Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Microsoft Security IT

Zombie Cookies Just Won't Die 189

GMGruman wrote in to say "Microsoft embarrassed itself last week when it got caught using 'zombie cookies' — a form of tracking cookies that users can't delete, as they come back to life after you've 'killed' them. Microsoft says it'll stop the 'aberrant' practice. But Woody Leonhard says you ain't seen nothing yet. It turns out HTML5 offers a technical mechanism to give zombie cookies a new lease on life — and the Web browsers' private-browsing features can't stop them."
This discussion has been archived. No new comments can be posted.

Zombie Cookies Just Won't Die

Comments Filter:
  • by elrous0 ( 869638 ) * on Tuesday August 23, 2011 @08:45AM (#37177648)

    Microsoft says it'll stop the abhorrent practice

    Fixed that for them.

    Actually, an even more accurate quote might be:

    Microsoft "says" it'll stop the abhorrent practice

    • by gomiam ( 587421 )
      If aberrant [merriam-webster.com] is abnormal, why should they use abhorrent instead? It actually can be both at the same time, IMO.
    • I think you meant they will "stop" the practice. And by stop, they really mean continue without remorse.

    • Calling "placing cookies" abhorrent seems a bit over the top, no? Call me crazy, but I believe in perspective, and I would reserve "abhorrent" for such things as "mugging an old woman" or "racism".

      • by elrous0 ( 869638 ) *

        Calling "placing cookies" abhorrent seems a bit over the top, no?

        But these are SUPER-cookies.

      • As someone who believes in perspective, you should agree that context is very important. According to Google abhorrent is defined as "Inspiring disgust and loathing" so as far as privacy practices go, it's entirely valid to say it's abhorrent.

  • by billrp ( 1530055 ) on Tuesday August 23, 2011 @08:50AM (#37177728)
    which seems to be the most common solution that's offered on fix-your-own-windows-problems forums
    • Some 9 years ago when I was working for an ISP telephone help desk, our strategy for not working dial-up was basically as follows:

      1) reboot computer. Customer usually tried that already.

      2) Delete and recreate dial-up connection. Fixed 70-80% of the cases.

      3) remove and re-install related network components. Fixed again some 80% of the remaining cases.

      4) tell them that the solution lies in re-installing Windows but that we're not allowed to advice that (first-line help desk) nor that we provide support for t

    • More pocket money (and supposedly obsolete PCs) for me!

      Nuke-and-pave is fast, which is all that matters.

      Fixing Windows installations is like picking shit out of toilet paper. Just because you can doesn't mean you should, and you aren't likely to remove the entire "problem".

  • *nix fix (Score:2, Insightful)

    by Anonymous Coward

    This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

    • True dat! I haven't seen a browser cookie survive a good re-partitioning and OS re-install.
    • by ArcherB ( 796902 )

      This is why it's nice to be able to rm -rf ~/.mozilla and rm -rf ~/.macromedia as a last-ditch effort.

      Rather than nuking it, why not just restore it to a previous, known good state...

      rm -rf ~/.mozilla && rm -rf ~/.macromedia && cp ~/.mozillaGoodCopyWithBookmarksAndStuff ~/.mozilla -R

    • I just link ~/.macromedia and ~/.adobe to /tmp, which is mounted in a ramdisk on my machine. I reboot it fairly often enough that I feel reasonably safe from persistent tracking.

      For ~/.mozilla, I have cookies saved only until reboot except for sites like /. which I use to save logins. Also, extremely judicious use of NoScript. Not sure if it's good enough, but I don't know of anything more that can be done that isn't too heavy-handed.

