'Zombie cookies' won't die: Microsoft admits use, HTML5 looms as new vector

Despite lawsuits, bad publicity, and Adobe's promise to end their use in Flash, zombie cookies persist and could find a new host in HTML5

One year ago this week, I wrote about zombie cookies, describing how Disney, MySpace, and NBC Universal had just been sued for using zombie cookies to track people even if they have gone to great lengths to disable, block, or delete cookies. Seven months ago, I mentioned that Adobe had taken up the pitchfork and vowed to make Flash zombie cookies a thing of the past.

So it's pretty shocking that Jonathan Mayer, a Stanford researcher, caught Microsoft using both a cache-based zombie cookie and a more advanced type of persistent "supercookie" to track folks even if they blocked or deleted browser cookies. Microsoft surreptitiously tracked users who had the temerity to visit MSN.com (in the United States, Canada, and Spain), the U.S. English home page of www.microsoft.com, or the Microsoft Store.

Perhaps even scarier as HTML5 gains traction: its local storage is a useful feature, but one wide open to abuse for things like zombie cookies. And Internet Explorer's InPrivate Browsing, Firefox's Private Browsing, and Chrome's Incognito mode won't protect you from the ETag form of zombie cookies or from HTML5-based zombies.

The controversy over zombie cookies continues to play out in the courts as well. Hulu and Web-tracking company Kissmetrics were sued last month (PDF) for using the ETag technique in a zombie redux uncovered by University of California at Berkeley researchers, according to Jennifer Granick at ZwillGen. That case came despite the legal warning issued last year when Clearspring and Quantcast, the primary defendants in the first zombie cookie class-action lawsuit, settled last December and paid $2.4 million for their transgressions.

As for Microsoft getting caught with its hand in the zombie cookie jar, the company was quick to disavow the behavior, as Computerworld reported. Mike Hintze, Microsoft's associate general counsel, said, "We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued."

Indeed.

Mayer found two zombielike mechanisms, both implemented by a script called wlHelper.js. By design, wlHelper.js is supposed to make it possible for Microsoft to track a user across several different Microsoft domains. There's nothing particularly fattening, illegal, or immoral about that -- but making the cookies persistent put Microsoft's behavior in a decidedly gray area.

The first approach creates a cookie, then sticks a copy of the cookie along with wlHelper.js in the browser's cache. If the user deletes the cookie but doesn't clear the browser cache, wlHelper.js jumps back and re-creates the cookie.

The second approach, called ETags, uses a clever trick to store the cookie in the browser cache: the server hands the browser a bogus "version number" (an ETag, the cache validator the browser sends back on later requests for the same resource), and that number can be read back later. Once again, if the user deletes the cookie but doesn't clear the browser cache, wlHelper.js is smart enough to rebuild the old cookie from the bogus version number. According to Mayer, this technique was first observed in the wild just two weeks ago.
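To make the two paragraphs above concrete, here is an added model (not Microsoft's wlHelper.js and not Mayer's tooling; the server, browser, URL and body are constructed) of the ETag respawn and of the audit check that catches it: an honest server's ETag is derived from the content and is the same for every visitor, whereas a tracking server hands each fresh visitor a different ETag for identical bytes, and only clearing the cache, not the cookies, breaks the identifier.

```python
import hashlib
from itertools import count

URL = "https://example.invalid/wlHelper.js"  # placeholder, not a real site
BODY = b"/* shared script body (constructed) */"

class HonestServer:
    """Normal caching: the ETag is derived from the content, identical for everyone."""
    def get(self, if_none_match=None):
        etag = hashlib.sha256(BODY).hexdigest()[:16]
        if if_none_match == etag:
            return 304, etag, None
        return 200, etag, BODY

class TrackingServer:
    """Misuse from the article: a per-client id is issued as the ETag and echoed back."""
    def __init__(self):
        self._ids = count(1)
    def get(self, if_none_match=None):
        if if_none_match is not None:  # browser revalidated: recognise it
            return 304, if_none_match, None
        return 200, f"uid-{next(self._ids)}", BODY

class Browser:
    """Minimal cookie jar plus cache; the page script rebuilds the cookie from the ETag."""
    def __init__(self):
        self.cookies, self.cache = {}, {}
    def fetch(self, server):
        etag, body = self.cache.get(URL, (None, None))
        status, new_etag, new_body = server.get(etag)  # sends If-None-Match
        self.cache[URL] = (new_etag, body if status == 304 else new_body)
        self.cookies.setdefault("uid", new_etag)  # the "zombie" step
        return self.cookies["uid"]
    def clear_cookies(self): self.cookies.clear()
    def clear_cache(self): self.cache.clear()

def etag_survives_cookie_deletion(server, also_clear_cache=False):
    """True if the same identifier comes back after the user deletes cookies."""
    b = Browser()
    before = b.fetch(server)
    b.clear_cookies()
    if also_clear_cache:
        b.clear_cache()
    return b.fetch(server) == before

def etag_looks_like_tracker(server, clients=3):
    """Audit heuristic: identical bytes but different ETags across fresh clients."""
    responses = [server.get() for _ in range(clients)]
    return len({r[2] for r in responses}) == 1 and len({r[1] for r in responses}) > 1
```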

Mayer found copies of wlHelper.js in these sites:

  • http://www.microsoft.com/en-us/default.aspx
  • http://www.microsoftstore.com/store/msstore/DisplayHomePage
  • http://www.msn.com
  • http://ca.msn.com
  • http://es.msn.com

If you visited one of those sites, wiped out your cookies, and then visited another, your cookies came back.

This story, "'Zombie cookies' just won't die: Microsoft admits use, and HTML5 looms as new vector," was originally published at InfoWorld.com.
