Persistent Tracking using Supercookies and Evercookies

Normal websites use cookies to keep track of their visitors, either to remember that they are logged in, track statistics, or a number of other purposes. Sites can usually only track users while they are browsing that actual site (apart from Google who tracks you more or less wherever you go), however the past few years have revealed more and more ways web users can be tracked.

The concept of supercookies and ubercookies is not entirely new, but has been refined recently to turn them into digital cockroaches – very hard to permanently get rid of. Supercookies are basically an amalgamation of different software features that can be used to create a uniquely identifying token, usually one that is hard or too convoluted to delete. Now that HTML5 is becoming more widespread, there are even more options than before.

Modern supercookies comprise a number (or all) of the following:

Standard HTTP Cookies

Local Shared Objects (Flash Cookies)

Silverlight Isolated Storage

Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out

Storing cookies in Web History

Storing cookies in HTTP ETags

Storing cookies in Web cache

window.name caching

Internet Explorer userData storage

HTML5 Session Storage

HTML5 Local Storage

HTML5 Global Storage

HTML5 Database Storage via SQLite

Samy Kamkar recently released Evercookie, a JavaScript API for creating extremely persistent browser cookies. The list above is what is what Evercookie uses to create them. If websites were to start using these techniques, they would be able to uniquely identify you (as a user, not a person) each time you visited, even if you deleted your cookies, cleared your cache, and removed your history (or used a private browsing feature). Due to the use of shared objects, such as Flash, some cookies are persistent even across different browsers!

Ultimately, I wouldn’t panic and stop surfing the web just yet, but this goes to show how the evolution of the browser (and countless plugins that now go with it) is having an effect on privacy and security (which can’t quite keep up the pace set by innovation). Dominic White describes how to delete the Evercookie when using Safari on OSX. Others have written about how to do the same on Firefox and Chrome. One reddit user has created a pseudo lockdown-script which improves the security and privacy of Firefox by making some configuration changes (eg. disabling prefetching, geolocation, caching, etc).

This post by Christopher Soghoian provides a good argument for why privacy (and security, I would add) should be adopted in web browsers by default, instead of letting users fend for themselves. Some browsers are making an effort by adding features such as private browsing, cross-site scripting protection, and Google SafeSearch (although this impacts privacy by sending Google every URL you browse to), however all too often browser plugins and add-ons are given too many privileges.

Browser security and user awareness are becoming more important than ever as traditional programs are phased out and replaced by web applications. Unfortunately both of these are still lagging a bit behind.

     - Standard HTTP Cookies
     - Local Shared Objects (Flash Cookies)
     - Silverlight Isolated Storage
     - Storing cookies in RGB values of auto-generated, force-cached
        PNGs using HTML5 Canvas tag to read pixels (cookies) back out
     - Storing cookies in Web History
     - Storing cookies in HTTP ETags
     - Storing cookies in Web cache
     - window.name caching
     - Internet Explorer userData storage
     - HTML5 Session Storage
     - HTML5 Local Storage
     - HTML5 Global Storage
     - HTML5 Database Storage via SQLite