    • easy to defeat on *NIX. set ownership of ~/.adobe and/or ~/.macromedia with permission 000. presto, no flash crap stored on your computer, unless you're stupid enough to browse the web as root.

      also, Samy Kamkar's "super cookie" is easy to avoid/defeat with firefox. click on the icon to the left of the URL, click "more info" then go to permissions. on "set cookies", uncheck "use default", then block. do the same for "offline storage".

      leave the site (close the tab to be sure), then clean everything from the l

      • There are several forms of 'meta cookie' which can be used to uniquely identify you, and which have nothing to do with either Flash or standard browser cookies. For example, check out Panopticlick [eff.org]. There are also older attacks such as history sniffing [niallkennedy.com] (defeated in modern browsers, but still available in the majority of active browsers). Plus there's permanently cached files (a JS file with an expiry set unreachably far in the future, with a server which responds that the file is always fresh, while the c

  • And run your browser in VMWare, and wipe the VM you run your browser in clean when you exit. Or just don't browse the web anymore, since these shady practices are devaluing the platform as a whole. Which actually might be exactly what Microsoft wants...
  • by Anonymous Coward on Tuesday August 23, 2011 @08:59AM (#37177840)

    And start blaming your browser. If you enable "Private Browsing", and anything lives beyond that session, it can be nothing other than a browser bug.

    • by maxwell demon ( 590494 ) on Tuesday August 23, 2011 @09:05AM (#37177930) Journal

      Flash is an external process and thus bypasses browser settings. It even works cross-browser: A "Flash cookie" (LSO) can e.g. be set in Firefox and then read in Opera.

      For HTML5 features however, I have to agree with you.

      • by Hatta ( 162192 ) on Tuesday August 23, 2011 @09:31AM (#37178276) Journal

        Flash is an external process and thus bypasses browser settings

        So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

        • Flash is an external process and thus bypasses browser settings.

          Flash is an external process and thus bypasses browser settings

          So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

          Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

          • Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

            That is why people that know what they are doing get their content for surprise birthday planning via "trusted" private trackers not flash infected websites.

          • Some limited functionality? Do you realize how many surprise-birthday-planning sites require Flash?

            I'm willing to outlaw birthdays if that's what it takes to eliminate this problem!

        • by ifrag ( 984323 )

          So disable it during private browsing. Better to have real security with some limited functionality than a false sense of security.

          Or how about run Flash in a temporary VM which can be immediately destroyed on exit? If there is a way to have security and functionality I'd prefer that.

        • Can't Mozilla "just" sandbox Flash?

          Or have it run in a chroot jail or so?

          Just thinking. To keep those pieces of thoroughly misbehaving but necessary evil in line.

      • FlashBlock is your friend.

        Unfortunately, it won't cover things in Internet Explorer (duh) or things that you actually DO want to view that use Flash.

        I don't care about Microsoft doing it. If YouTube (read: Google) does it with blatant intent to steal every bit of information they can...... Oh wait, nothing will happen.

        People are too addicted to the things they want and can complain until their blood vessels burst, but they'll continue to use said service.

        I'm sort of wasting logical time posting this. I s

        • Flashblock doesn't work that way, what you need is noscript. The creators of Flashblock specifically state in their FAQ that they don't block LSOs, flash cookies or swf trackers.

      • So the browser shouldn't load the flash plugin, problem fucking solved. Next.

        Yes, it can simply refuse to load flash until a version that plays nicely is made, its not hard, in fact, its really fucking easy actually.

        • Disabling flash for everyone on your machine is easy. Arguing with someone who uses the same PC AND/OR re-enabling it for some emergency when time is important, is hard.

          And you'd be surprised how many places require it. Streetview requires it, Yahoo mail has some hidden attachment functionality, and Youtube's HTML5 video fails, and sucks when it actually FINDS any video that is available in that format... iPhones load all flash-lacking youtube videos OK, but full-size PC implementations are utterly unusable

    • Private browsing isn't so private.. http://panopticlick.eff.org/ [eff.org]

      You can be pretty thoroughly tracked as an individual without cookies at all..

  • A question (Score:4, Insightful)

    by jandersen ( 462034 ) on Tuesday August 23, 2011 @09:01AM (#37177878)

    Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

    • a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

      When Slashdot ran the article about the JavaScript + HTML5 music player, that was my first impression. I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

      • I remember back when scripts reading local files was regarded as a security hole in the browser, not a "cool new feature."

