What are supercookies?

Look! Up on the screen! Is it a cache? Is it a cookie? No! It’s a … supercookie?

Although they might sound like something from a cult comic, supercookies in fact are very real and have far greater powers than the normal HTTP cookies that we’re all at least somewhat familiar with.

In late January, supercookies came into the news when Mozilla pledged to “crack down” on them with the release of Firefox 85. This was overshadowed, however, by the announcement that it would also be ending support for Adobe Flash Player – the browser plugin that had a significant role in shaping the early internet.

While the security issues surrounding Flash were well known and fairly straightforward, supercookies are arguably more insidious. It’s worth taking the time, then, to understand the impact they can have on our security and privacy.

How are supercookies different from normal cookies?

Standard cookies are small text files stored by your browser that contain data on your search habits, the sorts of ads you like to click on, and the length of time you spend on a given website.

According to Kevin Curran, senior member of the Institute of Electrical and Electronics Engineers (IEEE) and professor of cybersecurity at Ulster University, cookies can be used for a variety of purposes, from identifying users and storing their preferences, to helping them complete tasks more easily, such as filling out online forms without having to re-enter information.

The problem with cookies is that they’re a bit like an overeager friend – although they make themselves incredibly useful, after a while you might regret how much personal information you’ve shared with them.

Thankfully, cookies are also easily removable. As Curran explains: “There are different types of cookies, varying from session cookies, which are erased once the session is over, to persistent cookies that persist for a period afterwards.” Regardless of the length of their lifetime, the premise is that they aren’t completely permanent.

Herein lies the main difference between normal cookies and supercookies.

André Thompson, data protection officer and privacy counsel at data analytics provider Truata, says that “unlike regular cookies, supercookies are not stored on user devices”.

“These supercookies are able to recreate a user’s online behaviour from data on their internet connected devices – even when browser cookies are deleted – as the tracking takes place through HTTP headers and not local storage. These trackers can, therefore, abuse local internet caches and connection identifiers to create profiles of data subjects which accepted user privacy behaviours (such as clearing cookies) cannot combat,” he explains.

Bogdan Botezatu, director of Threat Research & Reporting at Bitdefender, highlights that supercookies aren’t even cookies – at least in the technical meaning of the term.

“A supercookie is a general term for a wide range of technologies used to permanently track a user by placing ‘flags’ on the browser or device,” he explains, adding that they are most often used by adtech companies or internet service providers (ISPs).

“Supercookies are much more difficult to block or delete because they don’t use the same approach as cookies. They are using obscure, atypical parts of the browser to store data, such as HSTS caches, Flash Storage and so on.”

Security and privacy

Thanks to the combination of tracking users’ data as well as being difficult to remove, supercookies create unique security and privacy challenges.

Trend Micro senior engineer Simon Walsh identifies user data integrity as one of the prime concerns.

“Malicious actors can potentially extract private information from supercookies and use them to impersonate or tamper with user requests to another website sharing the same top-level domain or public suffix, e.g. .com or .net,” he warns.

A significant security incident involving supercookies took place in November 2015, when state-backed hackers managed to compromise over 100 websites in an effort to track their victims. According to a report by cyber security company FireEye, the threat actors deployed supercookies onto their targets’ devices, and collected computer and browser configurations as well.

To protect your data from the unwanted scrutiny of supercookies and the threat actors willing to exploit them, Thompson recommends keeping your browser up to date with the latest version. This, he says, “can isolate data to the specific website it came from, making cross-site tracking difficult and preserving user privacy”.
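The isolation Thompson describes is what Firefox 85 calls network partitioning: browser-side caches are keyed by the top-level site being visited as well as by the resource origin. The toy model below is an added example, not code from the article or from Mozilla; it assumes a hypothetical tracker origin and constructed site names, and shows why a cache-resident identifier links visits across sites without partitioning but not with it.

```python
"""Toy model of cache-based supercookies versus network partitioning.
Added example, not from the article. The store stands in for any
browser-side cache a tracker can abuse (the article names HSTS caches
and Flash storage); the mechanism is deliberately abstract."""
import secrets

TRACKER = "https://tracker.example"  # hypothetical tracker origin (constructed)

class Browser:
    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self.store = {}  # cache key -> identifier the tracker planted

    def _key(self, top_level_site: str, origin: str):
        # Partitioned: entry keyed by (top-level site, origin).
        # Unpartitioned: entry keyed by origin only, shared across sites.
        return (top_level_site, origin) if self.partitioned else (origin,)

    def load_tracker(self, top_level_site: str) -> str:
        """Simulate the tracker's embedded resource being fetched from a page
        on `top_level_site`; return the identifier the tracker observes."""
        key = self._key(top_level_site, TRACKER)
        if key not in self.store:
            # First fetch under this key: tracker plants a fresh identifier.
            self.store[key] = secrets.token_hex(8)
        return self.store[key]

def tracker_can_link(partitioned: bool, sites) -> bool:
    """True if one browsing session exposes a single identifier on all sites,
    i.e. the tracker can stitch the visits into one cross-site profile."""
    browser = Browser(partitioned)
    seen = {browser.load_tracker(site) for site in sites}
    return len(seen) == 1

# Constructed sample sites that all embed the same tracker.
SITES = ["https://news.example", "https://shop.example", "https://forum.example"]

if __name__ == "__main__":
    print("unpartitioned, cross-site linkable:", tracker_can_link(False, SITES))
    print("partitioned,   cross-site linkable:", tracker_can_link(True, SITES))
```

Within a single top-level site the identifier still persists, which is what lets the site's own functionality keep working; it is only the cross-site join that partitioning breaks.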

Legal challenges

Walsh says that legislation has a role to play in the fate of supercookies, citing a 2016 case between the US Federal Communications Commission (FCC) and Verizon Wireless, which was accused of violating the privacy of its customers by failing to inform them about its use of supercookies.

Ultimately, Verizon settled the case out of court for $1.35 million (around £970,000), which Walsh describes as a “small fine for them, but one that nonetheless drew attention to [the] growing use of the technology”.

“Closer to home, GDPR stipulates that you can’t track users without their consent. Extending this to supercookies and – importantly – forcing ISPs to implement any measures undertaken in a transparent manner would be most welcome,” he adds.

“While supercookies remain legal for now, it’s encouraging to see newer browsers such as Firefox’s January 2021 release crack down on their use.”

For its part, Mozilla tells IT Pro this is only the beginning of the fight against supercookies.

“We also have plans for more protections against cross-site tracking, which we will be announcing in the coming weeks.”
