Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Microsoft has shot dead zombie cookies after a string of bad publicity.
The move comes after a researcher highlighted Microsoft's use of the zombie cookies which are tracking systems that don't actually use cookies, but hold enough information to recreate cookies on a users' machine after deletion.
Jonathan Mayer, a researcher at Stanford University, said he noticed that a browser cookie that had been cleared was "respawned" on live.com - one of Microsoft's sites.
"We dug into Microsoft's cross-domain cookie syncing code and discovered two independent cookie mechanisms, one of which was respawning cookies," he said in a blog post.
"One of the foundational concepts in web security is the cookie same-origin policy: cookies can only be read and modified by the domain that set them," he said.
"If domains collaborate they can trivially circumvent the same-origin policy and share cookies with each other; this practice is called 'cookie syncing'," he added, explaining that Microsoft was legitimately using such syncing because it has multiple domains. He said Microsoft was using a cookie called an ETag, which manages caching and can respawn user identification data.
Microsoft investigation
Microsoft suggested it wasn't aware of the use of the tracking systems and "promptly investigated".
"We determined that the cookie behaviour he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," said Mike Hintze, associate general counsel for regulatory affairs, in a post on a Microsoft blog.
"We accelerated this process and quickly disabled this code," he said. "At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft."
He said Microsoft has no plans to "develop or deploy" more supercookies.
Other complaints
Microsoft didn't address Mayer's other complaints, however. The researcher said the company offers a way to opt out of behavioural advertising, but said the system only stops the ads from being displayed - not the user from being tracked.
"It does not remove its identifier cookies after a user has opted out, nor does it make any promise to stop tracking," he said.
Mayer also noted that the opt-out link was "invisible" for Chrome and Safari users, a problem the company has since rectified, he said.
"It is increasingly difficult to accept industry claims that recent negative discoveries reflect 'just a few bad apples'," Mayer added. "And it is more than a little troubling that a few research groups and occasional press coverage seem to be the only present checks on one of the most privacy-invasive industries in history."
Microsoft has yet to comment.
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.