cookie
  2. Flash Shared Objects (.sol), aka Flash cookies
  3. An XML file in the UserData folder

The interesting part of the findings is how persistent the tagging is. If you delete one source, the remaining ones let Yahoo identify the system and recreate the deleted data.

How to delete Yahoo Sign In SEAL tracking completely?
  1. Close all browsers.
  2. Delete the cookies from the browser (IE: Tools > Internet Options > Delete Cookies; Firefox: Ctrl+Shift+Del).
  3. Delete the Flash Shared Objects from C:\Documents and Settings\{user name}\Application Data\Macromedia\Flash Player\#SharedObjects
  4. Delete YL[1].xml. On Windows XP it lives at "C:\Documents and Settings\{user name}\UserData\{random folder, e.g. ODFXSDVY}\YL[1].xml".
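The two non-browser stores from steps 3 and 4 are the ones that survive a normal cookie wipe, so a small audit script helps confirm they are really gone. This is an added example, not code from the original post or from Yahoo; it assumes the Windows XP profile layout given above, that Flash keeps each site's .sol files under a folder named after the site's domain (so only .sol files below a "yahoo" folder are reported), and it builds a constructed sample profile so it can be exercised offline. Browser cookies are left to the browser's own UI, as in step 2.

```python
"""Audit and clean the non-browser Sign In SEAL stores from the post: Flash
shared objects (.sol) and the YL[1].xml userData file."""
import os
import tempfile
from pathlib import Path

USERDATA_FILE = "YL[1].xml"  # compared literally: a glob would treat [1] as a class

def flash_sol_dir(profile: Path) -> Path:
    # Windows XP layout from the post (assumed to be the same for every user)
    return profile / "Application Data" / "Macromedia" / "Flash Player" / "#SharedObjects"

def userdata_dir(profile: Path) -> Path:
    return profile / "UserData"

def find_seal_artifacts(profile: Path) -> list:
    """List files that let Yahoo re-identify the machine after cookies are gone.
    Assumption: Flash stores each site's .sol under a domain-named folder, so
    only .sol files below a folder containing 'yahoo' are reported."""
    hits = []
    for root, _dirs, files in os.walk(flash_sol_dir(profile)):
        if "yahoo" in root.lower():
            hits += [Path(root) / f for f in files if f.lower().endswith(".sol")]
    for root, _dirs, files in os.walk(userdata_dir(profile)):
        hits += [Path(root) / f for f in files if f == USERDATA_FILE]
    return sorted(hits)

def remove_seal_artifacts(profile: Path) -> list:
    """Delete every artifact found and return the list of removed paths."""
    removed = find_seal_artifacts(profile)
    for path in removed:
        path.unlink()
    return removed

def make_constructed_profile() -> Path:
    """Constructed sample profile for offline testing (not real captured data)."""
    root = Path(tempfile.mkdtemp())
    for rel in ("#SharedObjects/ABCD1234/login.yahoo.com/seal.sol",
                "#SharedObjects/ABCD1234/example.com/other.sol"):
        target = root / "Application Data" / "Macromedia" / "Flash Player" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\x00")
    xml = root / "UserData" / "ODFXSDVY" / USERDATA_FILE
    xml.parent.mkdir(parents=True)
    xml.write_text("<ROOTSTUB/>")
    return root

if __name__ == "__main__":
    # USERPROFILE is C:\Documents and Settings\{user name} on XP; fall back to the sample
    profile = Path(os.environ.get("USERPROFILE", str(make_constructed_profile())))
    for path in find_seal_artifacts(profile):
        print("found:", path)
```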
More questions than answers:

How can a web page store something outside the browser's temporary folder?
And how is Yahoo able to write an XML file to the UserData folder?

To the best of my knowledge this folder is used exclusively by Windows and IE to store system information.

45 comments:

Tweety said...

Welcome to the blogosphere genius! Now we the web world will become more knowledgeable!!

postin said...

Ok, a fellow blogger has pointed out that Yahoo was able to store the persistent data as implemented by Dynamic HTML (DHTML) behaviors.

More Interesting stuff here : http://msdn.microsoft.com/library/default.asp?url=/workshop/author/persistence/persistence_ovw_entry.asp

To disable Userdata Persistence in IE, follow the steps given here:

1. Tools > Internet Options > Security
2. Edit the security level settings
3. Find Miscellaneous
4. Scroll down to Userdata Persistence
5. Select Disable and save.

Unknown said...

Really, this is a neat way to uniquely identify computers all over the world.

And the general public most likely won't know how to undo it. (do they bother anyway?)
