What are supercookies?

Look! Up on the screen! Is it a cache? Is it a cookie? No! It’s a … supercookie?

Although they might sound like something from a cult comic, supercookies in fact are very real and have far greater powers than the normal HTTP cookies that we’re all at least somewhat familiar with.

In late January, supercookies came into the news when Mozilla pledged to “crack down” on them with the release of Firefox 85. This was overshadowed, however, by the announcement that it would also be ending support for Adobe Flash Player – the browser plugin that had a significant role in shaping the early internet.

While the security issues surrounding Flash were well known and fairly straightforward, supercookies are arguably more insidious. It’s worth taking the time, then, to understand the impact they can have on our security and privacy.

How are supercookies different from normal cookies?

Standard cookies are small pieces of data that a website stores in your browser; they can hold information such as your search habits, the sorts of ads you like to click on, and the length of time you spent on a given website.

According to Kevin Curran, senior member of the Institute of Electrical and Electronics Engineers (IEEE) and professor of cybersecurity at Ulster University, cookies can be used for a variety of purposes, from identifying users and storing their preferences, to helping them complete tasks more easily, such as filling out online forms without having to re-enter information.

The problem with cookies is that they’re a bit like an overeager friend – although they make themselves incredibly useful, after a while you might regret how much personal information you’ve shared with them.

Thankfully, cookies are also easily removable. As Curran explains: “There are different types of cookies, varying from session cookies, which are erased once the session is over, to persistent cookies that persist for a period afterwards.” Regardless of the length of their lifetime, the premise is that they aren’t completely permanent.

Herein lies the main difference between normal cookies and supercookies.

André Thompson, data protection officer and privacy counsel at data analytics provider Truata, says that “unlike regular cookies, supercookies are not stored on user devices”.

“These supercookies are able to recreate a user’s online behaviour from data on their internet connected devices – even when browser cookies are deleted – as the tracking takes place through HTTP headers and not local storage. These trackers can, therefore, abuse local internet caches and connection identifiers to create profiles of data subjects which accepted user privacy behaviours (such as clearing cookies) cannot combat,” he explains.

Bogdan Botezatu, director of Threat Research & Reporting at Bitdefender, highlights that supercookies aren’t even cookies – at least in the technical meaning of the term.

“A supercookie is a general term for a wide range of technologies used to permanently track a user by placing ‘flags’ on the browser or device,” he explains, adding that they are most often used by adtech companies or internet service providers (ISPs).

“Supercookies are much more difficult to block or delete because they don’t use the same approach as cookies. They are using obscure, atypical parts of the browser to store data, such as HSTS caches, Flash Storage and so on.”

Security and privacy

Thanks to the combination of tracking users’ data as well as being difficult to remove, supercookies create unique security and privacy challenges.

Trend Micro senior engineer Simon Walsh identifies user data integrity as one of the prime concerns.

“Malicious actors can potentially extract private information from supercookies and use them to impersonate or tamper with user requests to another website sharing the same top-level domain or public suffix, e.g. .com or .net,” he warns.

A significant security incident involving supercookies took place in November 2015, when state-backed hackers managed to compromise over 100 websites in an effort to track their victims. According to a report by cyber security company FireEye, the threat actors deployed supercookies onto their targets’ devices, and collected computer and browser configurations as well.

To protect your data from the unwanted scrutiny of supercookies and the threat actors willing to exploit them, Thompson recommends keeping your browser up to date with the latest version. This, he says, “can isolate data to the specific website it came from, making cross-site tracking difficult and preserving user privacy”.
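The HSTS-cache storage Botezatu mentions above, and the per-site isolation of browser data that Thompson recommends, can be illustrated with a small simulation. The Python below is an added example, not code from the article, from Mozilla or from any browser: the hostnames are constructed for it, the two-label "site" key stands in for a real Public Suffix List lookup, and the browser's HSTS memory is modelled as a plain set. It shows why a single global HSTS table can act as cross-site storage, and why keying that table by the top-level site the user is visiting (the approach Firefox 85 took with network partitioning) leaves each site with an empty table of its own.

```python
"""Added example: simulate why partitioning HSTS state by top-level site
defeats HSTS-cache 'supercookies'.

A browser remembers which hosts have sent Strict-Transport-Security so it
can upgrade later http:// requests to https://. If that memory is one global
table, a tracker controlling a handful of subdomains can treat each
'remembered or not' entry as one bit of an identifier and read it back from
any site that embeds those subdomains. If the table is keyed by the site
being visited, the entries written on one site are invisible on another.

All hostnames here are constructed for the example.
"""
from dataclasses import dataclass, field

TRACKER_BITS = 8
TRACKER_HOSTS = [f"b{i}.tracker.example" for i in range(TRACKER_BITS)]


def site_key(host: str) -> str:
    """Approximate the 'site' (registrable domain) used as partition key.
    Real browsers consult the Public Suffix List; two labels suffice here."""
    return ".".join(host.split(".")[-2:])


@dataclass
class HstsStore:
    """Model of the browser's HSTS memory: global, or partitioned by site."""
    partitioned: bool
    _table: set = field(default_factory=set)

    def _key(self, top_site: str, host: str):
        return (site_key(top_site), host) if self.partitioned else (None, host)

    def record_hsts(self, top_site: str, host: str) -> None:
        """Browser received Strict-Transport-Security from host while on top_site."""
        self._table.add(self._key(top_site, host))

    def is_known_hsts(self, top_site: str, host: str) -> bool:
        """Would the browser upgrade http://host to https while on top_site?"""
        return self._key(top_site, host) in self._table


def write_id(store: HstsStore, top_site: str, ident: int) -> None:
    """Tracker content embedded on top_site marks one entry per set bit."""
    for i, host in enumerate(TRACKER_HOSTS):
        if (ident >> i) & 1:
            store.record_hsts(top_site, host)


def read_id(store: HstsStore, top_site: str) -> int:
    """Tracker content embedded on top_site rebuilds the value from which
    hosts the browser would upgrade; unknown hosts read as 0 bits."""
    return sum(1 << i for i, host in enumerate(TRACKER_HOSTS)
               if store.is_known_hsts(top_site, host))


def cross_site_leak(partitioned: bool) -> int:
    """Write an identifier while on one site, read it back from another.
    Returns the value recovered on the second site (0 means nothing leaked)."""
    store = HstsStore(partitioned=partitioned)
    write_id(store, "news.example", 0b10110010)   # 178, constructed id
    return read_id(store, "shop.example")


if __name__ == "__main__":
    print("global HSTS table, read from another site:", cross_site_leak(False))
    print("partitioned HSTS table, read from another site:", cross_site_leak(True))
```

Running the block prints 178 for the global table and 0 for the partitioned one: the same entries are still honoured when the user returns to news.example, so HTTPS upgrades keep working there, but a tracker embedded on shop.example sees a fresh, empty table. This is the sense in which a modern browser can "isolate data to the specific website it came from"; the data is not deleted, it is simply no longer shared between sites.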

Legal challenges

Walsh says that legislation has a role to play in the fate of supercookies, citing a 2016 case between the US Federal Communications Commission (FCC) and Verizon Wireless, which was accused of violating the privacy of its customers by failing to inform them about its use of supercookies.

Ultimately, Verizon settled the case out of court for $1.35 million (around £970,000), which Walsh describes as a “small fine for them, but one that nonetheless drew attention to [the] growing use of the technology”.

“Closer to home, GDPR stipulates that you can’t track users without their consent. Extending this to supercookies and – importantly – forcing ISPs to implement any measures undertaken in a transparent manner would be most welcome,” he adds.

“While supercookies remain legal for now, it’s encouraging to see newer browsers such as Firefox’s January 2021 release crack down on their use.”

For its part, Mozilla tells IT Pro this is only the beginning of the fight against supercookies.

“We also have plans for more protections against cross-site tracking, which we will be announcing in the coming weeks.”
