#Cookies: Pr@ctic3 SAf3 Snackz
The Web Has A Way Of Keeping Track Of You
When you visit a website to do your online banking, you may need to enter your login information. Your web browser can actually remember your login name and even your password so that you don’t have to type anything the next time. This usually happens when you check the option to “Remember me”. It is very convenient: with one click you are in without needing to type your credentials. That is thanks to cookies, data files stored locally on a user’s computer that contain settings from websites. That doesn’t sound quite so convenient any more once security could be an issue. What if the cookie was copied by another user? That is definitely not what we want to happen.
Cookies were meant to provide websites with stateful information about their visitors. That would be the user who visited the website to perform their usual tasks, like in our example of online banking. A cookie is part of the HTTP protocol used on the world wide web. Cookies were meant to improve the user’s web experience by allowing the browser to remember specific settings from the last visit (stateful information). Later cookies were developed to collect data about the user, including their login name and password. The data is written inside the cookie file and read by the website via the web browser to process specific data that it contains.
A Deeper Look At Cookies
Cookies are set from the website a user visits and saved as a file on the local computer or device. The data contains stored information about the user, including their activity and usage on the website. Most of this information that is used for tracking was meant to improve user experience and provide analytics back to the website’s developers. This is probably not a big issue to most users, since the data is used by the website for good intents and purposes.
On a Mac (macOS X 10.x.x and higher) the Chrome browser stores cookies in the path:
/Users/vince/Library/Application\ Support/Google/Chrome/Default/Cookies
On Windows computers the path is:
C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default
The cookie file is an SQLite3 database, a self-contained, zero-configuration format. SQLite is an open source database that developers can access.
An example entry inside a cookie file could be to remember a particular visitor who visited a website.
UserID A9A4BECE1563883D cookiemonster.com
In the example, the website domain ‘cookiemonster.com’ sets a name value pair of UserID and the value A9A4BECE1563883D. When the web server retrieves this information they can apply settings based on the last visit among other things.
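Because the cookie store is an ordinary SQLite database, you can audit your own cookies with a few lines of code. The following is an added example, not part of the original article: it builds a small constructed database with a subset of the columns Chrome uses in its cookies table (the exact schema varies by Chrome version, so treat the column list as an assumption) and reports cookies that lack the Secure or HttpOnly flags or that persist for more than a year. The hosts other than cookiemonster.com are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 UTC.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time(us):
    return CHROME_EPOCH + timedelta(microseconds=us)

def to_chrome(dt):
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)

def build_sample_db(now):
    """Constructed sample data; column subset is an assumption, values omitted."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE cookies (host_key TEXT, name TEXT,
                  expires_utc INTEGER, is_secure INTEGER,
                  is_httponly INTEGER, is_persistent INTEGER)""")
    rows = [
        ("cookiemonster.com", "UserID", to_chrome(now + timedelta(days=730)), 0, 0, 1),
        ("shop.example", "cart", 0, 1, 1, 0),  # session cookie, no expiry
        ("bank.example", "session", to_chrome(now + timedelta(hours=1)), 1, 1, 1),
    ]
    db.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?)", rows)
    return db

def audit(db, now, max_days=365):
    """Return (host, name, issues) for every cookie with a weak setting."""
    findings = []
    query = """SELECT host_key, name, expires_utc, is_secure, is_httponly,
               is_persistent FROM cookies ORDER BY host_key, name"""
    for host, name, expires, secure, httponly, persistent in db.execute(query):
        issues = []
        if not secure:
            issues.append("no Secure flag")      # may travel over plain HTTP
        if not httponly:
            issues.append("no HttpOnly flag")    # readable by page scripts
        if persistent and chrome_time(expires) - now > timedelta(days=max_days):
            issues.append("lifetime over %d days" % max_days)
        if issues:
            findings.append((host, name, issues))
    return findings

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for host, name, issues in audit(build_sample_db(now), now):
        print(host, name, "; ".join(issues))
```

To run the audit against a real profile, point `sqlite3.connect` at a copy of your own Cookies file taken while the browser is closed, and adjust the column names to match your browser version.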
Cookies can be helpful to users in many ways other than just remembering settings from the last visit. On e-commerce websites, cookies can be set to remember purchases by the visitor so they don’t have to re-enter an order from their last visit. Cookies also track the contents of a shopping cart to keep the state of that session visit alive. If the user accidentally hits refresh, the items could all disappear but with cookies it can remember those items.
There are different purposes for cookies. They can keep track of different things that visitors do on a website. There are session trackers which keep track of user login and personal preferences which can be persistent data. There are activity trackers which monitor the parts of the website a visitor goes to the most and other features of the website a visitor often uses. Then there are item trackers, which keep stateful data important for online shopping websites that use carts.
Another example where cookies are used is Internet searches. Google uses cookies to track searches on the popular search engine service for analytic purposes. According to Google:
“Google uses cookies like NID and SID to help customize adverts on Google properties, such as Google Search. For example, we use such cookies to remember your most recent searches, your previous interactions with an advertiser’s adverts or search results and your visits to an advertiser’s website.”
Threats And Risks
Cookies are data structures that do not have executable code or scripts. They do not carry a payload themselves, but they can be used as part of an attack. They contain data which hackers can use to access personal information about a user. The danger here is the threat of a hacker hijacking a user’s browsing session using the cookie. If the cookie holds logins to websites, the hacker can use that to access a user’s e-mail, online banking and even online shopping session.
Another thing website operators use cookies for is to track which websites a visitor goes to. The cookie can track the visit from a particular URL which the website can then store to a database. This type of tracking is used by marketing firms to find out which websites users visit after going to their website. It is not always nefarious because it can be just for analytic purposes.
Users can disable cookies, but that would change the user experience. Before going on a “cookie diet” there are some important things to know. Cookies are required on certain websites, but not all. Computer security company Norton has a guide on how to disable or delete cookies on your computer. Be careful though, because after deleting cookies your browser could suddenly behave strangely. If a certain background you were used to seeing on a website disappears, it was probably due to deleting the cookie information about that setting. Some websites that a user normally logs in to may require the username and password again.
To minimize the amount of personal data stored in cookies, don’t allow a website to remember your username and password. While your actual username and password are not stored in plain text in the cookie (they should not be, first of all), it contains an encoding of that data that is sent to the website for authentication. Instead of setting that in the cookie, use a password manager. Browsers like Chrome and Safari have this feature. Another browser feature allows users to clear their cookie cache, which is in the storage location of temporary files. This can be done in the browser’s Settings menu option. In Chrome it is under Privacy and security -> Cookies and other site data and “Cached images and files”. This deletes the cookies from your browser.
To further protect users who have cookie information set by a website, forced logout and cookie expiration can be set. In the event a cookie is hijacked, these measures can foil access attempts by unauthorized users. These attempts can also be foiled by 2FA (Two-Factor Authentication) or by requiring re-authentication of a user who is trying to log in from a different computer.
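The measures above, seen from the website’s side, as an added example that is not part of the original article: the cookie carries only a random session ID with a short lifetime and the Secure, HttpOnly and SameSite attributes, while the server enforces expiration, forced logout and re-authentication from a new device. The timeout values and the `device` identifier are assumptions chosen for illustration.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 hours since login

class SessionStore:
    """Server-side session table; the cookie only carries a random ID."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, device, now):
        sid = secrets.token_urlsafe(32)   # unguessable, holds no credentials
        self._sessions[sid] = {"user": user, "device": device,
                               "created": now, "last_seen": now}
        return sid

    def set_cookie_header(self, sid):
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["max-age"] = IDLE_TIMEOUT   # browser drops it on expiry
        cookie["sid"]["path"] = "/"
        cookie["sid"]["secure"] = True            # HTTPS only
        cookie["sid"]["httponly"] = True          # hidden from page scripts
        cookie["sid"]["samesite"] = "Strict"      # not sent cross-site
        return cookie["sid"].OutputString()

    def validate(self, sid, device, now):
        session = self._sessions.get(sid)
        if session is None:
            return "rejected: unknown or logged-out session"
        if (now - session["created"] > ABSOLUTE_TIMEOUT
                or now - session["last_seen"] > IDLE_TIMEOUT):
            del self._sessions[sid]               # server-side expiration
            return "rejected: expired"
        if device != session["device"]:
            return "reauth: new device"           # copied cookie is not enough
        session["last_seen"] = now
        return "ok"

    def force_logout(self, user):
        """Invalidate every session of a user, e.g. after a reported theft."""
        stale = [s for s, v in self._sessions.items() if v["user"] == user]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)
```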
Malicious Cookies
Not all cookies are good, unfortunately. First party cookies are often from legitimate websites that just want to improve their visitor’s user experience. There are also third party cookies from rogue websites that set visitors up for other activities. This can be for targeted ads or more sinister purposes. Certain ad banners are notorious for targeting visitors with ads that are actually schemes that attempt to defraud with bogus products. They set cookie data to track potential visitors so they can be targeted with new ads in the future.
Some cookies want to track a visitor’s browsing history and use this data for analytics. It can either be used for good or bad purposes. Sometimes ad buyers want to engage users to make money for another party by making the users click on ads (clickbait). The use of cookies here allows them to track the users.
There are also what are called zombie cookies, which persist on a user’s computer or device. These are the type to be aware of because they can cause harm to the computer or device. They are called zombies because they are like the “living dead”. They can suddenly come back after being deleted. One exploit where zombies first originated was from the Adobe Flash storage bin (a security flaw).
The problem with cookies that track users across websites is that they can be used to manipulate content. When a user’s visiting pattern is learned, websites can control how they display information. A certain website can learn a lot about a visitor’s behavior to make new suggestions and even to target ads for products a visitor likes. This can be a form of manipulation through ads and sales to get a user’s attention and monetize that engagement.
The Cookie Law
Many jurisdictions around the world, like the US and EU, have laws regarding cookies. There is privacy legislation which requires websites to first get consent from visitors to store or retrieve any information on a computer, smartphone or tablet. The website must meet compliance regarding the collection of user data by issuing a disclosure to the visitor with a Terms of Service (TOS) and Privacy Policy. This is required, otherwise the website owner faces fines if they allow access to visitors without disclosing data collection from cookies. Websites must inform their visitors how they collect user data set in cookies.
This is part of an EU directive (May 2011) that gave individuals the right to refuse the use of cookies which reduce online privacy. Other jurisdictions have followed, so you will now see a message displayed on most websites disclosing how they collect user data. You can agree and the website sets the cookie. Otherwise, a user can opt out and not be tracked or provide any data. That just affects user experience for the most part. Other websites will use cookies regardless of whether a visitor agrees or not, but they state that in a TOS and Privacy Policy. In this case, if visitors don’t want to provide any data, they can just leave the website.
Synopsis
The purpose of cookies was to improve the user experience for visitors to websites. The problem with banning or deleting all cookies is that it can make navigating the web more difficult. For example, when you don’t allow a cookie to be set, it could take you longer to access a website that needs to gather data about your browser, network ID and operating system. If that was set in a cookie, the website will know right away. It is for the convenience of the user for the most part, but to the website it is about analytics or data collection.
A better solution is to enable cookies, but limit the amount of data being shared. You can still disallow websites from setting cookies if you don’t want them to. For online shopping sites use password managers for credentials but allow cookies to be set for item tracking for your convenience. That is if you don’t want the website to lose track of your shopping cart items during your session (cookies track this). Cookies are like beacons too, they track when you visit the website and whether you are active or not. This is required by websites that collect analytics in order to properly report information. For example, Medium needs to track users to see if they are reading an article and check whether there is engagement with a story to properly set the value in an article when paying writers.
Use Internet security software (e.g. antivirus) which can detect malicious cookies. Another layer of defense comes from browsers, which include control settings that allow users to decide whether to accept or opt out of cookies. The Firefox browser provides an option to delete zombie cookies (aka flash cookies). This is why cybersecurity software matters. With antivirus software, cookies that are setting up data for malware can also be detected and prevented.
For the most part cookies are safe when they come directly from the website (first party cookies). They are delicious too with a tall glass of cold milk. Just be careful about cookies generated outside of the main website. It is the third party cookies being requested that need to be scrutinized. If a user is not sure, the best thing to do is to not accept the cookie and further research whether it is needed by the website. Reject the cookie, but you can still have your fresh milk.