Watch Out for Hidden Cookies
By now, most of us are aware of the potential privacy risks posed by Web cookies. But according to a new paper published by security consultancy iSec Partners, traditional browser-based cookies aren't the only technology used to store user data anymore. A number of browser plug-ins offer similar capabilities -- and because plug-ins are nonstandard browser components, users are often unaware that these silent conversations are even taking place.
Browser cookies are invaluable for storing things like usernames and shopping cart contents between e-commerce sessions, among many other legitimate uses. But cookies can also give Web sites the ability to track your surfing habits for the purpose of data mining or other, more malicious goals. That's why modern browsers give users fine-grained control over their cookies -- we can view them, delete them, or even block them completely. These controls don't apply to plug-ins, however, which add nonstandard features outside the customary browser UI.
The paper cites Google's Gears as one example of a plug-in that can mimic cookies. While in general it gives Gears high marks for walling off users' data from unwanted accesses, it also cautions that users might not fully understand how to specify what data Gears is allowed to store. Gears always asks you if you permit it to talk to a given Web site, but it will only ask once. If you later decide that you'd like to disable Gears for that site, you have to remove the site from a list via a special control panel. Your browser's normal privacy settings have no effect on Gears' behavior.
The paper was even more critical of Adobe's Flash plug-in, which it says will store persistent data on the local PC without notifying the user. Furthermore, the paper says this data will be available across any and all Web browsers the user might launch, even ignoring the "private modes" (otherwise known as "porn modes") of modern browsers. Adobe publishes a Web page that allows you to view and edit the cookie-like data stored by the Flash plug-in, but there is no way to access this data from within the browser's normal menu hierarchy.
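The cross-browser behaviour described above follows from where Flash Player keeps its data: not in any browser's cookie jar, but in a `#SharedObjects` directory in the user's profile, one sub-tree per site host, as `.sol` files (Local Shared Objects). The script below is an added example, not code from the article, the iSec paper or Adobe. It walks that directory, reports which hosts hold data and how much, and decodes the `.sol` header so the stored object's name is visible. The per-OS directory locations are the ones Flash Player used on Windows, macOS and Linux; the header layout is the well-documented `00 BF`/`TCSO` format. The sample tree it builds when no real directory is present is constructed for the demo (the profile id, hosts and object names are made up).

```python
"""Audit Flash Player Local Shared Objects ("Flash cookies") on disk.

Added example: lists which site hosts have persistent Flash data and decodes
the .sol header. Run with no arguments to scan the usual profile locations,
or pass one or more #SharedObjects directories explicitly.
"""
import os
import struct
import sys
import tempfile
from pathlib import Path


def default_shared_objects_roots() -> list:
    """Well-known per-OS locations of Flash Player's #SharedObjects directory."""
    home = Path.home()
    roots = [
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
    ]
    if os.environ.get("APPDATA"):                                              # Windows
        roots.append(Path(os.environ["APPDATA"]) / "Macromedia/Flash Player/#SharedObjects")
    return [r for r in roots if r.is_dir()]


def parse_sol_header(data: bytes) -> dict:
    """Decode the fixed .sol header.

    Layout: 00 BF | 4-byte big-endian length of everything after byte 6 |
    "TCSO" | 00 04 00 00 00 00 | 2-byte name length | object name |
    4 bytes (00 00 00 00 = AMF0, 00 00 00 03 = AMF3) | AMF-encoded properties.
    """
    if len(data) < 18 or data[0:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise ValueError("not a Flash Local Shared Object")
    body_len = struct.unpack(">I", data[2:6])[0]
    name_len = struct.unpack(">H", data[16:18])[0]
    name = data[18:18 + name_len].decode("utf-8", "replace")
    amf_version = data[18 + name_len + 3]
    return {
        "name": name,
        "amf_version": amf_version,
        "length_consistent": body_len + 6 == len(data),
    }


def audit_shared_objects(root: Path) -> dict:
    """Return {host: {"files": n, "bytes": total, "objects": [names]}}.

    On-disk layout is root/<random profile id>/<host>/<path...>/<name>.sol;
    the host directory is what ties the data to a site, independent of browser.
    """
    report = {}
    for profile in (root.iterdir() if root.is_dir() else []):
        if not profile.is_dir():
            continue
        for host_dir in profile.iterdir():
            if not host_dir.is_dir():
                continue
            entry = report.setdefault(host_dir.name, {"files": 0, "bytes": 0, "objects": []})
            for sol in host_dir.rglob("*.sol"):
                entry["files"] += 1
                entry["bytes"] += sol.stat().st_size
                try:
                    entry["objects"].append(parse_sol_header(sol.read_bytes())["name"])
                except (ValueError, IndexError):
                    entry["objects"].append("<unparseable>")
    return report


def _amf0_string_prop(key: str, value: str) -> bytes:
    """One AMF0 string property as stored in a .sol body: key, 0x02 marker, value, 0x00 end."""
    k, v = key.encode("utf-8"), value.encode("utf-8")
    return struct.pack(">H", len(k)) + k + b"\x02" + struct.pack(">H", len(v)) + v + b"\x00"


def build_sample_sol(name: str, amf0_properties: bytes) -> bytes:
    """Constructed .sol file (AMF0 body) used only to build the demo tree."""
    name_b = name.encode("utf-8")
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(name_b)) + name_b
            + b"\x00\x00\x00\x00" + amf0_properties)
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


def make_demo_tree() -> Path:
    """Constructed #SharedObjects tree for two made-up sites; returns its root."""
    root = Path(tempfile.mkdtemp()) / "#SharedObjects"
    profile = root / "X7Q2K9PL"  # constructed profile id
    files = {
        profile / "tracker.example" / "id" / "visitor.sol":
            build_sample_sol("visitor", _amf0_string_prop("uid", "a1b2c3")),
        profile / "shop.example" / "cart.sol":
            build_sample_sol("cart", _amf0_string_prop("sku", "1234")),
        profile / "shop.example" / "prefs.sol":
            build_sample_sol("prefs", _amf0_string_prop("lang", "en")),
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or default_shared_objects_roots() or [make_demo_tree()]
    for root in roots:
        print(f"== {root}")
        for host, info in sorted(audit_shared_objects(root).items()):
            print(f"{host:30} {info['files']:3} file(s) {info['bytes']:6} bytes  "
                  f"objects: {', '.join(info['objects'])}")
```

Because the scan works on the file system rather than through any browser, it sees the same data regardless of which browser (or private mode) wrote it, which is exactly the property the paper objects to; the host directory names are the list a user would otherwise only get from Adobe's settings page.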
While the risks identified by the iSec paper are relatively low, they do bring up an important point, of which all Web surfers should be aware: Cookies are only the beginning. As Web-based applications become increasingly sophisticated, incorporating an ever-widening array of technologies, don't assume that a couple of checkboxes in your browser's preferences panel will protect you from all of the data-collection methods on today's Web.
Some anti-spyware software will detect and eliminate so-called tracking cookies from your browser, but most do not yet support Gears data or Flash cookies. As always, the best defense is to be aware of the sites you visit, avoid questionable sites (porn and pirated software sites are big culprits), and certainly never install browser plug-ins from untrusted sources.
Neil McAllister is a freelance technology writer based in San Francisco.