        When the user explicitly consents to use of a specific local file or folder, it's a "cool new feature". When the user does not consent, it's a "security hole". Think of it as like a file upload control in an HTML form, but it works even when a web application is running offline from cache.

        • You need go back before Firefox (or Firebird, or Phoenix) existed, before the term "Web Applications" was coined, and AJAX was still a Microsoft proprietary technology in IE 4.0 called MSXML. Back then you couldn't touch the file input contents until it was posted back to the server since it was considered a security risk.

          As for what I was referring to, it wasn't using an offline cache for its web application. The media player had a file input form element (what you called a 'file upload control') that
          • by tepples ( 727027 )

            before the term "Web Applications" was coined

            Is there a date for that? eBay has always been a web application even before JavaScript postbacks were popular.

            Back then you couldn't touch the file input contents until it was posted back to the server since it was considered a security risk.

            The perceptions and uses of the web have changed so much over the past few years that I forget why they considered it such. But nowadays people rely on less jarring transitions between online use and offline use, especially on laptops and tablets, and JITs have made JavaScript at least speed-competitive with Java if not C++.

            The media player had a file input form element [...] that read the file contents off your drive when you selected one from the file dialog. No posting back to the server or submitting the form was required, just simply picking a file.

            And the key point is that the user explicitly consented to the use of the c

    • by tepples ( 727027 )

      Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

      For one thing, the video, audio, and canvas elements mean not having to deal with Adobe's (historically?) inefficient and security-defective software. For another, CACHE MANIFEST and localStorage allow using a subset of a web application offline for a short period, such as on your laptop while riding the bus, while ceding less control over your system than you would if you were to install a native application.

    • Re:A question (Score:5, Insightful)

      by Anonymous Brave Guy ( 457657 ) on Tuesday August 23, 2011 @10:44AM (#37179422)

      Is there any good reason why one would want to use HTML5 at all? I mean, as a user?

      That's a very fair question, but it's a slightly loaded one. As a user, there is little benefit to any particular web technology, whether it's HTML, CSS, JavaScript, Flash or anything else. As a user, what you care about is results. However, those results depend on what developers can build, typically within a certain amount of time and budget.

      If you have new technologies that allow developers to do new things, and those things benefit the user, then the user wins. However, if you have new technologies that allow developers to do old things in newer, easier, faster ways, and those things benefit the user, then the user also wins, particularly if it becomes viable for developers to make something useful in a cost-effective way when they could have done it before but didn't because it was too expensive in some respect.

      And from that point of view, HTML5 tools like canvas and media tags are a big step up for some jobs over using something like Flash or Java applets.

      That said, I strongly agree that browsers shouldn't be ceding any sovereignty over their users' systems to remote code by default.

      And that said, the most devious tracking mechanism I have yet encountered didn't rely on any sort of cookie/local storage technology. It was essentially based on how various web-related protocols handle caching, it's hard to defeat without getting rid of caching, and you really don't want to get rid of caching. It is possible for browsers to avoid falling into the trap, and now that the attack vector has been identified I expect they'll do something about it.

      Then again, as you read this your browser is probably advertising an almost unique fingerprint that could track you anywhere on the Web without storing anything on your machine at all, every time it sends request headers, and despite this being a well-known problem for quite some time, the browser developers haven't done much about it yet. Until they do, fighting against tricky little local storage vectors is hitting the 1% problem, not the 99% problem...

      • Double plus on your last paragraph -- browser headers are really really unique at this point: http://panopticlick.eff.org/ [eff.org]

        Using cookies is just simpler for advertisers, but banning those on the client without enforcing some "do not track" at the supplier end won't solve the problem. They'll just move to browser headers..

    • by tlhIngan ( 30335 )

      Is there any good reason why one would want to use HTML5 at all? I mean, as a user? So far it all seems to be negative - a load of giving away user control and sovereignty over your own system, packaged as "Wow, cool new feature".

      As opposed to now, where the user doesn't have control over Flash? Sure Adobe's FINALLY added the ability to clear Flash cookies - after how many years of every browser supporting it?

