Supercookies – Data Harvesting Tools With Not-So-Super Implications

Anyone who uses the internet has likely heard of cookies, but few people know what cookies are capable of. Cookies are essential for making the internet easy to use and efficient for everyone, but like everything online, they can potentially be exploited by bad actors. 

‘Supercookie’ is a catch-all term to describe cookies that remain on a computer’s hard drive, even after a session has ended. Supercookies have become a large topic of conversation and speculation in recent years, with experts criticising the amount of data these cookies collect, and how difficult it can be to remove them.  

There are a lot of security measures and legislation in place that restrict the scope of supercookies nowadays, and some are healthy and useful for browsing. Despite this, it is important to know what unsafe supercookies may look like, and the risks they hold to privacy and security. 

What are Cookies? 

Cookies by themselves are harmless and unassuming, as they are simply tiny text files that store information on a site-by-site basis. When your web browser accesses a website, the site’s web server will check for cookies, and generate one if none are available. The cookie is downloaded onto your computer and acts as an ID so the website knows that it is you accessing the site in the future. Your settings and preferences will be saved to the website’s database and linked to your computer’s specific cookie. With this the website will serve you your specific session in the future. 

What are Supercookies? 

With the fundamentals out the way, you will be pleased to learn that a supercookie is not actually a cookie at all. Supercookies are referred to as cookies as they are stored and used in exactly the same way as regular cookies are. Supercookies are stored outside of a browser, on other locations in a computer’s hard drive, thus they are not technically cookies at all. 

Supercookies come in a variety of shapes and sizes, and will perform different functions depending on the type. No matter which type, supercookies are generally much harder to remove than regular cookies by design, and are often used for more sinister reasons.  

Examples of Supercookies 

Flash cookies 

Flash cookies are hidden on a computer by using Adobe’s Flash plugin. Commonly used to store preferences for flash multimedia such as Flash game saves or Flash Player preferences, these cookies can be used for more sinister reasons.  

Zombie cookies 

Zombie cookies are a potentially sinister expansion of super cookie functionality. Zombie cookies will be created in the same way as super cookies, but are stored in various locations on a computer’s hard drive. Should one instance of a zombie cookie be deleted, it can be ‘resurrected’ by the other instances dotted around the computer’s storage, hence the name zombie cookie. 

Implications of the Supercookie 

Flash and zombie cookies are the most frequently heard-of supercookies as their scope is generally not limited to just data collection and privacy issues. The persistence of zombie cookies is worrying as the data that they gather in the background can lead to security issues should the data fall into the wrong hands. While you are not going to have sensitive information stolen by a zombie cookie, people who have access to a zombie cookie’s data will be able to use or sell the online profile it generates. For instance, a zombie cookie would be able to see your browsing habits, allowing advertisers or potential scammers to know which websites you are likely to visit. 

Unlike regular cookies, flash cookies are usually downloaded to your computer without you realising. Most websites nowadays are legally required to ask you to accept and manage your cookie preferences. Flash cookies often bypass this requirement. This presents security concerns as you are often not able to control the privacy restrictions of flash cookies like you would be able to with regular cookies. 

ISPs use their own supercookies that have Unique Identifier Headers (UIDH) so that they can track a particular device on the internet. Internet service providers (ISPs) have also been getting into trouble over what they do with the data they collect from supercookies. In 2016 the Federal Communications Commission (FCC) fined Verizon, an American ISP, $1.35 million as customers were not given the option to opt-out of the tracking performed by the Verizon supercookie. 

Supercookies are not just limited to the examples listed above. What we think of as a supercookie changes as technology advances. Since supercookies are more nebulous than regular cookies, in the future more contemporary methods of tracking and storing user’s data may fit into the description of a supercookie. 

Removing Supercookies 

Supercookies are being cracked down on more and more by browsers and legislation. Many browsers will now advertise advanced privacy features, allowing users more control over persistent cookies and supercookies. For example, earlier in 2021, Firefox blocked supercookies from tracking users across multiple websites. 

Flash cookies can be removed by using the Flasher Settings Manager to remove them. It is worth noting that Adobe Flash Player is no longer supported, and it is recommended that you uninstall Flash player. This will prevent future flash cookies as well. Persisting flash cookies as well as zombie cookies can be removed using software such as CCleaner. 

ISP UIDH supercookies cannot be deleted. An ISP will generally always be able to track you as they store their own data on their private servers. The best way to minimise the data harvested by ISP supercookies is making use of a VPN. 

How Securiwiser can Help 

Securiwiser can help you to secure your organisation. Help keep your network and data safe with daily real-time updates of your organisation’s cyber security posture. We will provide you with a cybersecurity score using our robust scoring system, and provide detailed information on what you can do to improve. 

Click here for a free cybersecurity report.