Microsoft drops super cookies

Powered by SC Magazine
 

Cookie syncing uncovered.

Microsoft will stop using so-called "supercookies" on its own sites after a discovery by a Stanford University researcher.

Jonathan Mayer said he noticed that a browser cookie that had been cleared was "respawned" on live.com - one of Microsoft's sites.

"We dug into Microsoft's cross-domain cookie syncing code and discovered two independent supercookie mechanisms, one of which was respawning cookies," he said in a blog post.

"One of the foundational concepts in web security is the cookie same-origin policy: cookies can only be read and modified by the domain that set them.

"If domains collaborate they can trivially circumvent the same-origin policy and share cookies with each other; this practice is called 'cookie syncing'," he added, explaining that Microsoft was legitimately using such syncing because it has multiple domains.

He said Microsoft was using a cookie called an ETag, which manages caching and can respawn user identification data.

Microsoft suggested it wasn't aware of the use of supercookies, and "promptly investigated".

"We determined that the cookie behaviour he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," said Mike Hintze, associate general counsel for regulatory affairs, in a post on a Microsoft blog.

"We accelerated this process and quickly disabled this code," he said.

"At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft."

He said Microsoft has no plans to "develop or deploy" more supercookies.

Other complaints

Microsoft didn't address Mayer's other complaints, however. The researcher said the company offered a way to opt out of behavioural advertising, but said the system only stops the ads from being displayed - not the user from being tracked.

"It does not remove its identifier cookies after a user has opted out, nor does it make any promise to stop tracking," he said.

Mayer also noted that the opt-out link was "invisible" for Chrome and Safari users, a problem the company has since rectified, he said.

"It is increasingly difficult to accept industry claims that recent negative discoveries reflect 'just a few bad apples'," Mayer added.

"And it is more than a little troubling that a few research groups and occasional press coverage seem to be the only present checks on one of the most privacy-invasive industries in history."

Microsoft has yet to get back to us with comment.

Copyright © PC Pro, Dennis Publishing


Microsoft drops super cookies
 
 
 
Top Stories
Making a case for collaboration
[Blog post] Tap into your company’s people power.
 
Five zero-cost ways to improve MySQL performance
How to easily boost MySQL throughput by up to 5x.
 
Tracking the year of CIO churn
[Blog post] Who shone through in 12 months of disruption?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
This 4G smartphone costs $219
Sep 3, 2014
It's possible to spend a lot less on a smartphone if you're prepared to go with a brand you ...
Looking for storage? Seagate has five new small business NAS devices
Aug 22, 2014
Seagate has announced a new portfolio of Networked Attached Storage (NAS) solutions specifically ...
Run a small business in western Sydney?
Aug 15, 2014
This event might be of interest if you're looking to meet other people with a similar interest ...
Buying a tablet? Microsoft's Surface Pro 3 goes on sale this month
Aug 8, 2014
Microsoft has announced its Surface Pro 3 will go on sale in Australia on 28 August from ...
Apple's top MacBook Pro with Retina is now cheaper
Aug 1, 2014
Apple has updated its MacBook Pro range with faster processors and new pricing, including ...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  69%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  10%
 
Denial of service attacks
  6%
 
Insider threats
  11%
TOTAL VOTES: 1093

Vote