
Zombie cookies etc?



How the Internet tracks you...


Here are some things that websites can do to bypass traditional privacy guards put in place by browsers. I wasn't aware of most of these until I started contracting for an advertising company.


1. Install a "zombie cookie." This cookie is designed to last forever, even after you clear your cache, history, and cookies. It can do this because it's stored in Flash, HTML5 local storage, Java, and maybe other places, and repopulates each storage location if any of them is found. (Though see below for a way to get rid of them.) Because of this last feature, the cookie propagates to all browsers installed on the same system if they share Flash/Java data (which generally happens if they're on the same user account).



2. Bypass the cross-domain AJAX restriction. There are a few well-known techniques to do this including JSONP and using an <img> tag to request a URL. This is significant because a poorly written website can be vulnerable to scripts which send form data to a third party without your knowledge.



3. Bypass the cross-frame restriction using either HTML5 postMessage or a hack involving document.location.hash (which one frame can use to write to another). This is significant because it means that advertisers can potentially read content (and possibly passwords, if they're unscrupulous) from the parent page and associate it with your ID, even when placed inside an iframe.



4. Query for particular URLs in your history. This is an interesting CSS trick, but here's the template:

a.link1 {background-image: url('http://server.com/url1-not-visited')}
a.link1:visited {background-image: url('http://server.com/url1-visited')}

Then in the HTML document, this link will query the URL:

<a class="link1" href="http://website.com"></a>


If the user has visited the website, a request will be made to






otherwise a request will be made to







And, of course, JavaScript allows a page to query many URLs quickly, refining its search pattern as it finds more matches.


5. Buy data from a third party. One of these parties is a company called Rapleaf, which maintains, probably through zombie cookies, a database of user identities and information about them. They can ascertain with some accuracy your age, sex, interests, and possibly more.



6. Determine your position to within a few meters. This is a new HTML5 feature (and properly designed so that you don't enable it by accident). The idea is that your browser looks for local wifi networks with known locations, then triangulates the location of your computer based on relative signal strengths.


Fortunately, it's really easy for Linux users to defeat any kind of long-term tracking. Just use strace to look for files opened in write-mode:

$ strace browser 2>&1 | grep '^open(.*WR'


Then use Git to version-control these files. (This defeated the Evercookie when I tried it.) Provided that you start with a clean browser installation, you won't be carrying around any zombie cookies. (It also has the advantage that you can use different Git branches to have different browser profiles.)







Here was a comment on the blog that might be interesting to all you Linux junkies-


Elazar Leibovich writes:


No. 3 — September 4th, 2011 at 11:06 am


s/strace/strace -e open/


Makes it quicker


And, what we can't tell you here is what you really don't want to know anyway...

Star Wars Analogy:

Stormtrooper: Let me see your identification.

Obi-Wan: [with a small wave of his hand] You don't need to see his identification.

Stormtrooper: We don't need to see his identification.

Obi-Wan: These aren't the droids you're looking for.

Stormtrooper: These aren't the droids we're looking for.

Obi-Wan: He can go about his business.

Stormtrooper: You can go about your business.

Obi-Wan: Move along.

Stormtrooper: Move along... move along.

Ignore it, there is nothing here...


"The struggle is always between the individual and his sacred right to express himself and the power structure that seeks conformity, suppression and obedience."

Link to comment
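
The strace step in the post above, as an added example that is not part of the original post or the quoted blog: a Python filter that lists the files a traced browser successfully opened for writing, which are the candidates to put under version control. It goes beyond the post's `^open(` pattern by also matching `openat()` (which current glibc uses to implement `open`) and the pid prefix that `strace -f` adds; the function name and the sample trace lines are constructed for illustration.

```python
import re
import sys

# One strace line for open()/openat(), with the optional pid prefix that -f adds.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'   # "[pid 4242] " or "4242 "
    r'open(?:at)?\('
    r'(?:[^",]+,\s*)?'                  # openat's dirfd argument, e.g. AT_FDCWD
    r'"((?:[^"\\]|\\.)*)",\s*'          # quoted path
    r'([\w|]+)'                         # flags, e.g. O_WRONLY|O_CREAT
    r'[^)]*\)\s*=\s*(-?\d+)'            # optional mode, then the return value
)
WRITE_FLAGS = {"O_WRONLY", "O_RDWR"}


def written_paths(lines):
    """Return the sorted, de-duplicated paths successfully opened for writing."""
    found = set()
    for line in lines:
        m = OPEN_RE.match(line)
        if not m:
            continue  # other syscalls, "<unfinished ...>" fragments, signals
        path, flags, ret = m.group(1), m.group(2), int(m.group(3))
        # A failed open (ret < 0) stored nothing, so it is not a persistence site.
        if ret >= 0 and WRITE_FLAGS & set(flags.split("|")):
            found.add(path)
    return sorted(found)


# Constructed sample trace (not captured from a real browser run).
SAMPLE = '''\
open("/home/u/.mozilla/firefox/p/cookies.sqlite", O_RDWR|O_CREAT, 0644) = 41
openat(AT_FDCWD, "/home/u/.macromedia/Flash_Player/#SharedObjects/X/site/ec.sol", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 57
[pid  4242] openat(AT_FDCWD, "/home/u/.mozilla/firefox/p/webappsstore.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = 58
openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 12
openat(AT_FDCWD, "/home/u/.cache/x.lock", O_WRONLY|O_CREAT|O_EXCL, 0600) = -1 EEXIST (File exists)
open("/home/u/.mozilla/firefox/p/cookies.sqlite", O_RDWR) = 41
'''

if __name__ == "__main__":
    # Assumed invocation (script name is hypothetical):
    #   strace -f -e trace=open,openat browser 2>&1 | python3 written_paths.py
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for p in written_paths(source):
        print(p)
```

Without `-f`, strace does not follow child processes, so writes made by plugin or content processes would not appear in the trace at all.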