      If you're a geek, HTML5 lets you have fine control over everything - if you don't want to run Javas

  • No problem (Score:5, Informative)

    by maxwell demon ( 590494 ) on Tuesday August 23, 2011 @09:01AM (#37177880) Journal

    The "standard" Firefox plugins already take care of it.

    No DOM storage without JavaScript, no Flash cookies without Flash -> NoScript
    Most tracking cookies come from ad networks -> AdBlock Plus
    Most tracking cookies come from third party domains -> RequestPolicy.
    And if you get one anyway, you can also get rid of it -> BetterPrivacy.

    • Re:No problem (Score:4, Interesting)

      by geminidomino ( 614729 ) on Tuesday August 23, 2011 @09:12AM (#37178032) Journal

      Add in PasswordMaker to that list and you've pretty much summed up why I can never leave Firefox, no matter how batshit-loco the design team gets. :(

      • Konqueror + KDE wallet are missing "only" NoScript.

        But the KDE combo has Kget, what, now that the Firefox is so braindead at downloading things, is quite usefull.

        • Does KDE Wallet generate passwords programatically, without the user getting involved (other than asking it to. PasswordMaker is nice like that. Right-click->"Populate this field" and done).

          Might be worth looking into, though I spend more time working on Windows lately...

    • And how many of those will get perpetually broken by Mozilla adopting speed-of-light updates?
  • by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Tuesday August 23, 2011 @09:06AM (#37177940) Homepage

    OK so the article cites localStorage as a problem, but Chrome at least treats it the same as cookies when clearing private data, and in incognito it shouldn't persist localStorage data across sessions (not sure about other browsers).

    It also mentions that MS was sticking a JS file in the browser cache to recreate a cookie. This doesn't make sense since any file removed from the cache is just redownloaded, unless a custom version of the JS file is crafted for every client and is set to create a specific cookie value (but this isn't clarified in the article). But it sounds more like ETags are used, having nothing to do with the JS file being cached or not. I'm not sure how ETags work but I can't imagine they would be effective in incognito mode either since cache is never kept (and the article infers this is necessary).

    Did I miss anything?

  • I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

    On the other hand you, as a user, are clearly not the customer of a browser developer company. The customers seem to be the advertisers, CAs, anybody that wants to control what you are doing. You, as a user, are

    • Re:ZOMBIE BROWSERS (Score:4, Interesting)

      by geekmux ( 1040042 ) on Tuesday August 23, 2011 @09:33AM (#37178288)

      I am sorry, but just talking about cookies doesn't go far enough to describe what is happening here. It is about zombie browsers, that are just building in more and more functionality to turn your computer into a device that is not controlled by you, but is controlled by various special interests.

      From tablets to cell phones, tell me something I don't know. A lack of control down into the lower levels of these types of devices has been lacking for some time now.

      There needs to be a way for the user to control what is happening on his machine, otherwise it's not a general purpose computer, but some proprietary gadget that you have there...

      Uhhh, yeah..which is exactly their intent with this design. In much the same way that human voice interaction is dying, so is the "personal" computer. What the hell do you need "flexibility" for when every device will be reduced to a pseudo-tablet in the near future, with everything moving to the "cloud"? Allow the functionality, introduce multiple attack vectors and nightmares for support. Lock it down, and you piss off the user community who gets pissed off every time they get a virus or malware infection. Of course, they got infected because they want flexibility.

      Since we already know why you should draw a line, the question is where do you draw the line.

    • You're 100% correct.

      enableHumor();

      Let me ask the question that creates a loopback to itself over and over (especially in the USA): "Where do I $BUY$ the browser that doesn't allow any of this and enables me to view an ad-free Internetzzz?"

      "Wait, you meant that only YOUR ads wouldn't show? But your advertisement said your browser blocked advertisement if I bought it! Weird wording sold your product, you crafty people, you. Okay, so how do I get a version that really blocks all ads? Oh, an add-on. Weird

  • Microsoft disgust me. After decades of this sort of deceitful behaviour, it is evidently still too much to expect Microsoft to actually do the 'right thing' in the first place.

