What are supercookies?

Look! Up on the screen! Is it a cache? Is it a cookie? No! It’s a … supercookie?

Although they might sound like something from a cult comic, supercookies in fact are very real and have far greater powers than the normal HTTP cookies that we’re all at least somewhat familiar with.

In late January, supercookies came into the news when Mozilla pledged to “crack down” on them with the release of Firefox 85. This was overshadowed, however, by the announcement that it would also be ending support for Adobe Flash Player – the browser plugin that had a significant role in shaping the early internet.

While the security issues surrounding Flash were well known and fairly straight forward, supercookies are arguably more insidious. It’s worth taking the time, then, to understand the impact they can have on our security and privacy.

How are supercookies different from normal cookies?

Standard cookies are small files installed on your browser that contain data on your search habits, the sorts of ads you like to click on, as well as the length of time spent on a given website.

According to Kevin Curran, senior member of the Institute of Electrical and Electronics Engineers (IEEE) and professor of cybersecurity at Ulster University, cookies can be used for a variety of purposes, from identifying users and storing their preferences, to helping them complete tasks more easily, such as filling out online forms without having to re-enter information.

The problem with cookies is that they’re a bit like an overeager friend – although they make themselves incredibly useful, after a while you might regret how much personal information you’ve shared with them. 

Thankfully, cookies are also easily removable. As Curran explains: “There are different types of cookies, varying from session cookies, which are erased once the session is over, to persistent cookies that persist for a period afterwards.” Regardless of the length of their lifetime, the premise is that they aren’t completely permanent.

Herein lies the main difference between normal cookies and supercookies.

André Thompson, data protection officer and privacy counsel at data analytics provider Truata, says that “unlike regular cookies, supercookies are not stored on user devices”.

“These supercookies are able to recreate a user’s online behaviour from data on their internet connected devices – even when browser cookies are deleted – as the tracking takes place through HTTP headers and not local storage. These trackers can, therefore, abuse local internet caches and connection identifiers to create profiles of data subjects which accepted user privacy behaviours (such as clearing cookies) cannot combat,” he explains.

Bogdan Botezatu, director of Threat Research & Reporting at Bitdefender, highlights that supercookies aren’t even cookies – at least in the technical meaning of the term.

“A supercookie is a general term for a wide range of technologies used to permanently track a user by placing ‘flags’ on the browser or device,” he explains, adding that they are most often used by adtech companies or internet service providers (ISPs).

“Supercookies are much more difficult to block or delete because they don’t use the same approach as cookies. They are using obscure, atypical parts of the browser to store data, such as HSTS caches, Flash Storage and so on.”

Security and privacy

Thanks to the combination of tracking users’ data as well as being difficult to remove, supercookies create unique security and privacy challenges.

Trend Micro senior engineer Simon Walsh identifies user data integrity as one of the prime concerns.

“Malicious actors can potentially extract private information from supercookies and use them to impersonate or tamper with user requests to another website sharing the same top-level domain or public suffix, e.g. .com or .net.,” he warns.

A significant security incident involving supercookies took place in November 2015, when state-backed hackers managed to compromise over 100 websites in an effort to track their victims. According to a report by cyber security company FireEye, the threat actors deployed supercookies onto their targets’ devices, and collected computer and browser configurations as well.

To protect your data from the unwanted scrutiny of supercookies and the threat actors willing to exploit them Thompson recommends keeping your browser up-to-date with the latest version. This, he says, “can isolate data to the specific website it came from, making cross-site tracking difficult and preserving user privacy”.

Legal challenges 

Walsh says that legislation has a role to play in the fate of supercookies, citing a 2016 case between the US Federal Communications Commissions (FCC) and Verizon Wireless, which was accused of violating the privacy of its customers by failing to inform them about its use of supercookies.

Ultimately, Verizon settled the case out of court for $1.35 million (around £970,000), which Walsh describes as a “small fine for them, but one that nonetheless drew attention to [the] growing use of the technology”.

“Closer to home, GDPR stipulates that you can’t track users without their consent. Extending this to supercookies and – importantly – forcing ISPs to implement any measures undertaken in a transparent manner would be most welcome,” he adds.

“While supercookies remain legal for now, it’s encouraging to see newer browsers such as Firefox’s January 2021 release crack down on their use.”

For its part, Mozilla tells IT Pro this is only the beginning of the fight against supercookies. 

“We also have plans for more protections against cross-site tracking, which we will be announcing in the coming weeks.”

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021
US fuel pipeline hackers reveal their motive
ransomware

US fuel pipeline hackers reveal their motive

11 May 2021
Trend Micro and Snyk team up to combat open source flaws
vulnerability

Trend Micro and Snyk team up to combat open source flaws

10 May 2021
Virtual desktops and apps for dummies
Whitepaper

Virtual desktops and apps for dummies

10 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021