Dec 16

We’ve been doing a lot of research on how to better detect threats to Web sites, and how to re-identify and track them over time. One key consideration is: How far can you push the standard ‘cookie’ mechanism as a way to track and manage users with a demonstrable history of abuse and malicious behavior?

So when Samy Kamkar, author of the infamous MySpace worm, recently released a new open source project called ‘evercookie’, it caught our attention. The goal of the project is to create a persistent tracking cookie that is extremely difficult to remove. Unlike traditional cookies, which can be cleared easily using standard browser privacy controls, the evercookie is designed to evade most purging tactics. Once tagged by the evercookie script, you must go through a long series of difficult steps to eliminate all traces of the unique identifier. In some cases, this requires additional software that average users don’t typically have. Missing even a single step will cause the cookie data to repeatedly propagate throughout the browser environment, forcing you to restart the purging process.

Sounds cool, so we checked it out. We found that while evercookie is still in an early stage and there’s definitely room for improvement, there are some pretty big problems with this overall approach.

The first is footprint. evercookie has a relatively large footprint on the client, making it fairly easy to detect. Some examples:

  • The “evercookie” token is ubiquitous in the JavaScript source and filenames.
  • The data points maintained by lengthy expiration dates, such as cookies and cache, use hard-coded values. By simply checking to see if a website has issued a cookie that expires on “Tue, 31 Dec 2030 00:00:00 UTC”, you can confirm the presence of an unedited copy of the evercookie code.
  • You could create a more extensive detection mechanism by testing a collection of JavaScript tokens that even experienced developers are unlikely to edit, including “localStorage”, “INSERT OR REPLACE”, “silverlight”, and “#userData”, to name a few.

A developer integrating evercookie code could reduce the footprint by adding a layer of strong and thorough obfuscation, but you can’t get rid of it completely.
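The footprint checks listed above, written out as an added example (not code from the evercookie project or from this post's authors). The three-token threshold, the treatment of "GMT" as equivalent to "UTC", the verdict names and the sample strings are assumptions of this example.

```python
import re

# Indicators quoted in the post. Threshold and verdict names are assumptions of this example.
HARD_CODED_EXPIRY = "Tue, 31 Dec 2030 00:00:00 UTC"
JS_TOKENS = ("evercookie", "localStorage", "INSERT OR REPLACE", "silverlight", "#userData")
TOKEN_THRESHOLD = 3  # assumed: one token alone ("localStorage") is common in benign code


def _norm(text):
    # Collapse whitespace and case; treat "GMT" as "UTC" (assumption) so both spellings match.
    return re.sub(r"\s+", " ", text).strip().lower().replace("gmt", "utc")


def expiry_hits(set_cookie_headers, script_text):
    """List where the hard-coded expiry appears: 'header:<cookie name>' and/or 'script'."""
    wanted = _norm(HARD_CODED_EXPIRY)
    hits = []
    for header in set_cookie_headers:
        m = re.search(r"expires=([^;]+)", header, re.IGNORECASE)
        if m and _norm(m.group(1)) == wanted:
            hits.append("header:" + header.split("=", 1)[0].strip())
    if wanted in _norm(script_text):
        hits.append("script")
    return hits


def token_hits(script_text):
    """Return the footprint tokens present in the script, matched case-insensitively."""
    lowered = script_text.lower()
    return [t for t in JS_TOKENS if t.lower() in lowered]


def classify(set_cookie_headers, script_text):
    """Verdict: 'unedited-copy' on the expiry match, 'likely' on enough tokens, else 'none'."""
    expiry, tokens = expiry_hits(set_cookie_headers, script_text), token_hits(script_text)
    verdict = "unedited-copy" if expiry else "likely" if len(tokens) >= TOKEN_THRESHOLD else "none"
    return {"verdict": verdict, "expiry": expiry, "tokens": tokens}


# Constructed samples (not captured traffic and not evercookie source code).
UNEDITED_JS = 'document.cookie = "uid=abc; expires=Tue, 31 Dec 2030 00:00:00 UTC; path=/";'
RENAMED_JS = ('var s = window.localStorage; db.executeSql("INSERT OR REPLACE INTO c VALUES(?)");'
              ' el.style.behavior = "url(#default#userData)"; // silverlight fallback')
BENIGN_JS = 'window.localStorage.setItem("theme", "dark");'

if __name__ == "__main__":
    for js in (UNEDITED_JS, RENAMED_JS, BENIGN_JS):
        print(classify([], js))
```

Both checks are plain string matches, so they catch unedited or lightly renamed copies only; the obfuscation mentioned above would require matching on behavior rather than on tokens.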

The second problem is that evercookie exposes a site to new attack vectors. For example, the use of the “window.name” JavaScript variable enables cross-domain data leakage. This could be a serious issue depending on how the data in the cookie is actually being used. The general problem arises because any 3rd party, unrelated website can obtain the cookie value and impersonate the visiting user. The added trust given to the evercookie, because it is so difficult to manipulate, may further exacerbate this issue.

Despite its shortcomings, evercookie has kicked off another round of debate about user privacy. Most browsers already support private browsing mode, which attempts to sandbox all browsing activity and prevent sites from using cookies for user tracking. Unfortunately, not everything can be easily and effectively sandboxed, and evercookie takes full advantage of that fact (Samy admits that he has yet to conquer Safari’s private browsing mode, but give him time). In response, Anonymizer has announced a new Firefox plugin called “Nevercookie” (touché!). When used in private browsing mode, Anonymizer says Nevercookie will effectively purge an evercookie…

And the arms race continues. Browser and plugin vendors will continue to add protective measures that help users avoid tracking, and developers will continue to create code and tactics for evading those measures. It’s also important to note that Samy hasn’t invented anything new here – he’s just researched what’s possible with today’s Web browsers. And not every security researcher is as forthcoming as he is. It’s quite conceivable that Web applications in the wild are already using many similar tracking techniques.

The bottom line: No one can be certain whether their activities are actually being tracked and correlated across many visits to a site, or possibly to multiple sites. Technically, user tracking on the Web is a reality, and it’s not going away. The debate, accordingly, should shift to when and under which circumstances user tracking is appropriate.

One Response to “Evercookie or Nevercookie? Can Security Benefits Overcome Privacy Concerns?”

  1. [...] This post was mentioned on Twitter by Web Security News, Aliko Sunawang. Aliko Sunawang said: RT @WebSecurityNews: Evercookie or Nevercookie? Can Security Benefits Overcome Privacy … http://ow.ly/1ausq7 [...]