    Even without any sort of ethics, they're also too stupid to actually learn their lesson that all these scams that Microsoft repeatedly perpetrate on their own customers always eventually get discovered and backfire with far more loss of face and therefore sales than presumably they gain from doing the thing in the first place.

  • by kaizendojo ( 956951 ) on Tuesday August 23, 2011 @09:20AM (#37178148)
    Why is it that the only company mentioned here is Microsoft, when in fact the original research article shows this to be a lot more wide spread by some big names - none of which were mentioned here. From the Stanford article (http://cyberlaw.stanford.edu/node/6695): "We also examined a series of URL lists (spreadsheet) that contain 15,511 entries. The URLs and interest segments range greatly. Some URLs are for a landing page; others are for a specific page. Some interest segments are broad; others are fine-grained. A few example segments:


    Segment 758: discount sites including Groupon and eBay Daily Deals Segment 876: sites about coffee, including Dunkin' Donuts, Folgers, and Starbucks Segments 984-989: home improvement sites including Home Depot and Grainger Segment 2701: pages about the Ford Fiesta Several interest segments are highly sensitive:

    Segment 760: pages about getting pregnant and fertility, including at the Mayo Clinic Segment 2640: pages about menopause, including at the NIH and the University of Maryland Segment 2014: pages about repairing bad credit, including at the FTC Segment 2265: pages about debt relief, including at the FTC and the IRS"

    Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed? That we we can all be aware of just how widespread an issue this is instead of just another "Microsoft is Evil" piece.
    • by Tim C ( 15259 )
      Actually, nobody said anything about anything abhorrent, the word used was aberrant [cambridge.org]. Of course if they had done as you ask, that really would be aberrant behaviour round here...
    • Please folks - If you're going to bring this to our attention, how about leaving your obvious biases aside and tell the whole story so we can be truly informed?

      Indirect quote (*snort*):

      *temper tantrum*
      "Because there's no ca$h in that!!!! I want money and I'm gonna say what I want to get that from you, you person who is easily deceived by want, you. My daddy taught me that!" :)

  • Can't you setup browsers to prompt to create local storage?

    • by Sloppy ( 14984 ) on Tuesday August 23, 2011 @09:39AM (#37178362) Homepage Journal

      Can't you setup browsers to prompt to create local storage?

      The article does a major disservice to everyone (and I wish we could mod it down) by making up the term "zombie cookies." This new bullshit term hides what's going on and makes us all a little bit stupider. All I have to do to answer your question, is tell you what the article is really about. Instead of making up a bullshit term to confuse you, I'll use a descriptive term.

      Ready?

      Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

      See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies. Now instead of misleading people into thinking their browsers have a problem with cookies and other local storage, people see that the real problem they have with their browsers is plugins, which allows them to run native code that totally bypasses all the browsers' policies.

      Flash cookies. Watch all the questions disappear .. but oops .. all the traffic to the fucking article disappears too, since people don't have to click through, read the first article that makes the weird reference to zombies, then click through to another article that explains WTF "zombie cookies" are about.

      Slashdot should not have linked to this piece of shit.

      • by macshit ( 157376 )

        Flash Cookies. The article is about websites caught using Flash cookies instead of browser cookies.

        See, asshole-who-wrote-the-article, that wasn't hard. Flash cookies.

        Soooooo, can't you just delete the Flash cookie directory? That seems like it'd nuke 'em pretty good...

      • by Inda ( 580031 )
        TFA was also talking about HTML5 and its ability to perform local storage.

        Was the article that shit? Have I really been duped? Twice?
      • by BitZtream ( 692029 ) on Tuesday August 23, 2011 @10:12AM (#37178880)

        It actually wasn't about flash cookies.

        It was about using browser cache as storage medium by doing some neat tricks on the server to get the browser to keep a javascript file in cache, which inturn functions as a cookie when used by various pages that reference it.

        Page requests cookie.js, the server then serves cookie.js with a cache expiry of a hundred years into the future, and says it hasn't changed in a hundred years either.

