Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies won the Distinguished Paper prize at this year's Usenix Security Conference; its authors, researchers at Belgium's Catholic University in Leuven, revealed a host of devastating, never-seen tracking techniques for identifying web-users who were using privacy tools supplied by browser-vendors and third-party tracking-blocking tools.



The techniques the KU Leuven team identified allowed them to track users across sites by means of the Appcache API; "lesser-known HTML tags"; the Location response-header; various <meta> redirects; Javascript in PDF tables, Javascript's location.href property; and through service workers.

These techniques bypassed the stock browser privacy protections, including the latest, most extensive privacy settings in Firefox; they also worked against popular cookie-blocking/ad-blocking/script-blocking browser extensions.

The good news is that the researchers found no evidence of these techniques being exploited in the wild and they tipped off the browser vendors before going public, which means that we can hope that future browsers will be better equipped to defend against these tactics. The bad news is that until then, we're all vulnerable to unscrupulous websites using these tactics to track us everywhere.

Here's the researchers' catalog of exploits with suggested countermeasures.



To help keep users safe, researchers not only reported bugs to browser vendors but also proposed solutions for rectifying browser APIs and tools to counteract the newly discovered bypasses. These bug reports are documented on a website located at: wholeftopenthecookiejar.eu. The portal also includes a breakdown of each test researchers carried out against each browser, extensions, and what version. The framework used for these tests is also available on GitHub. The KU Leuven academics also warned that the new "same-site cookies" security feature that's been recently added to Firefox, and will most likely spread to other browsers, will not prevent the bypasses they discovered.

Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies [Gertjan Franken, Tom Van Goethem & Wouter Joosen/Catholic University in Leuven]

Academics Discover New Bypasses for Browser Tracking Protections and Ad Blockers [Catalin Cimpanu/Bleeping Computer]

(Image: Usenix Security)