A security flaw means that users of almost every modern web browser can be surreptitiously tracked online without their knowledge, Ars Technica reports, even when they make use of “private browsing.”
Apple users are particularly vulnerable, as their devices do not have a function that lets users delete super cookies from their browsers.
Most websites place what’s called a “cookie” on visitors’ computers, which is used to track them and record their preferences. It’s how websites can remember your password, for example. Like your web browsing history, they’re easy to delete. If you use your browser’s “private browsing” mode they’re never saved in the first place — and advertisers can’t track you, and other computer users can’t go back and see what you looked at.
However, a flaw in a modern web security feature called “HTTP Strict Transport Security” (HSTS) allows websites to plant “super cookies” that can be used to track web users’ browsing habits even when private browsing is enabled.
Here’s how it works.
Security researcher Sam Greenhalgh writes that HSTS “allows a website to indicate that it should always be accessed using a secure connection that encrypts your communication with the site.” This “flag” is then saved by your web browser, ensuring that any future visits to the website are secure. But the same feature can also be abused: a website can use the stored flags to encode a unique number that identifies your web browser on later visits.
And because HSTS carries over into private browsing, it means the “super cookie” can be used to track you whether you’re attempting to cover your steps or not.
Greenhalgh says that Apple’s Safari web browser is especially vulnerable to the exploit. While clearing cookies on Mozilla’s Firefox, Google Chrome or Opera also erases HSTS flags, deleting the super cookies, there’s no way to do so on Safari on iOS devices.
This means that if you’ve had super cookies placed on your iPad or iPhone, there’s effectively no way to get rid of them short of reformatting the entire machine.
“A notable exception is Internet Explorer,” the researcher adds, because it has no support for HSTS — “although it is in development at the time of writing.”
Greenhalgh told Forbes that he doubts major companies are making use of super cookies to track users. “I don’t think most big name online retailers would risk losing the trust of their customer base by employing nefarious tracking mechanisms like this,” he said. But that’s not to say that more nefarious websites won’t leap at the chance to track internet users’ browsing habits.
Developers for Google Chrome have been in contact with Greenhalgh since he published, and are apparently taking steps to “mitigate the effects of the problem.” However, an online FAQ says they believe that “defeating such fingerprinting is likely not practical without fundamental changes to how the Web works.”
Firefox has since developed a solution to the issue, by no longer carrying HSTS over to private windows. It is, however, a trade-off — favouring “privacy over security,” Greenhalgh writes. If you’re trying to buy something from a website using a private Firefox tab and you load an unencrypted version of the page, then the browser won’t redirect you to the encrypted version — meaning your credit card info won’t be encrypted once you send it.
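The trade-off described above can be made concrete with a small model of a browser’s HSTS store. This is an added example, not code from the article or from Sam Greenhalgh’s research: it assumes a simplified browser that keeps one HSTS flag per host name, honours the Strict-Transport-Security header only on HTTPS responses, and upgrades http:// navigations to https:// when the flag is set. The host names and URLs are constructed sample values. The `isolate_private` switch models the two behaviours the article contrasts: flags carrying over into private browsing (observable state that can be read back, but insecure links still get upgraded) versus the Firefox fix (private windows start with an empty, throw-away store, so nothing carries over but an unencrypted page load is no longer corrected).

```python
from urllib.parse import urlsplit, urlunsplit


class Browser:
    """Toy model of a browser's HSTS store (added example, not a real browser)."""

    def __init__(self, isolate_private: bool):
        # isolate_private=False: HSTS flags set in normal windows are also
        # consulted in private windows (the behaviour the article describes).
        # isolate_private=True: private windows use a separate store that is
        # discarded when the private session ends (the Firefox fix).
        self.isolate_private = isolate_private
        self.hsts_hosts: set[str] = set()          # persists across sessions
        self.private_hsts_hosts: set[str] = set()  # only used when isolating

    def _store(self, private: bool) -> set[str]:
        if private and self.isolate_private:
            return self.private_hsts_hosts
        return self.hsts_hosts

    def receive_response(self, url: str, headers: dict[str, str], private: bool) -> None:
        """Record an HSTS flag if the response carries the header over HTTPS."""
        parts = urlsplit(url)
        # The header is only honoured on a secure connection; header names are
        # case-insensitive, so normalise before checking.
        if parts.scheme != "https":
            return
        if "strict-transport-security" in {k.lower() for k in headers}:
            self._store(private).add(parts.hostname)

    def navigate(self, url: str, private: bool) -> str:
        """Return the URL the browser would actually load for a navigation."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self._store(private):
            parts = parts._replace(scheme="https")  # HSTS upgrade
        return urlunsplit(parts)

    def end_private_session(self) -> None:
        # Closing private windows throws away the isolated store only.
        self.private_hsts_hosts.clear()

    def clear_hsts(self) -> None:
        # Models the "clear cookies also clears HSTS" behaviour the article
        # attributes to Firefox, Chrome and Opera.
        self.hsts_hosts.clear()
        self.private_hsts_hosts.clear()


HSTS_HEADER = {"Strict-Transport-Security": "max-age=31536000"}  # constructed sample


def demo(isolate_private: bool) -> dict[str, bool]:
    """Set a flag in a normal window, then observe it from a private window."""
    b = Browser(isolate_private)
    b.receive_response("https://shop.example/", HSTS_HEADER, private=False)
    private_load = b.navigate("http://shop.example/checkout", private=True)
    return {
        # True means state from normal browsing is observable in private mode
        "flag_visible_in_private": private_load.startswith("https://"),
        # True means an unencrypted link is still corrected in private mode
        "insecure_load_upgraded_in_private": private_load.startswith("https://"),
        # Normal windows keep the protection either way
        "insecure_load_upgraded_in_normal":
            b.navigate("http://shop.example/checkout", private=False).startswith("https://"),
    }


if __name__ == "__main__":
    print("carry-over behaviour:", demo(isolate_private=False))
    print("isolated private store:", demo(isolate_private=True))
```

Both observations in `demo` come from the same navigation, which is the point: in this model, whatever lets a private window be upgraded to HTTPS from a flag set earlier is also what lets that flag be read back, so a browser cannot keep one without the other.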