        Your browser caches it and then doesn't request a new copy for a 100years, why should it, it was told the file isn't going to change.

        The data in the file now serves as a unique ID which can be used to associate your browsing habits.

        THAT IS A ZOMBIE COOKIE. It has nothing to do with flash. This isn't new, a friend of mine and I discovered this years ago by accident due to a bug in a web app we were working on.

      • by Pionar ( 620916 )

        Can we mod this down, please? It's completely wrong, The Microsoft thing has nothing to do with Flash cookies.

  • by neokushan ( 932374 ) on Tuesday August 23, 2011 @09:30AM (#37178250)

    A lot of commenters here seem to be taking what I would consider as extreme measures in order to avoid these cookies. Running your browser in a VM which resets each time you close it? Installing numerous addons (I see someone listed 4 you need to install to cover yourself)? Does anyone else not think that perhaps instead of avoiding the issue, it should be tackled head on?

    What I mean is - if this is such a serious issue, why are we standing by just letting it happen when we could be petitioning the various standards committees, plugin developers and browser manufacturers to do something about it? The so-called zombie cookie (or Supercookie) exists because we let it exist. It's clearly an exploit in the way various technologies work together and it should be treated as such, i.e. patched until it can't be done any more.

    Furthermore, any company that uses this tactic should be taken to court since it's a clear and deliberate violation of privacy. I.e. if I decide to delete a cookie, I'm making it explicitly clear that I want it gone - I'm opting OUT, so keep it that way.

    • by Tailhook ( 98486 )

      why are we standing by

      Self interest explains this. If cookies cease to `work' for the purposes of the ad networks then they'll make sites cease to work for those of us that thwart them. They're footing the bill for a lot of the `Internet', including the site you're reading now, so they call the shots. Since cookies still work for their purposes I get what I want with little bother, while everyone else has their every click correlated to their profile.

      I don't want some grand solution that puts everyone at parity with me, becau

  • by Toonol ( 1057698 ) on Tuesday August 23, 2011 @09:31AM (#37178274)
    I'm mostly glad to see the implementation of HTML5 everywhere, but it has some problems.

    People thought that you could get rid of a lot of annoyances by increasing HTML5's capabilities to become more on par with Flash. Flash could be ditched. However, all it really means is that all the nuisances that were made in Flash (animated and noisy ads, commercials, persistent cookies, etc.) will now be made in HTML.

    Flash wasn't really the problem... it was just one of the vectors FOR the problem. Now, HTML5+Javascript will take Flash's place in the eyes of marketers and spammers everywhere.
    • This has absolutely 0 to do with HTML5 and works in any browser since (and including) Netscape Navigator.

      It does not however get around private browsing (at least not by itself, current flash implementations would allow it to do so however)

  • Please correct me if I am wrong on this; but it would seem that, in principle, it would be quite tractable to generate a 'local persistence profile' tracing the activity generated by loading a URL as a series of addition, deletion, and modification operations to the state that existed before the URL was loaded(in the same way the various browsers' dev tools allow you to trace the network activity and script execution associated with loading a URL). With that, the user would have broad power(limited largely
  • I just change the permissions on my cookies file to read only.

  • Invisibility is futile. We need fake cookies, or randomly collected cookies, so that the advertising value of a cookie falls, i.e. "information inflation". Sure, Vehix knows now that I was car shopping, but what if EVERYONE had a copy of the Vehix search on their Html? What if in addition to the car I was really searching for, my browser held a record of every other car I wasn't interested in? Why can't we just run a random program, searching for random words, in the background, loading up on Zombie co
    • Greasemonkey is a plug-in for Firefox that allows automatically executing your own scripts whenever you go to URLs that match a given pattern. You could easily write a script that looks at document.cookie and alters whatever cookies it sees. The only hard part would be deciding which cookies to overwrite, and how.
    • something like this? [cnet.com]

      if major browsers were forced to add this feature, the tiny background randomizing auto browser baking cookies at incomprehensible rates... I wonder what the demographics would be understood as by trendspotters... would anyone notice?

Keep up the good work! But please don't ask me to help.

Working...