IE lets through tough cookies
San Francisco, Sept 20: If you rely on the privacy settings in Microsoft’s Internet Explorer to control cookies on your computer, you may want to rethink that strategy.
Large numbers of Web sites, including giants like Facebook, appear to be using a loophole that circumvents IE’s ability to block cookies, according to researchers at CyLab at the Carnegie Mellon University School of Engineering.
A technical paper published by the researchers says that a third of the more than 33,000 sites they studied have technical errors that cause IE to accept their cookies even when the browser has been set to reject them. Of the 100 most visited destinations on the Internet, 21 had the errors, including Facebook, several of Microsoft’s own sites, Amazon, IMDB, AOL, Mapquest, GoDaddy and Hulu.

Cookies are used to store information about a user’s or computer’s Web use so that sites can customize that user’s experience, including which ads they see. So-called third-party or tracking cookies are placed not by the site visited but by other Web sites that have put content or advertising on the visited page. These cookies are typically persistent: they can stay on a computer for long periods and gather data about surfing habits, and they have long raised hackles among those concerned about privacy online.
The loophole lies deep in an exchange of data between browser and site. Normally, Internet Explorer checks a site’s stated privacy policy to see whether it is compatible with the browser’s own privacy settings.
This checking is done through “compact policies”: short machine-readable tokens (three- or four-letter codes that the site sends in an HTTP response header) which summarize the tomelike privacy policies that sites have written out in English. For illustrative purposes, imagine an interaction between browser and site that goes something like this:
Browser: I don’t allow cookies that store personally identifiable information that could be used to contact me without permission.
Site: I do have some cookies to place here, but none do that.
Browser: That sounds fine. Come on in.
Microsoft’s IE browser uses compact policies to block and control certain cookies by default with its “medium” privacy setting. Browsers like Chrome, Firefox and Safari have simpler cookie settings: instead of checking a site’s compact policy, they simply let people choose to block all cookies, block only third-party cookies or allow all cookies.
The loophole sites are using to evade IE’s cookie blocker lies in the way the browser evaluates a compact policy. Internet Explorer looks only for tokens that indicate a site lacks the right privacy protections; it does not check that the policy it received is valid. If it finds a compact policy with bad inputs, say tokens that are wrong or too few tokens to make up a proper policy (at least five), it finds nothing it recognizes as objectionable and simply lets the cookies install. In effect the check fails open: a malformed or meaningless policy gets a cookie through more easily than a truthful one that admits to tracking.
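To make the fail-open behavior concrete, the following JavaScript models the two ways such a compact-policy check can be built: the evaluation the article attributes to Internet Explorer, which looks only for objectionable tokens, and a fail-closed variant that refuses any policy it cannot parse as complete and valid. This is an added example, not code from the CyLab paper or from Internet Explorer. The token table is the P3P 1.0 compact-policy vocabulary; the “unsatisfactory” rule is a simplified stand-in for Microsoft’s medium-setting rule, the completeness rule (at least one token from each of the access, purpose, recipient and retention groups) is an assumption, and every sample header is constructed for the demo, not captured from any real site. It runs under Node.js.

```javascript
// Added example: two ways of evaluating a P3P compact policy (CP) sent in the
// P3P response header. Not IE's code. The "unsatisfactory" rule is a simplified
// stand-in for Microsoft's medium-setting rule, the completeness rule is an
// assumption, and every sample header below is constructed for the demo.

// P3P 1.0 compact-policy tokens by group. Purpose and recipient tokens may carry
// an 'a' (always), 'i' (opt-in) or 'o' (opt-out) suffix; no suffix means always.
const TOKEN_GROUPS = {
  access:    ['NOI', 'ALL', 'CAO', 'IDC', 'OTI', 'NON'],
  disputes:  ['DSP'],
  remedies:  ['COR', 'MON', 'LAW'],
  nonident:  ['NID'],
  purpose:   ['CUR', 'ADM', 'DEV', 'TAI', 'PSA', 'PSD', 'IVA', 'IVD', 'CON', 'HIS', 'TEL', 'OTP'],
  recipient: ['OUR', 'DEL', 'SAM', 'UNR', 'PUB', 'OTR'],
  retention: ['NOR', 'STP', 'LEG', 'BUS', 'IND'],
  category:  ['PHY', 'ONL', 'UNI', 'PUR', 'FIN', 'COM', 'NAV', 'INT', 'DEM', 'CNT',
              'STA', 'HEA', 'PRE', 'LOC', 'GOV', 'OTC'],
  test:      ['TST'],
};
const KNOWN = new Set(Object.values(TOKEN_GROUPS).flat());
// Assumption for the strict checker: a complete policy covers at least these groups.
const REQUIRED_GROUPS = ['access', 'purpose', 'recipient', 'retention'];

// Tokens whose combination we treat as "identifiable data used without consent".
// Simplification of the IE medium-setting rule, not Microsoft's exact list.
const IDENTIFIABLE = new Set(['PHY', 'ONL', 'GOV', 'FIN']);
const NEEDS_CONSENT = new Set(['CON', 'TEL', 'OTP', 'SAM', 'OTR', 'UNR', 'PUB', 'DEL']);

// Pull the CP="..." value out of a P3P header and split it into tokens.
// Returns null when there is no compact policy at all.
function parseCompactPolicy(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  if (!m) return null;
  return m[1].trim().split(/\s+/).filter(Boolean).map((raw) => {
    const t = /^([A-Za-z]{3})([aio])?$/.exec(raw);
    const base = (t ? t[1] : raw).toUpperCase();
    const suffix = t && t[2] ? t[2].toLowerCase() : '';
    return { raw, base, suffix, known: KNOWN.has(base) };
  });
}

// True when the policy says identifiable data is collected and some purpose or
// recipient token lacks an opt-in/opt-out suffix.
function isUnsatisfactory(tokens) {
  const identifiable = tokens.some((t) => IDENTIFIABLE.has(t.base));
  const withoutConsent = tokens.some(
    (t) => NEEDS_CONSENT.has(t.base) && t.suffix !== 'i' && t.suffix !== 'o');
  return identifiable && withoutConsent;
}

// Well-formedness: every token is a real P3P token and each required group is covered.
function isWellFormed(tokens) {
  if (!tokens.every((t) => t.known)) return false;
  return REQUIRED_GROUPS.every((g) =>
    tokens.some((t) => TOKEN_GROUPS[g].includes(t.base)));
}

// Fail-open evaluation, as the article describes IE's check: block when there is
// no compact policy or when objectionable tokens are present; otherwise allow,
// without ever asking whether the policy is well formed.
function failOpenDecision(headerValue) {
  const tokens = parseCompactPolicy(headerValue);
  if (tokens === null) return 'block';
  return isUnsatisfactory(tokens) ? 'block' : 'allow';
}

// Fail-closed evaluation: anything that is not a complete, valid policy is treated
// exactly like having no policy at all.
function failClosedDecision(headerValue) {
  const tokens = parseCompactPolicy(headerValue);
  if (tokens === null || !isWellFormed(tokens)) return 'block';
  return isUnsatisfactory(tokens) ? 'block' : 'allow';
}

// Constructed sample P3P header values (not captured from any real site).
const SAMPLES = {
  benign:   'CP="NOI DSP COR NID CURa ADMa DEVa OUR NOR"',  // honest, no PII
  tracking: 'CP="NOI DSP COR PHY ONL CON TEL OTR UNR BUS"', // honest, admits tracking
  prose:    'CP="This site does not have a P3P policy"',    // English text, not tokens
  tooShort: 'CP="NOI"',                                      // too few tokens
  missing:  null,                                            // no P3P header at all
};

for (const [name, header] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(9), 'fail-open:', failOpenDecision(header).padEnd(5),
              'fail-closed:', failClosedDecision(header));
}
```

The run shows the asymmetry the researchers describe: the honest policy that admits to tracking is blocked by both checkers, while the English-sentence “policy” and the one-token policy sail through the fail-open checker because they contain nothing it recognizes as bad. The fail-closed variant closes the loophole by treating an unparseable or incomplete policy the same way IE already treats a missing one.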