Microsoft drops super cookies

Powered by SC Magazine
 

Cookie syncing uncovered.

Microsoft will stop using so-called "supercookies" on its own sites after a discovery by a Stanford University researcher.

Jonathan Mayer said he noticed that a browser cookie that had been cleared was "respawned" on live.com - one of Microsoft's sites.

"We dug into Microsoft's cross-domain cookie syncing code and discovered two independent supercookie mechanisms, one of which was respawning cookies," he said in a blog post.

"One of the foundational concepts in web security is the cookie same-origin policy: cookies can only be read and modified by the domain that set them.

"If domains collaborate they can trivially circumvent the same-origin policy and share cookies with each other; this practice is called 'cookie syncing'," he added, explaining that Microsoft was legitimately using such syncing because it has multiple domains.

He said Microsoft was using a cookie called an ETag, which manages caching and can respawn user identification data.

Microsoft suggested it wasn't aware of the use of supercookies, and "promptly investigated".

"We determined that the cookie behaviour he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," said Mike Hintze, associate general counsel for regulatory affairs, in a post on a Microsoft blog.

"We accelerated this process and quickly disabled this code," he said.

"At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft."

He said Microsoft has no plans to "develop or deploy" more supercookies.

Other complaints

Microsoft didn't address Mayer's other complaints, however. The researcher said the company offered a way to opt out of behavioural advertising, but said the system only stops the ads from being displayed - not the user from being tracked.

"It does not remove its identifier cookies after a user has opted out, nor does it make any promise to stop tracking," he said.

Mayer also noted that the opt-out link was "invisible" for Chrome and Safari users, a problem the company has since rectified, he said.

"It is increasingly difficult to accept industry claims that recent negative discoveries reflect 'just a few bad apples'," Mayer added.

"And it is more than a little troubling that a few research groups and occasional press coverage seem to be the only present checks on one of the most privacy-invasive industries in history."

Microsoft has yet to get back to us with comment.

Copyright © PC Pro, Dennis Publishing


Microsoft drops super cookies
 
 
 
Top Stories
Qld Transport to replace core registration system
State's biggest citizen info repository set for overhaul.
 
Innovating in the sleepy super industry
There’s little incentive to be on the bleeding edge, so why is Andrew Todd fighting so hard?
 
How technology will unify Toll
The systems headache formed through 15 years of acquisitions.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
More 4G from Optus in Darwin
Nov 21, 2014
Click to see where Optus has expanded coverage to the suburbs near Darwin.
Optus steps up regional 4G coverage
Nov 20, 2014
Once 700Mhz services are working, Optus claims regional users will have a "faster and more ...
This Huawei 4G phone costs $99
Nov 12, 2014
The $99 Huawei Ascend Y550, available through Vodafone, enters the budget market as one of the ...
4G smartphones: Microsoft's Lumia 830
Nov 7, 2014
Microsoft has announced its flagship Windows Phone, the Nokia Lumia 830 4G, will be available in ...
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  7%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  21%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 869

Vote