
Supercookies in the Wild

Posted in Privacy & Security


Internet Security 101 Series
  1. Introduction to Hacking
  2. History of Cryptography
  3. Why Privacy Matters
  4. Supercookies in the Wild
  5. Ultimate Guide to SSL for the Newbie
  6. How Internet Security and SSL Works to Secure the Internet
  7. Man in the Middle Hacking and Transport Layer Protection
  8. Cookie Security and Session Hijacking
  9. What is Cross Site Scripting? (XSS)
  10. What is Internal Implementation Disclosure?
  11. Parameter Tampering and How to Protect Against It
  12. What are SQL Injection Attacks?
  13. Protection Against Cross Site Attacks

In 2011 I wrote an article about a new web technology called supercookies. Now, a year later, what has changed in the tracking department?

Supercookies provide a means by which you can be tracked online regardless of whether you clear your browser cache or temporary internet files, or even disable traditional cookies.

Supercookies do not notify you that they are storing information or tracking you, and you have no choice: they will be used whether you like it or not. They track you between websites, the data is shared with third parties even if the privacy policy says it is not, and you cannot delete or block them.

At the time of writing that previous article, supercookies were in their infancy and used by only a few websites such as MSN and Google. Now, a year later, they have evolved into commercial products and they are everywhere. Supercookies are also an easy way for advertisers and trackers to evade the "Do Not Track" option of browsers.

Supercookies are now being used to identify and track you via your internet browser even after you remove standard cookies, delete Flash cookies (Local Shared Objects or LSOs), delete Silverlight storage, delete temporary internet files and wipe out anything else. In fact, they are very difficult to get rid of, because if one of the storage locations gets deleted, it replicates itself from another location. It is estimated (at the time of writing) that 1.5% of the top 1 million sites use supercookies (that's 15,000 websites and growing).

There is another word for software that installs itself onto a computer without permission, is difficult to get rid of, replicates to many locations, and restores deleted versions. That word is computer virus, and I treat supercookies with the same contempt.

So far supercookies have been found to infect the following storage areas on computers:

  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Silverlight Isolated Storage
  • Storing cookies in the RGB values of auto-generated, force-cached PNGs, using the HTML5 Canvas tag to read the pixels (cookies) back out
  • Storing cookies in Web History
  • Storing cookies in HTTP ETags
  • Storing cookies in Web cache
  • window.name caching
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite
  • Probably more yet to be found...

One particular pest is called evercookie, which seems to be a method for tracking people; it has been around since the start, and there is even a WordPress plugin for it. In their own words:

evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.
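To make the replication behaviour described in the quote above, and the storage list before it, concrete from the defender's side, here is an added example that is not code from the article or from the evercookie project. It audits the storage areas that page JavaScript can actually reach (standard cookies, localStorage, sessionStorage and window.name), reports any value that has been replicated into two or more of them, which is the signature of evercookie-style tracking, and purges all copies in a single pass. It assumes a browser environment when given the real `document.cookie`, `localStorage`, `sessionStorage` and `window.name`; the `sampleEnv` at the bottom is a constructed stand-in so the code also runs outside a browser. Mechanisms that need a plugin or server cooperation (Flash LSOs, Silverlight, ETags, the cached-PNG trick, browser history) are not visible to page scripts and are out of its reach. All function and field names are my own.

```javascript
// Added example: audit the browser storage areas that page JavaScript can
// reach for an identifier replicated across several of them. Not part of the
// article or of the evercookie project; function and field names are my own.

function parseCookies(cookieHeader) {
  // document.cookie reads as "name=value; name2=value2"
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

function storageToObject(storage) {
  // Accepts a Web Storage object (localStorage/sessionStorage) or a plain
  // object used as a stand-in outside the browser.
  const out = {};
  if (!storage) return out;
  if (typeof storage.key === "function" && typeof storage.length === "number") {
    for (let i = 0; i < storage.length; i++) {
      const k = storage.key(i);
      out[k] = storage.getItem(k);
    }
  } else {
    Object.assign(out, storage);
  }
  return out;
}

function snapshotStores(env) {
  // env: { cookie: document.cookie, local: localStorage,
  //        session: sessionStorage, windowName: window.name }
  return {
    cookie: parseCookies(env.cookie || ""),
    localStorage: storageToObject(env.local),
    sessionStorage: storageToObject(env.session),
    windowName: env.windowName ? { "window.name": env.windowName } : {},
  };
}

function findReplicatedValues(stores, minLength = 8) {
  // Index every stored string by value; a value of at least minLength
  // characters (short flags like "1" or "en" are ignored) that shows up in
  // two or more different stores is reported as a likely tracking ID.
  const byValue = new Map();
  for (const [store, entries] of Object.entries(stores)) {
    for (const [key, value] of Object.entries(entries)) {
      if (typeof value !== "string" || value.length < minLength) continue;
      if (!byValue.has(value)) byValue.set(value, []);
      byValue.get(value).push({ store, key });
    }
  }
  const findings = [];
  for (const [value, locations] of byValue) {
    if (new Set(locations.map((l) => l.store)).size >= 2) {
      findings.push({ value, locations });
    }
  }
  return findings;
}

function purgeFindings(env, findings) {
  // Remove every copy in one pass: deleting a single copy lets the script
  // restore it from another location. Expiring a cookie only reaches cookies
  // for the current path, and HttpOnly cookies are not visible to scripts.
  let removed = 0;
  for (const { locations } of findings) {
    for (const { store, key } of locations) {
      if (store === "cookie") {
        if (typeof document !== "undefined") {
          document.cookie = `${key}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
        }
        env.cookie = (env.cookie || "").split(";")
          .filter((p) => p.slice(0, p.indexOf("=")).trim() !== key).join(";");
      } else if (store === "windowName") {
        env.windowName = "";
        if (typeof window !== "undefined") window.name = "";
      } else {
        const target = store === "localStorage" ? env.local : env.session;
        if (typeof target.removeItem === "function") target.removeItem(key);
        else delete target[key];
      }
      removed++;
    }
  }
  return removed;
}

function browserEnv() {
  // Build env from the real browser globals (only meaningful inside a page)
  return { cookie: document.cookie, local: localStorage,
           session: sessionStorage, windowName: window.name };
}

// Constructed sample: the same 12-character token planted in three stores
const sampleEnv = {
  cookie: "uid=ab12cd34ef56; lang=en",
  local: { ec_uid: "ab12cd34ef56", theme: "dark" },
  session: {},
  windowName: "ab12cd34ef56",
};
```

In a real page, `findReplicatedValues(snapshotStores(browserEnv()))` from the developer console lists the replicated identifiers with the store and key each copy lives under; passing the result to `purgeFindings(browserEnv(), findings)` removes them together. Matching on identical values across stores is deliberately simple: a script that encodes the identifier differently per store (for example hex in one place and base64 in another) would evade it, so treat the audit as a quick check rather than a guarantee.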

How to Block evercookie and supercookies

Currently, there is no practical way to block supercookies. Using Incognito or Safe Browsing modes will help, but there is no guarantee that they will block supercookies.

The only surefire method is to disable JavaScript and block the regular cookies as well, but as I found out, most websites simply will not function anymore.

Simply disabling JavaScript will not remove already existing supercookies, but they will be inactive due to the disabled JavaScript support.

Another option, although hardly feasible, is to use a virtual machine. When you're finished browsing the web, simply delete the virtual machine and clone a copy from the master. Next time you start from a clean copy and when you're done, delete it again.

My current techniques for blocking supercookies consist of using the FlashBlock plugin, which disables all Flash content unless I specifically allow an applet to run.

I also use AdBlockPro, which blocks most ads and tracking; this speeds up browsing and also blocks cookies set by advertisers.

I have also disabled JavaScript, only allowing specific sites to run, same for cookies.

Unfortunately, applications such as CCleaner are unable to remove all records of evercookie so I cannot recommend their use at this time.

Last updated on: Saturday 17th June 2017
