Attack Of The Zombie Cookies

Zombie cookies aren’t dead yet! Over a year ago, lawsuits were filed against Disney, Warner Brothers, MySpace, ABC, and NBC Universal for using persistent tracking cookies able to defeat most attempts to disable, block, or purge them. Those zombie cookies were originally spawned using Adobe Flash technology, and Adobe promised to update its software to remedy the situation. Now Stanford researcher Jonathan Mayer has caught Microsoft using zombie cookies to track users visiting MSN, the Microsoft store, or Microsoft.com itself. This time, both a cache-based cookie and a more advanced “supercookie” are used to survive users’ attempts to block or delete them. Microsoft implements both methods with a script called wlHelper.js, which is stored in the browser cache along with a copy of the cookie. If a user deletes the cookie but doesn’t empty the browser cache, the cached script recreates the deleted cookie. The second approach relies on ETags, the HTTP cache-validation headers: the server stores a bogus version number in the browser cache as a resource’s ETag, and if the cookie is erased, wlHelper.js retrieves the identifier from that bogus version number and rebuilds the cookie.
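To show how ETag-based respawning can be spotted from the defender’s side, here is an added example (it is not from the original post and not Microsoft’s code): it compares the ETags returned for byte-identical content across two independent, cache-free fetches, on the reasoning that a genuine ETag validates the content and so should not vary per client. The URLs, ETag values, and bodies are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample captures: each tuple is (url, etag, body) from one of two
# independent, cache-free fetches (e.g. two fresh browser profiles). The
# hypothetical example.test host and the ETag values are made up.
CAPTURES = [
    ("https://example.test/wlHelper.js", '"3e1a-5f8c2a9b"', b"/* helper script */"),
    ("https://example.test/wlHelper.js", '"3e1a-5f8c2a9b"', b"/* helper script */"),
    ("https://example.test/track.gif", '"a1f9e3c0d77b4b2e"', b"GIF89a\x01\x00\x01\x00"),
    ("https://example.test/track.gif", '"c48d1c2f33e045ab"', b"GIF89a\x01\x00\x01\x00"),
]


def suspicious_etags(captures):
    """Return URLs whose ETag differs between fetches of byte-identical content.

    A legitimate ETag is a validator for the response body, so identical
    bodies should carry identical ETags. If the same bytes come back with a
    different ETag for each client, the ETag is acting as a per-client
    identifier that the browser will echo back in If-None-Match, which is
    exactly the cache-based respawning channel described above.
    """
    etags_by_content = defaultdict(set)  # (url, sha256(body)) -> {etag, ...}
    for url, etag, body in captures:
        etags_by_content[(url, hashlib.sha256(body).hexdigest())].add(etag)
    return sorted(url for (url, _), etags in etags_by_content.items() if len(etags) > 1)


if __name__ == "__main__":
    for url in suspicious_etags(CAPTURES):
        print("per-client ETag on identical content:", url)
```

Run against real traffic, the captures would come from two clean profiles with caching disabled; a hit only means the ETag varies per client, so confirm it against the script that reads it before concluding it is a tracker.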

The adoption of HTML5 provides fertile ground for breeding zombie cookies too. The HTML5 standard includes a local storage feature that can be misused as a new way of creating a tracking cookie, one untouched by Firefox’s private browsing feature, Internet Explorer’s InPrivate browsing, or Chrome’s Incognito browsing mode.

Right now, the only sure way to protect oneself from this is to run a browser plug-in, such as NoScript, that blocks both Flash and JavaScript from running except on websites you explicitly grant permission. Because NoScript is for Mozilla-based browsers only, your results may vary on other platforms. (This may serve as yet another reason WebOS owners benefit if their operating system keeps a zombie-like resilience!)

As horror movie fans already know from watching Dawn of the Dead, the seeming initial victory over the zombies didn’t last. I expect a sequel of lawsuits.
