
OPLIN 4Cast #246: Zombie cookies

Posted in 4cast

Websites routinely use browser “cookies,” small pieces of data that a site asks the browser to store and send back on later requests, which lets the site recognize a returning visitor and remember state between page loads. Cookies are necessary for a smooth Internet user experience; otherwise, for example, you’d be constantly entering and re-entering your username and password on limited-access sites. But cookies are meant to be under the user’s control: the site gives each one an expiry (a “time-to-live”) after which the browser discards it, and the user can block or delete cookies at any time. Companies that collect Internet usage data for marketing purposes, however, don’t want their cookies to die, so some take the sneaky step of stashing a copy of the cookie’s identifier in other places the browser stores data (the page cache, the ETag validators the browser sends when it revalidates cached resources, HTML5 local storage) and recreating the cookie from one of those copies whenever it is deleted. These respawning cookies are known as zombie cookies; the names “evercookie” (strictly, Samy Kamkar’s proof-of-concept that combines many such storage tricks) and “supercookie” are used for them too, though loosely. Some very big companies use them, which makes privacy advocates concerned and angry.

  • Super cookies, ever cookies, zombie cookies, oh my! (Ensighten blog/Josh Goodwin)  “The internet, as we noted earlier, was designed to allow for a very narrow allowance of data storage and retrieval on end-user systems. As companies build value around data collection, the motivation to break out of that narrow privacy oriented data protection scheme has also grown. The company that provides website owners with the most relevant and accurate information about how users interact with the website owner’s site has an advantage over other companies looking to do the same thing.”
  • Supercookies: what you need to know about the web’s latest tracking device (Mashable/Christian Olsen)  “The kind of data supercookies track isn’t typical cookie material. A browser limits the typical cookie to be written, read and ultimately removed by the site that created it. The supercookie, on the other hand, operates outside of established safeguards. It can track and record user behavior across multiple sites. While it’s easy to understand that a site would want to track a user’s activity while she navigates its turf, it’s ethically questionable that site operators are able to record a user’s actions beyond site parameters.”
  • Attack of the zombie cookies (Techcitement*/Tom Wyrick)  “This time, both a cache-based cookie and a more advanced ‘supercookie’ are used to survive users’ attempts to block or delete them. Microsoft implements both methods by use of a script called wlHelper.js, which they store along with a cookie in the browser cache. If a user deletes the cookie but doesn’t empty the browser cache, the script recreates the deleted cookie. The second approach, termed ETags, saves a bogus version number in the browser cache. In the event the cookie is erased, wlHelper.js retrieves it from the bogus version number.”
  • ‘Zombie cookies’ won’t die: Microsoft admits use, HTML5 looms as new vector (InfoWorld/Woody Leonhard)  “Perhaps even scarier, as HTML5 gains traction: Its local storage is a great feature, but one wide open for abuse for such items as zombie cookies. And Internet Explorer’s InPrivate Browsing, Firefox’s Private Browsing, and Chrome’s Incognito browsing modes won’t protect you from the ETag form of zombie cookies or from HTML5-based zombies.”
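The cache/ETag respawn the Techcitement and InfoWorld items describe is easiest to understand by running it. The following is an added example, not code from the original post or from any of the linked articles: an offline simulation in which the tracker’s server logic, the browser’s cookie jar and HTTP cache, and the page script that copies the identifier back into a cookie are all modelled in-process. Every name in it (TrackerServer, Browser, BEACON_URL, respawnScript) is hypothetical, and the identifiers are a simple counter rather than the random tokens a real tracker would mint.

```javascript
// Added example: in-process simulation of ETag-based cookie respawning.
// Nothing here touches the network; all names are hypothetical.

const BEACON_URL = 'https://tracker.example/beacon.gif'; // hypothetical URL

// --- Tracker side: abuses the ETag validator as an identifier store -------
class TrackerServer {
  constructor() {
    this.nextId = 1;          // a real tracker would use a random token
    this.visits = new Map();  // tag -> number of times this visitor was seen
  }

  // Handles one request for the beacon. If the browser revalidates with a
  // tag we issued, answer 304 so the browser keeps its cached copy (and with
  // it the identifier); otherwise issue a fresh tag plus a matching cookie.
  handleBeacon(requestHeaders) {
    const presented = requestHeaders['if-none-match'];
    if (presented && this.visits.has(presented)) {
      this.visits.set(presented, this.visits.get(presented) + 1);
      return { status: 304, headers: { etag: presented }, body: null };
    }
    const tag = `"v${this.nextId++}"`;
    this.visits.set(tag, 1);
    return {
      status: 200,
      headers: { etag: tag, 'set-cookie': `uid=${tag.slice(1, -1)}` },
      body: tag.slice(1, -1),   // the body carries the id the page script reads
    };
  }
}

// --- Browser side: cookie jar plus a minimal HTTP cache -------------------
class Browser {
  constructor() {
    this.cookies = {};   // name -> value
    this.cache = {};     // url -> { etag, body }
  }

  // Fetches the beacon the way an XHR would: sends If-None-Match when a
  // cached copy exists, stores 200 responses (and their Set-Cookie), and
  // serves the cached body on 304. Returns the body the page script sees.
  fetch(server, url) {
    const headers = {};
    const cached = this.cache[url];
    if (cached) headers['if-none-match'] = cached.etag;

    const resp = server.handleBeacon(headers);
    if (resp.status === 304) return cached.body;

    this.cache[url] = { etag: resp.headers.etag, body: resp.body };
    if (resp.headers['set-cookie']) {
      const [name, value] = resp.headers['set-cookie'].split('=');
      this.cookies[name] = value;
    }
    return resp.body;
  }

  clearCookies() { this.cookies = {}; }
  clearCache()   { this.cache = {}; }
}

// --- Page script: the respawn step ----------------------------------------
// Reads the id from the (possibly cached) beacon body and rewrites the
// cookie if the user deleted it. Returns the id now in the cookie jar.
function respawnScript(browser, server) {
  const id = browser.fetch(server, BEACON_URL);
  if (!browser.cookies.uid) browser.cookies.uid = id;
  return browser.cookies.uid;
}

// Runs three scenarios and reports whether the original id survived each.
function demo() {
  const server = new TrackerServer();
  const browser = new Browser();

  const original = respawnScript(browser, server);

  browser.clearCookies();                 // user deletes cookies only
  const afterCookieClear = respawnScript(browser, server);

  browser.clearCookies();
  browser.clearCache();                   // user deletes cookies AND cache
  const afterFullClear = respawnScript(browser, server);

  return {
    original,
    afterCookieClear,
    afterFullClear,
    survivedCookieClear: afterCookieClear === original,
    survivedFullClear: afterFullClear === original,
  };
}

console.log(demo());
```

Deleting only the cookie leaves the cached beacon and its ETag in place; the next revalidation gets a 304, the browser hands the script the cached body, and the script writes the same id back. Only clearing the cache together with the cookies forces the server to mint a new id, which is why “clear cookies” alone is not a defence against this trick. Modern browsers also partition the HTTP cache by top-level site, so a cached beacon loaded from one site is not reused when the same tracker is embedded on another, which blunts the cross-site tracking use of ETags but does nothing for a single site that respawns its own cookie.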

Anniversary fact:
The evercookie code was released as open source software on September 13, 2010 by Samy Kamkar, who also created the worm that disabled the MySpace website in 2005.