Zombie Cookies

Rob Hitt
Jan 26, 2017


I recently presented a talk on where, why, and how HTTP cookies are used. The zombie cookie is one of the points I wanted to dive deeper into, to get to the bottom of these mysterious leftover crumbs.

If you’re unfamiliar with HTTP cookies in general, please download the presentation.

A zombie cookie is a cookie that is automatically regenerated even after the user clears or deletes cookies from their browser.

The trick is that a replica of the zombie cookie is stored somewhere outside the web browser’s dedicated cookie storage.

When a user deletes their cookies (or opts out of cookies), the tracking script reads the stored replica and writes it back into the user’s dedicated cookie storage. This makes zombie cookies painfully difficult to remove.

Where HTTP Cookies are stored on your computer:

  • Firefox - Documents and Settings\Windows login/user name\Application Data\Mozilla\Firefox\Profiles\profile folder
  • IE - Documents and Settings\<User name>\Local Settings
  • Chrome - Documents and Settings\<user name>\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies

Where the zombie cookie replica may be hidden on your computer:

  • Web history
  • HTTP ETags
  • Internet Explorer userData storage (starting with IE9, userData is no longer supported)
  • HTML5: Session Storage, Local Storage, Global Storage, Database Storage via SQLite
  • RGB values of auto-generated, force-cached PNGs, with the HTML5 Canvas tag used to read the pixels (the cookie) back out
  • Local Shared Objects (Flash cookies)
  • Silverlight Isolated Storage
  • Cookie syncing scripts that function as a cache cookie and respawn the MUID cookie
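The respawn mechanism described above depends on a replica of the cookie value sitting in one of the storage areas just listed. As an added example (not code from the original post or from any tracking library), the following check flags cookies whose value also appears in another store, which is what a defender would look for when auditing a page. In a browser you would pass `document.cookie` and snapshots of `window.localStorage` and `window.sessionStorage`; the sample inputs here are constructed so the logic also runs under Node.

```javascript
// Parse a document.cookie string ("a=1; b=2") into {name: value}.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Copy a Storage-like object (localStorage / sessionStorage) into a plain map.
function snapshotStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    out[key] = storage.getItem(key);
  }
  return out;
}

// Return one finding per cookie value that reappears in another store.
// Short values (< minLen) are skipped: "1" or "en" would match everywhere.
function findCookieReplicas(cookieString, stores, minLen = 8) {
  const cookies = parseCookies(cookieString);
  const findings = [];
  for (const [name, value] of Object.entries(cookies)) {
    if (value.length < minLen) continue;
    for (const [storeName, entries] of Object.entries(stores)) {
      for (const [key, stored] of Object.entries(entries)) {
        // Substring match also catches replicas wrapped in JSON or joined lists.
        if (typeof stored === 'string' && stored.includes(value)) {
          findings.push({ cookie: name, store: storeName, key });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: "uid" is mirrored into localStorage (raw and inside JSON),
// "lang" is short and benign, "session" has no replica.
const sampleCookies = 'uid=9f3c2a7b1e5d; lang=en; session=abcdef0123456789';
const sampleStores = {
  localStorage: { uid_backup: '9f3c2a7b1e5d', prefs: '{"id":"9f3c2a7b1e5d","theme":"dark"}' },
  sessionStorage: { lang: 'en' },
};
```

Running `findCookieReplicas(sampleCookies, sampleStores)` reports two replicas of `uid`, one in `uid_backup` and one inside the `prefs` JSON; ETag, Flash and canvas replicas are outside what page scripts can enumerate, so those need a proxy or a look at the browser's cache on disk.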

Is there a positive use case for zombie cookies?

The only legitimate use I’ve found for a zombie cookie is obtaining accurate counts of how many unique users visit a website. This works because there is always a persistent cookie on the specific browser identifying the unique user.

Controversy

Zombie cookies allow ad-serving companies to retrieve information such as a unique user ID so they can continue tracking personal browsing habits. Some zombie cookies even work across browsers on the same computer.

Verizon was using an online ad-serving agency called Turn, which Facebook, Google, and Yahoo also happen to use. Turn is a huge back-end processor of ads on websites, and it used zombie cookies to track the browsing habits of Verizon customers on their smartphones and tablets.

The issue is this: Turn executives said the only way users can opt out of this always-persistent cookie is to install an opt-out cookie on their machine.

Wait, so I’m telling you that to uninstall a cookie, a new zombie cookie needs to be installed?!

  • Turn said the opt-out cookie is not designed to prevent Turn from collecting data about a user.
  • This new zombie cookie only prevents Turn from showing targeted ads to that user.
  • The big issue? Tests showed that even Verizon users who installed the Turn opt-out cookie continued to receive the Turn tracking cookie as well.
  • After much criticism, Verizon has finally stopped using the zombie cookie.

Can any developer use a zombie cookie?

YES!

There’s an open source program called evercookie that you can use to build a zombie cookie.

https://github.com/samyk/evercookie

Evercookie is a JavaScript API that produces persistent, respawning cookies in a browser. In 2013, a top-secret NSA document leaked by Edward Snowden cited Evercookie as a method of tracking Tor users.

Big Brother and Big Sister are watching, my friends.
