Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Internet Explorer SuperCookies bypass P3P and cookie controls

From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 15 Jan 2002 09:59:40 -0500
Introduction
------------

There is a significant privacy problem with Internet Explorer 
because of a design flaw in the Windows Media Player (WMP).  Using 
simple Javascript code on a Web page, a Web site can grab the 
unique ID number of the Windows Media Player belonging
to a Web site visitor.  This ID number can then be used just 
like a cookie by Web sites to track a user's travels around 
the Web.  

However this ID number becomes a SuperCookie because it can be used 
by Web sites to bypass all of the new privacy and P3P protections 
that Microsoft has added to Internet Explorer 6 (IE6).  IE6 ships 
today with all Windows XP  systems.  SuperCookies also work in all 
previous versions of Internet Explorer with all older versions of 
Windows.

Some of the other features of SuperCookies include:

   - There appears to be no method of blocking 
     SuperCookies from a Web site except to uninstall
     Windows Media Player or to turn off JavaScript.

   - All Web sites get the same ID number so they
     can easily exchange information about a user
     much like third-party cookies are used today
     by ad networks and Internet marketing companies.

   - Even if someone is using a cookie blocker add-in,
     SuperCookies will still work.
     
   - If a user has deleted cookies from his or her computer
     to stop tracking, a Web site can restore an
     old cookie value from this ID number.  Once the
     cookie value has been restored, new tracking data
     can be combined with tracking data that was 
     previously collected by the Web site.


Demo Page
---------

I've set up a simple demo page that shows the
issue:

   http://www.computerbytesman.com/privacy/supercookiedemo.htm

This demo stills works even if the WMP option "Allow 
Internet sites to uniquely identify your player" is 
turned off.  This option controls when the WMP ID number
is given out to Web sites when downloading streaming audio
or video files, but does not appear to stop JavaScript 
programs from getting this number.


Technical Details
-----------------

When the Windows Media Player is installed on a computer, a 
unique ID number in the form of a GUID is assigned to the player. 
This ID number is stored in the Windows registry.  The ActiveX 
interface to the Windows Media Player allows any JavaScript 
Program to retrieve the ID number using the property "ClientID".

The following example HTML and JavaScript code illustrates how 
easy it is to retrieve the ID number:

<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95" 
ID=WMP WIDTH=1 HEIGHT=1></OBJECT>

<script>
alert(document.WMP.ClientID);
</script> 

Once the ID number is available to a JavaScript program, it can 
be sent back to a Web site either by appending it to the URL 
of a Web bug or storing it in regular Web browser cookie.


Recommendations for Microsoft
-----------------------------

I originally notified Microsoft of this problem in 
March 2001.

One solution to this problem is for Microsoft to remove 
the ClientID property from the WMP ActiveX control.  For 
compatibility with existing JavaScript code, Microsoft may have 
to keep the property around, but always have it return a 
GUID of all zeros for all users.

An even better idea might be to remove the WMP player
ID number altogether and have WMP instead use the standard 
cookie mechanism of Internet Explorer.

Richard M. Smith
http://www.computerbytesman.com
Previous By Date Next
Previous By Thread Next

Current thread: