Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Microsoft Disables Supercookies On MSN

The online user tracking technique is drawing fire, and numerous businesses are stepping away from the firms that practice it.

Slideshow: 7 Biggest Microsoft Flops
(click image for larger view and for full slideshow)
Slideshow: 7 Biggest Microsoft Flops
(click image for larger view and for full slideshow)
Microsoft has eliminated controversial "supercookies" that were present on MSN.com, in response to research that detailed the user-tracking technique.

Unlike regular cookies, or even newer Flash cookies, the latest generation of tracking technologies can't be disabled by browser users, even with privacy add-ons. That revelation surfaced late last month, in two separate research papers.

The first paper, "Tracking the Trackers: Microsoft Advertising (cache and ETag supercookies)," written by Stanford University graduate student Jonathan R. Mayer, highlighted new, persistent-cookie techniques being used by Microsoft on its MSN.com site.

In response to that paper, released in July, Microsoft on Thursday disclosed that it had immediately investigated Mayer's assertions, identified the code in question, and disabled it. "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," said Mike Hintze, associate general counsel for regulatory affairs at Microsoft, in a blog post.

"We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft," he said. "We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such 'supercookie' mechanisms."

Interestingly, the use of ETag supercookies that Mayer discovered wasn't limited to Microsoft. In fact, a separate group of researchers found similar techniques at use in a wide range of websites, as detailed in their paper, "Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning," released late last month.

That report's co-author, Ashkan Soltani, an independent privacy researcher, said in a blog post that the team discovered the new tracking techniques when recreating their 2009 study, "which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed 'respawning')." The technique is often used by online advertisers and their affiliates to track online behavior.

In the course of the new research, the team identified 5,600 HTTP cookies used on popular sites, 88% of them from third parties. Google-run cookies were present on 97 of the top 100 websites--including government websites--and Flash cookies were also present on 37 of the top 100 websites. In addition, 17 sites used HTML5, with seven also used "HTML5 local storage and HTTP cookies with matching values," said Soltani.

In addition, "we found two sites that were respawning cookies, including one site--hulu.com--where both Flash and cache cookies were employed to make identifiers more persistent," he said. "The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and 'Private Browsing Mode' is enabled."

Exactly what are ETags? According to the report, "ETags are tokens presented by a user's browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their 'km_ai' user cookies."

Wired first reported those findings, which led television streaming website Hulu.com to sever ties with one of the supercookie-using tracking firms detailed in the report, startup KISSmetrics. Spotify also suspended its relationship with the company, pending an investigation.

In a blog post, Hiten Shah, CEO of KISSmetrics, slammed the report for inaccuracies, arguing that it "significantly distorts our technology and business practices." Namely, he said, while his company employs a unique identifier for every person it tracks, even across websites, "internally, these identifiers are instantly translated into unique identifiers for each customer, and KISSmetrics has gone to extensive lengths to avoid linking any information from different customers, including segregating each customer's data in a completely separate database."

According to Shah, the same day the report was released, the first of two related lawsuits were filed against his company.

Hulu's move to sever ties over controversial marketing practices isn't surprising, considering it had been named in a previous class action lawsuit that resulted from Soltani's original respawning study, released in 2009. The result of that lawsuit was a $2.4 million settlement in December 2010, and a promise by Clearspring and Quantcast to discontinue using the technology.

Meanwhile, other defendants in the suit--ABC, ESPN, Hulu, JibJab Media, MTV Networks, NBC Universal, and Scribd--agreed to warn user if Flash was being used to track them, and to detail in their website privacy policies how to block the practice.

How can users stop supercookies? While do not track capabilities in browsers have attracted much attention lately as a way to block persistent tracking, supercookies can't currently be stopped from within the browser. Accordingly, blocking supercookies might require some type of privacy legislation that compels U.S. businesses to respect users' "do not track" intentions, as well as to disclose their tracking techniques.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...