A software developer in London, UK, has discovered a piece of code that lets a normal browsing session carry over into the browser's privacy mode, causing the privacy mode to fail.
Currently, all major browsers offer a privacy protection mode. In this mode, website cookies cannot track the user's identity. For example, Google Chrome offers a feature called "Incognito," while Firefox offers a "Privacy Window" feature. However, this newly discovered vulnerability will cause the browser's privacy mode to fail. For example, a user might shop on Amazon.com or browse Facebook in a normal browser window, then launch a privacy window to read a blog with controversial content. If the blog uses the same ad network as Amazon or integrates Facebook's "Like" button, then the advertisers and Facebook can learn that the user who visits Amazon and Facebook is also visiting the controversial blog.
There is a temporary workaround for this vulnerability, but it is cumbersome: users can delete all cookies before activating privacy mode, or use a separate browser dedicated entirely to private browsing.
Ironically, this vulnerability is caused by a feature designed to enhance privacy protection. If a user types the https:// prefix in the browser's address bar to encrypt communications with certain websites, some browsers will remember this. The browser saves a "super cookie" to ensure that the next time the user connects to the website, the browser automatically uses the https channel. This memory persists even if the user has enabled privacy mode. At the same time, such super cookies also allow third-party web programs, such as advertisements and social media buttons, to remember the user.
Sam Greenhalgh, the independent researcher who discovered the vulnerability, said in a blog post that this feature is not yet used by any company. However, now that the method has been made public, there is no way to stop companies from doing so. Eugene Kuznetsov, co-founder of online privacy software company Abine, believes that this "super cookie" will become the next generation of tracking tools. The tool grew out of cookies, but it has become more sophisticated.
Currently, users always have a unique device identifier and a unique browser fingerprint while browsing, both of which are difficult to erase. The existence of "super cookies" has made Internet anonymity even harder to achieve. Kuznetsov said: "We have seen an arms race on privacy protection. The desire to track Internet users is like a parasite. Anything in your browser is being scrutinized by websites and advertisers, allowing for more tracking."
Mozilla has already fixed this in the latest version of Firefox, while Google is inclined to leave Chrome as it is. Google already knows about the problem with "super cookies", but still chooses to keep Chrome's https memory feature enabled. Between security and privacy protection, Google has chosen the former. Microsoft Internet Explorer does not have this problem, because the browser has no built-in https memory function. Greenhalgh also said that the problem caused by "super cookies" exists on iOS devices as well.