Super Cookies Can Track Even In Incognito
October 12, 2016
Google chairman Eric Schmidt gave some rather erroneous advice when he was asked about Google’s potential to track and pass information to intelligence agencies during an interview at the Cato Institute in Washington, D.C. “If you’re concerned, for whatever reason, you do not wish to be tracked by federal and state authorities, my strong recommendation is to use Google Chrome’s incognito mode, and that’s what people do,” he replied.
Aside from the flaw that ISPs, websites, and governments tapping the internet can still see the user’s traffic when in incognito mode, a British researcher has shown how “super cookies’ could be used to place permanent trackers of PCs, smartphones, and tablets.
How Super Cookies work
These super cookies can be created, as tested by Sam Greenhalgh, by abusing the HTTP Strict Transport Security (HSTS) security feature, which websites use to inform browsers to enforce encryption and switch to the HTTPS version of their website. During the switch from HTTP to HTTPS, a website owner can create the super cookies by forcing the computer to create unique numbers that would identify the users. Once the number is created, it can be shared and used to track the user across other websites.
These super cookies aren’t stopped during incognito mode, and worst, even Apple’s Safari, Mozilla FireFox, and Opera are also prone to this method. Although a counter-measure can be placed by instantly deleting the data related to HSTS, it runs the risk of degrading security protections.
To read more on this, click here.