Microsoft Cookies jump Domains
Kevin Poulsen, SecurityFocus 2000-09-12

Privacy advocates laud Microsoft for Internet Explorer's new cookie-controls, while the company tries out a new scheme for tracking web surfers across domains.

Privacy enhancements in Microsoft's newest Internet Explorer beta release don't guard against a stealthy technique that the company has begun using to track visitors to their own web sites, MSNBC.com, Expedia, bCentral, and others.

Through an elaborate shell game of browser redirection and URL encoding, visitors to these web offerings end up with the same unique identification number on each site, even if they've chosen to reject the "third-party cookies" used by Internet advertising agencies like DoubleClick and Engage Technologies to accomplish similar tracking. "It's quite clear that the whole point is to correlate use across domains," says Keith Little, a Lake Chelan, Wash., computer consultant who analyzed the technique. "Your tracking is going to be very thorough and very closely identifiable with some specific individual, or at least some computer."

"Microsoft is abusing its position of power to assign people a unique identifier across its many properties," says Jason Catlett, president of Junkbusters Corp. "They shouldn't do that without consent, and it certainly shouldn't be hidden behind some web server sleight of hand."

Catlett and other privacy advocates praised Microsoft earlier this month for their development of a new version of Internet Explorer that allows users a high level of control over cookies--small nuggets of data that web sites can deposit on a computer to identify it on return visits. While cookies have mostly innocuous uses, some web advertising firms deliver them with their ad banners in order to track a netizen's web use and feed them targeted advertising--a practice that has long troubled privacy proponents and wary consumers.

In its default configuration, the enhanced version of Internet Explorer 5.5 prompts users before accepting a cookie from a different domain, so a visitor to one web site will not unknowingly receive a cookie from another. The enhancements also make it easy to configure the browser to reject all such third-party cookies. "We've drawn the line between first and third-party cookies based on the idea that when you go to a web site you have a relationship with that site," says Microsoft spokesman Rick Miller. "The problem with these third-party cookies is that information is hidden and often times is being transferred to that third-party with the user's knowledge and consent."

Microsoft: We're not exempt
Once out of beta testing, if the privacy enhancements are incorporated into the standard distribution of the world's dominant web browser, they could shake up a multi-million dollar Internet advertising industry largely addicted to "Online Preference Marketing." "We believe there is a role for technology solutions in this area, but they should not be overbroad," worries Jeff Connaughton, a spokesman for Network Advertising Initiative, an advertising industry group now in talks with Microsoft about the changes.

The Computer and Communications Industry Association, a computer industry group that supports a Microsoft breakup, even sees a monopolistic tint in the browser change, pointing out that companies with a large number of sites under a single domain can use first-party cookies to do meaningful profiling. "It seems to be set up in a way in which its default configuration would benefit larger web sites, like Microsoft's, to the detriment of smaller web sites that use third-party cookies more," says the organization's Jason Mahler.

"Microsoft is not exempt from this policy, and will not be as we continue to work on this technology," answers Microsoft's Miller. "Currently, cookies are served based on domains. If you go to Microsoft.com and MSN tries to serve you a cookie, you'll be prompted" by the new browser, Miller says.

But while that's true of Microsoft.com, it does not hold for the sites on which Microsoft has implemented the innovative tracking technique.

"Surreptitious" Method
The technique works this way: When a user visits Expedia.com (for example), he or she is redirected to a server at MSID.MSN.com: a machine dedicated to generating and controlling globally unique identifiers (GUIDs), a type of identification number consisting of a long string of hexadecimal digits.

The MSID server generates an I.D. number for the new user, which it then places in a cookie accessible from the MSN.com domain, which the user is momentarily, albeit unknowingly, visiting. The server then directs the user's browser back to Expedia, but with the I.D. number tacked on to the URL, where the Expedia server can see it.

Expedia then sets a cookie of its own, this one for the Expedia.com domain, with the same I.D. number.

The Expedia server finishes the job by redirecting again, this time back to itself, but without the I.D. in the web address. "There's no reason to generate that last browser request, except to keep the user from seeing that I.D. number in the location bar at the top of the browser," Little says. "The whole thing is very surreptitious."

The entire process takes a fraction of a second, and is never visible to the user. Both the Expedia.com and MSN.com cookies are first-party cookies, but they contain the same identification number, and can be used to correlate visits between the two domains. When the user visits another Microsoft web site for the first time, he or she will once again be briefly redirected to MSID.MSN.com, which will read the I.D. number from the user's MSN.com cookie, and pass it back to the originating site to be copied to yet another cookie.

The technique does not, in and of itself, identify a user by name. In fact, it has no obvious advantages over the much simpler method of using third-party cookies sent with a graphics file, except that it will work with Microsoft's privacy enhanced browser, and with similar third-party cookie blocking features in Netscape and Opera browsers.

GUID Leak
Little, who has published a more detailed description of the technique on his web site, notes a privacy gaffe in Microsoft's implementation of the scheme: the Microsoft I.D. server obeys any properly formatted request to redirect a user to another URL, and appends the user's I.D. number in the process. This allows anyone to create a link to their own web page that will deliver them the Microsoft GUID of each visitor who follows it.
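The redirect chain and the leak described above can be modelled in a few lines. This is an added example, not code from the article or from Microsoft: the hostnames, the `ru` and `id` parameter names, and the return-URL allowlist are assumptions chosen for illustration. It shows every cookie ending up first-party with the same I.D., and an I.D. server that refuses return URLs outside its own member sites.

```python
import uuid
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed stand-ins: the article does not give the real URL format.
ID_HOST = "id.tracker.example"                      # plays the I.D. server
MEMBER_SITES = {"travel.example", "news.example"}   # plays the member sites

def id_server(jar, return_url, validate=True):
    """Set or read the I.D. cookie on ID_HOST, then redirect back with the
    I.D. appended. validate=False reproduces the leak: any URL is honoured."""
    if validate and urlparse(return_url).hostname not in MEMBER_SITES:
        return None                                 # refuse unknown destinations
    guid = jar.setdefault(ID_HOST, uuid.uuid4().hex)  # first-party on ID_HOST
    return f"{return_url}?{urlencode({'id': guid})}"

def first_visit(jar, site):
    """Run the chain for one member site; return every URL the browser requests."""
    home = f"https://{site}/"
    hops = [home]                                   # 1. user opens the site
    if site in jar:
        return hops                                 # already tagged: no chain
    hops.append(f"https://{ID_HOST}/?{urlencode({'ru': home})}")  # 2. bounce out
    tagged = id_server(jar, home)
    hops.append(tagged)                             # 3. back, I.D. in the URL
    jar[site] = parse_qs(urlparse(tagged).query)["id"][0]  # site's own cookie
    hops.append(home)                               # 4. clean URL hides the I.D.
    return hops

def demo():
    jar = {}                                        # cookie jar: domain -> value
    hops = first_visit(jar, "travel.example")
    first_visit(jar, "news.example")
    same_id = jar["travel.example"] == jar["news.example"] == jar[ID_HOST]
    outside = "https://other.example/collect"       # constructed non-member URL
    leaked = id_server(jar, outside, validate=False)  # behaviour the article reports
    refused = id_server(jar, outside)               # allowlisted behaviour
    return hops, same_id, leaked, refused

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Each cookie in the jar is set while the browser is on that cookie's own domain, which is why a filter keyed on third-party cookies never sees anything to block.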

While novel, Microsoft's redirection technique is not unheard of. A 1999 U.S. patent owned by Massachusetts-based Inforonics describes a very similar solution to the problem posed by browsers "configured to receive cookies from no other domains other than the domain in which the browser is currently accessing." A company spokesperson was unaware of Microsoft's system. CNET also holds a patent in the field.

Miller said Monday that he was aware of Microsoft's use of the technique, but had believed it would trigger the same prompt from the Internet Explorer public beta browser as an advertiser's cookie.
