'Super cookies' can track you even in private browsing mode, researcher says

Think you're safe from sneaky advertising companies tracking you when you're in private or incognito mode? You might not be.

If there's one thing websites love to do it's track their users. Now, it looks like some browsers can even be tracked when they're in private or incognito mode. Sam Greenhalgh of U.K.-based RadicalResearch recently published a blog post with a proof-of-concept called "HSTS Super Cookies." Greenhalgh shows how a crafty website could still track users online even if they've enabled a privacy-cloaking setting.

The key to the exploit is to use HTTP Strict Transport Security (HSTS) for something it wasn't intended for. HSTS is a modern web feature that allows a website to tell a browser it should only connect to the site over an encrypted connection.

Say, for example, John types SecureSite.com into his browser with HSTS enabled. SecureSite's servers can then reply to John's browser that it should only connect to SecureSite over HTTPS. From that point on, all connections to SecureSite from John's browser will use HTTPS by default.

The problem, according to Greenhalgh, is that for HSTS to work your browser has to store the data about which sites it must connect to over HTTPS. But that data can be manipulated to fingerprint a specific browser. And because HSTS is a security feature most browsers maintain it whether you're in private or normal mode--meaning that after your browser has been fingerprinted, you can be tracked even if your browser is in incognito mode.

When in private browsing or incognito mode (sometimes called as "porn mode") your browser won't store data such as cookies and browsing history once the private browsing session has ended--unless it's tricked into doing so by a Super Cookie.

The story behind the story: Although Greenhalgh's blog post is gaining traction, people have been talking about the privacy and security trade-offs of HSTS for some time. The Chromium team, which creates the open source browser that Chrome is based on, discussed the issue as early as 2011. In 2012, security firm Leviathan published a blog post raising similar concerns, and Robert "RSnake" Hansen raised the issue on his blog ha.ckers.org in 2010.

Protecting yourself

Although this issue has been known for some time it's not clear if any sites are actually using this weakness to track users. Regardless, you can protect yourself on Chrome by erasing your cookies before going into incognito mode. Chrome automatically flushes the HSTS database whenever you delete your cookies. Firefox does something similar, but Greenhalgh says the latest version of Firefox solved this issue by preventing HSTS settings from carrying over to private browsing modes.

Safari is a bigger problem, however, as there is apparently no obvious way to delete the HSTS database on Apple devices like the iPad or iPhone, Greenhalgh says. HSTS flags are also synced with iCloud, making HSTS Super Cookie tracking even more persistent (at least in theory) when using Apple hardware.

HSTS Super Cookies only appear to work if you first visit a site in a non-private mode. Anyone visiting a site for the first time in private mode will not carry over an HSTS super cookie to their regular browsing.

As for Internet Explorer users, the good news is you are completely protected from this type of tracking! Now for the bad news: It's because IE doesn't support HSTS at all.

[via Ars Technica]

Join the CSO newsletter!

Error: Please check your email address.

Tags FirefoxsecurityRadicalResearchsafariInternet Explorerchromeprivacy

More about AppleTransport

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place