New, Undeletable, Web Cookie

A couple of weeks ago Wired reported the discovery of a new, undeletable, web cookie:

Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded — even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.

The Wired article was very short on specifics, so I waited until one of the researchers — Ashkan Soltani — wrote up more details. He finally did, in a quite technical essay:

What differentiates KISSmetrics apart from Hulu with regards to respawning is, in addition to Flash and HTML5 LocalStorage, KISSmetrics was exploiting the browser cache to store persistent identifiers via stored Javascript and ETags. ETags are tokens presented by a user’s browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their ‘km_ai’ user cookies.

Posted on August 15, 2011 at 4:48 AM • 74 Comments