Risk
8/19/2011
12:49 PM
50%
50%

Microsoft Disables Supercookies On MSN

The online user tracking technique is drawing fire, and numerous businesses are stepping away from the firms that practice it.

Slideshow: 7 Biggest Microsoft Flops
(click image for larger view and for full slideshow)
Slideshow: 7 Biggest Microsoft Flops
(click image for larger view and for full slideshow)
Microsoft has eliminated controversial "supercookies" that were present on MSN.com, in response to research that detailed the user-tracking technique.

Unlike regular cookies, or even newer Flash cookies, the latest generation of tracking technologies can't be disabled by browser users, even with privacy add-ons. That revelation surfaced late last month, in two separate research papers.

The first paper, "Tracking the Trackers: Microsoft Advertising (cache and ETag supercookies)," written by Stanford University graduate student Jonathan R. Mayer, highlighted new, persistent-cookie techniques being used by Microsoft on its MSN.com site.

In response to that paper, released in July, Microsoft on Thursday disclosed that it had immediately investigated Mayer's assertions, identified the code in question, and disabled it. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," said Mike Hintze, associate general counsel for regulatory affairs at Microsoft, in a blog post.

"We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft," he said. "We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such 'supercookie' mechanisms."

Interestingly, the use of ETag supercookies that Mayer discovered wasn't limited to Microsoft. In fact, a separate group of researchers found similar techniques at use in a wide range of websites, as detailed in their paper, "Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning," released late last month.

That report's co-author, Ashkan Soltani, an independent privacy researcher, said in a blog post that the team discovered the new tracking techniques when recreating their 2009 study, "which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed 'respawning')." The technique is often used by online advertisers and their affiliates to track online behavior.

In the course of the new research, the team identified 5,600 HTTP cookies used on popular sites, 88% of them from third parties. Google-run cookies were present on 97 of the top 100 websites--including government websites--and Flash cookies were also present on 37 of the top 100 websites. In addition, 17 sites used HTML5, with seven also used "HTML5 local storage and HTTP cookies with matching values," said Soltani.

In addition, "we found two sites that were respawning cookies, including one site--hulu.com--where both Flash and cache cookies were employed to make identifiers more persistent," he said. "The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and 'Private Browsing Mode' is enabled."

Exactly what are ETags? According to the report, "ETags are tokens presented by a user's browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their 'km_ai' user cookies."

Wired first reported those findings, which led television streaming website Hulu.com to sever ties with one of the supercookie-using tracking firms detailed in the report, startup KISSmetrics. Spotify also suspended its relationship with the company, pending an investigation.

In a blog post, Hiten Shah, CEO of KISSmetrics, slammed the report for inaccuracies, arguing that it "significantly distorts our technology and business practices." Namely, he said, while his company employs a unique identifier for every person it tracks, even across websites, "internally, these identifiers are instantly translated into unique identifiers for each customer, and KISSmetrics has gone to extensive lengths to avoid linking any information from different customers, including segregating each customer's data in a completely separate database."

According to Shah, the same day the report was released, the first of two related lawsuits were filed against his company.

Hulu's move to sever ties over controversial marketing practices isn't surprising, considering it had been named in a previous class action lawsuit that resulted from Soltani's original respawning study, released in 2009. The result of that lawsuit was a $2.4 million settlement in December 2010, and a promise by Clearspring and Quantcast to discontinue using the technology.

Meanwhile, other defendants in the suit--ABC, ESPN, Hulu, JibJab Media, MTV Networks, NBC Universal, and Scribd--agreed to warn user if Flash was being used to track them, and to detail in their website privacy policies how to block the practice.

How can users stop supercookies? While do not track capabilities in browsers have attracted much attention lately as a way to block persistent tracking, supercookies can't currently be stopped from within the browser. Accordingly, blocking supercookies might require some type of privacy legislation that compels U.S. businesses to respect users' "do not track" intentions, as well as to disclose their tracking techniques.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-0658
Published: 2015-03-27
The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary commands as root by sending crafted response packets on the local network, aka Bug ID CSCur14589.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.