Cookies & Web Bugs: Links & News
Cookie Exploit www.cookiecentral.com/bug/index.shtml
Dec 14, 1998: Paraphrased: "A bug in the current implementation of the cookie protocol allows cookies to override the current domain restrictions enforced on the sharing of cookies. The exploit allows a site to set cookies that can be shared between unrelated domains. To our knowledge, all the mainstream browsers are vulnerable to this exploit. Internet Explorer and Netscape are all known to be vulnerable on the Windows, Mac and Linux platforms."
Users of older IE browsers and of any version of Netscape are vulnerable. A post to the Proxomitron mailing list on Aug 03, 2000 states: "I tried the exploit with a couple of web browsers. Internet Explorer 5.0 and Opera 3.62 don't have this problem while the exploit works in Netscape 4.7 and Mozilla M16 (!), even though it was discovered over a year ago."
Email Cookie Leak Security Hole www.tiac.net/users/smiths/privacy/cookleak.htm
Nov 30, 1999: Richard M. Smith describes how browser cookies can be matched to Email addresses, associating an Email address with an "anonymous" profile that has been created for a person as they surf the Web.
How Web Servers' Cookies Threaten Your Privacy www.junkbusters.com/ht/en/cookies.html
Interhack: DoubleClick Opt Out Protocol Failure = Opt In www.interhack.net/pubs/dc-proto-fail/
May 15, 2000: "...describes an implementation flaw in DoubleClick's handling of cookies sent from the browser [...] that could result in the consumer being tracked without any knowledge of this activity, contrary to the consumer's explicit action of opting out."
Interhack: Opting In, By Accident www.interhack.net/pubs/netscape-doubleclick/
May 15, 2000: "It has been observed that whenever you choose Edit -> Preferences -> Advanced and select "Do not accept or send cookies," Communicator deletes the cookie store, including the opt out cookies. (Note that on the Windows platforms, versions 4.7x label this button "Disable Cookies.") [...] In all likelihood all versions of Communicator which give you the cookie management options have this defect."
Microsoft Word Documents that "Phone Home" www.privacyfoundation.org
Aug 30, 2000: Richard M. Smith shows how Web Bugs and cookies can be used in Word, Excel 2000 and PowerPoint 2000 documents. "A "Web bug" could allow an author to track where a document is being read and how often. In addition, the author can watch how a "bugged" document is passed from one person to another or from one organization to another." Includes a demo. (link courtesy of "El Gato Grande")
MSN Cookie Data Crosses Domains And MSN GUIDs Are Accessible to Anyone www.pc-help.org/privacy/ms_guid.htm
Updated Sept 03, 2000: By pchelp, a GRC newsgroup contributor: "An MSN server and an affiliated website use clever tricks to create and to share between them, a unique numeric identifier (GUID) that is stored on users' machines; sometimes even without the use of cookies. The MSN server readily shares those GUIDs with any web server. The result, perhaps inadvertent, is that anyone with a website can contrive to obtain the GUIDs that are created by the MSN system and carried in users' cookies."
Web Bug FAQ www.tiac.net/users/smiths/privacy/wbfaq.htm and www.privacyfoundation.org/education/docbug.html
Both by Richard M. Smith, the first being Version 1.0 on his Advanced Programming Website, the second being on the Privacy Foundation website. Be sure to check out his Web Bug Search Page too: www.tiac.net/users/smiths/privacy/wbfind.htm.
Internet Explorer
Utilities are available for users who want to manage IE cookies, caches, history files easily. See the Browser & Cookie Filters and Browser, Cache & Cookie Utilities sections of the Links page.
In Internet Explorer, cookies are typically found in the C:\Windows\Cookies folder (Win 9x, default config). However, they are tied to information hidden in the cookies index.dat file so cleaning isn't simply a matter of removing them from that folder. Other .dat files exist for Temporary Internet Files and History, so discussion of cookie cleaning in IE usually involves discussion of all three folders. For simplicity's sake and particularly for users not comfortable with or unable to use native DOS, I recommend using one of the many utilities available to manage cookies and clean the various files and folders in IE (see links above).
Since I use (a pre-Adaptec version of) Go Back www.adaptec.com/products/overview/goback.html, using native DOS to manipulate Windows files can be troublesome, ineffective, and can require me to wipe out my Go Back history. I'm not willing to go through the hassles when easy alternatives are available (Powerquest Second Chance www.powerquest.com/secondchance/index.html users may also be in this situation). I personally use Proxomitron, Spider, and IE Zones to manage and clean cookies, cache and history files in IE. And of course, the hosts file prevents getting many unwanted cookies to begin with.
GRC newsgroup users have often shared their IE tips and tricks and some are included below. As it's impossible to cover all possible combinations of browser versions and operating systems, I've chosen those that I feel will apply to the majority of users. If you'd like to add something, please email me: [email protected]. Thanks also to El Gato Grande and RoqueWave for their support and assistance with this section.
The "Read-Only" Cookies Trick
For IE, this trick involves marking the index.dat file in the c:\windows\cookies folder "read only" or deleting the index.dat file from the c:\windows\cookies folder and then adding a subfolder named Index.dat. However, this doesn't work for everyone and with IE 5.5 it can cause problems, including an inability to download. Too many hassles!
Courtesy of "Gst": "I click on the file and the download window pops up. The info for "estimated time left," "download to," and "transfer rate" is missing. The download progress bar stays blank. After about 2-3 min. I receive the error message:"
"Internet Explorer cannot download file xxxxx...... Internet Explorer was unable to open this Internet site. The requested site is either unavailable or cannot be found. Please try again later."
Courtesy of "Rick": (paraphrased) "A while back there was a thread in these newsgroups regarding placing a folder in your cookies folder (& elsewhere) & calling it Index.dat. Have you done that by any chance? I have seen that cause the exact behaviour you are describing. Delete the subfolder & allow the file to be created & that fixes the problem."
Courtesy of "Tracer": "If you use the cookies protection style of the read only attributes or making a folder of index.dat then you will not be able to download. That is one of the problems with that basic cookie protection setup. So every time you want to D/L, you've got to remove the protection scheme. But remember that you have to DOS delete the file again and then re-initialize the scheme if you want it back."
Courtesy of "John B.": "Internet Explorer doesn't use a Cookies.Txt file like Netscape. Instead it writes cookies as individual files in the Windows/Cookies directory, and also to an Index.Dat file in the same directory. You've probably read the posts advising you to empty this directory and create an Index.Dat folder in the same directory (and also in your Temp directory, if it isn't on a RAMdisk like mine) to prevent its recreation. Unfortunately this is an all-or-nothing solution; you can't have *any* cookies in IE if you do this. (Making Netscape's Cookies.Txt file read-only lets you keep the cookies that are already in it.)"
Courtesy of "Bruce S.": "IE5.5: Deleted all cookies. Emptied the dat file, made the dat file and the folder RO. We didn't hide it. Not much point. Ran IE and clicked around a bit. Closed IE. Checked the cookie folder and found a fresh batch of cookies. The folder and the dat file had their RO changed back to R/W."
Courtesy of "Flip": "I have W98 SE, IE 5.01 and setting the attribute +r on the index.dat file in cookies folder didn't work."
Cookies, Zones, and Cache Management (courtesy of "Tamer A.")
The cookie solution for IE 5.5 (and probably 5.1, but I'm not sure) is simple: Disable all cookies (or at least non-per-session ones) in the Internet Zone (Tools | Internet Options | Security - highlight Internet - click Custom Level). Sites which the user wants to get cookies from can then be added to the "Trusted Sites Zone" (wildcards allowed, as in *.microsoft.com), making sure of course that security settings for the trusted sites zone allow cookies.
If the person is on a highspeed connection (or is willing to sacrifice some speed on a dialup connection) I recommend clearing the IE cache automatically after each browsing session (The option is under Tools | Internet Options | Advanced, in the 'security' paragraph). This helps eliminate all those pesky dated gifs which can allow tracking across sessions.
Depending on browsing habits and convenience, other settings in Internet Zone can be tweaked (allowing scripts, Java, ActiveX, etc.). It's also important to disable everything in the Restricted Zone and tell OE (if that's used) to use restricted zone settings when reading HTML mail (In OE, it's under Tools | Options | Security top of the tab).
A note on sources: I first read about using the Zones in IE in a Winmag.com column. They suggested switching off cookies in Restricted Sites, and adding intrusive sites to that list as time goes on. I thought this was unnecessarily inverted (an opt out strategy); sites should not be allowed to deposit cookies by default (Internet Zone) unless the user allows them to by adding them to the Trusted Sites (an opt in strategy).
Of course, these are not *original* sources; they're just where I got my suggestions :-)
Spider
I've used Spider for a few years now to clean IE Temporary Internet Files, Cookies, History dat files. Many users report that it will read only, not clean, on IE 5.5. Since I've also seen reports saying it works fine with IE 5.5, perhaps the issue is whether it's being used under Win 9x or Win 2k. Users able to "read only" still find it useful to check up on their other cleaning methods. It's small and fast and if you've never seen what info IE secretly keeps in hidden URL files, you'll be in for an eye-opening experience.
In Spider, first set the "Options," hit the magnifying glass icon, and then the ambulance icon. Cleaning will require a reboot. After reboot, I usually run it again to check that all files have been cleaned. Occasionally it misses a few but this wasn't always the case and I've no idea why it started happening. I just run it again and that takes care of it.
Users will notice that the Channel URLs aren't removed, even though the Channels have been removed from IE Favorites. Here's the solution, courtesy of Rick C. (works perfectly): "To remove Channel URLs and keep them from being rewritten to the index.dat, go to the C:\Windows\Web folder and delete all of the .cdf files in there. Leave the stuff in your recycle bin for a bit until you are satisfied."
DOS Solutions (courtesy of "Rick C.")
Errors can cause major problems. Read carefully & proceed with caution at your own risk!
So that the tempor~1 does not build up and take a minute or more to delete in DOS:
In Internet Options, under the advanced tab, check off the option to delete saved pages when browser is closed, thus keeping that folder trim allowing an expedient deletion.
1. Examples assume you do not have user profiles (paths would change to accommodate).
2. Each "cookies line" assumes you want the Cookies folder with all cookies & the index.dat deleted. If you need to keep certain cookies:
a. Start with a freshly rebuilt cookies folder and index.dat file (16kb).
b. Then access your sites that you need with cookies turned on, at the same time putting each of these particular sites into your Internet Options Trusted Zone.
c. Immediately upon exiting the last site, turn your cookies off, which will isolate your cookies folder and its index.dat file.
At this point you can leave out any of the cookie lines in the Examples below (which is what I do), and you still will have cookie access to your sites without any other additional data being added into the isolated index.dat and cookies in that folder.
3. I chose not to use /y in Examples 3 & 4 for safety, but you can of course.
_ _ _ _ _ _ _ _ _ _ _ _ _ _
Example 1 (the best and easiest way in the long run)
Enter these lines in your autoexec.bat with or without the cookies line depending on your desires (I personally leave it out and have my cookies turned off except for those few in my Trusted Zone that have a cookie that I want to use for my convenience). To enter the lines, go to the Start button, up to Run and type in sysedit. These entries will automatically clear these folders at every boot up.
cd windows
deltree /y Tempor~1\*.*
deltree /y cookies\*.*
deltree /y History\*.*
_ _ _ _ _ _ _ _ _ _ _ _ _ _
Example 2 (an alternative manual way to do whenever you want)
Make a .bat file using notepad and copy these lines below and save it as Renew.bat ...and place it in your Windows folder. Then anytime from your Start > Shutdown, choose Restart in the MS-DOS mode, and when you are at the C:\Windows prompt then just type in: renew ...and it's done automatically.
cd \windows
deltree /y tempor~1\*.*
deltree /y cookies\*.*
deltree /y history\*.*
exit
_ _ _ _ _ _ _ _ _ _ _ _ _ _
Example 3 (a slower but good, more manual way to do it)
From Start > Shutdown, choose Restart in the MS-DOS mode, and type in these lines at the C:\Windows prompt. Confirm your typing before pressing Enter. When asked to confirm, if correct, press y.
deltree tempor~1\*.* <Enter>
deltree cookies\*.* <Enter>
deltree history\*.* <Enter>
Restart computer with Ctrl-Alt-Delete.
_ _ _ _ _ _ _ _ _ _ _ _ _ _
Example 4 (another alternative)
Select to Restart your computer, and while it is rebooting "hold down the Control key" or "repetitively press F8" -(whichever one works) ...and as the computer is re-starting you'll see it stop at a menu. Then select "Command Prompt Only" (mine is #5) ...and then at the C:\ prompt type these commands below. Confirm your typing before pressing Enter. When asked to confirm, if correct, press y.
cd \windows <Enter>
deltree tempor~1\*.* <Enter>
deltree cookies\*.* <Enter>
deltree history\*.* <Enter>
Restart computer with Ctrl-Alt-Delete.
_ _ _ _ _ _ _ _ _ _ _ _ _ _
Netscape
Utilities are available for users who want to manage Netscape cookies, caches, history files easily. See the Browser & Cookie Filters and Browser, Cache & Cookie Utilities sections of the Links page.
Netscape keeps cookies in a file named cookies.txt. It can be found in different locations, depending on where Netscape is installed and whether or not it's configured for multiple users. Use "find" in Windows to locate all instances of cookies.txt and then determine which is being used (only one may exist).
Despite the dire warning encountered when opening cookies.txt with a text editor ("This is a generated file! Do not edit."), it can be edited without causing any problems. Keep the first 3 remarked Netscape-generated lines (preceded by a #) and remove whatever you want following them.
Disable or Do Not Accept Or Send Cookies Setting
Refer to Interhack: Opting In, By Accident article linked in the "Links & News" section above. This Netscape behavior (changing from accepting to not accepting cookies) will cause the deletion of any cookies you might want to keep. To keep this from happening, ensure the cookies.txt file contains only cookies you want to keep (if any) and then make it "read-only."
Better yet, use a Cookie Manager. If unable to identify a cookie by looking at it in the cookies.txt file, using Cookie Viewer might help (see Browser, Cache & Cookie Utilities section of the Links page).
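The hand edit described above (keep the three generated header lines, drop unwanted cookies, then make the file read-only) as a script. This is an added example, not part of the original page; the sample cookies, the domain names and the removed-cookies log file are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample in Netscape's cookies.txt layout: the three generated "#"
# header lines, then one cookie per line as seven tab-separated fields:
# domain, subdomain flag, path, secure flag, expiry (Unix time), name, value.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    "# http://www.netscape.com/newsref/std/cookie_spec.html\n"
    "# This is a generated file!  Do not edit.\n"
    "\n"
    ".ads.example\tTRUE\t/\tFALSE\t1293839999\tid\t8000001a2b3c\n"
    "shop.example\tFALSE\t/\tFALSE\t1293839999\tcart\tabc123\n"
    ".tracker.example\tTRUE\t/\tFALSE\t1293839999\tuid\t42\n"
)

def split_cookies(text, keep_domains):
    """Return (kept_text, removed_lines); comment and blank lines are always kept."""
    keep = {d.lower().lstrip(".") for d in keep_domains}
    kept, removed = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            kept.append(line)
            continue
        fields = line.split("\t")
        # Exact domain match only; malformed lines (not 7 fields) are dropped.
        if len(fields) == 7 and fields[0].lower().lstrip(".") in keep:
            kept.append(line)
        else:
            removed.append(line)
    return "\n".join(kept) + "\n", removed

def clean_file(path, keep_domains, log_path):
    """Filter cookies.txt in place, log what was removed, then mark it read-only."""
    if os.path.isdir(path):
        raise ValueError("cookies.txt is a directory, not a file")
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # undo read-only from an earlier run
    with open(path, encoding="latin-1") as fh:
        kept_text, removed = split_cookies(fh.read(), keep_domains)
    with open(log_path, "a", encoding="latin-1") as fh:
        fh.writelines(line + "\n" for line in removed)
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(kept_text)
    os.chmod(path, stat.S_IREAD)  # read-only attribute on Windows, mode 0400 elsewhere
    return removed

def demo():
    """Filter a temporary copy of SAMPLE twice; the second run meets a read-only file."""
    with tempfile.TemporaryDirectory() as tmp:
        cookies = os.path.join(tmp, "cookies.txt")
        log = os.path.join(tmp, "removed-cookies.txt")
        with open(cookies, "w", encoding="latin-1") as fh:
            fh.write(SAMPLE)
        removed = clean_file(cookies, ["shop.example"], log)
        removed_again = clean_file(cookies, ["shop.example"], log)
        with open(cookies, encoding="latin-1") as fh:
            remaining = fh.read()
        read_only = not (os.stat(cookies).st_mode & stat.S_IWUSR)
        os.chmod(cookies, stat.S_IREAD | stat.S_IWRITE)  # let cleanup delete it on Windows
        return removed, removed_again, remaining, read_only

if __name__ == "__main__":
    print(demo())
```

Run it only while Netscape is closed, since the browser rewrites cookies.txt on exit.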
The "Read-Only" Cookies Trick
With Netscape set to accept all cookies and the cookies.txt file made "read-only" (right-click and check the Read-Only box on the Properties tab), no cookies will be written to the cookies.txt file but sites requiring cookies will function as if they are being accepted. A variation of this is to replace the cookies.txt file with a directory named cookies.txt (directory does not have to be marked "read-only").
Caution: Cookies that can't be saved to the hard drive are kept in memory, allowing tracking over at least one session and possibly more. This is an excellent reason for using a Cookie Manager rather than this method. Occasionally clearing Netscape's memory cache should clear cookies from memory (Edit | Preferences | Advanced | Cache | Clear Memory Cache) but according to Pat C's post (below), it doesn't. Memory can be cleared by closing Messenger and all windows in Netscape (Control+Q) and then re-opening it.
The Minus Side Of "Read-Only": [The test referenced here is at privacy.net/Traced] From "Pat C": "I took a bit of time doing the test, pausing to clear memory & disk cache from time to time, and it still tracked every one of those fictitious sites that I 'visited' and then linked my 'registration' to the cookie ID."
"So even though the cookie was only in memory & wouldn't exist once Netscape was closed & relaunched, quite a reasonable profile could be built up in a long browsing session if ads weren't blocked? [...] Interestingly, that cookie persisted even though I closed Navigator and then revisited some ten minutes later - it didn't vanish until I closed Messenger too. Could well explain why I get regular emails from the likes of Real and ZDNet when I've never registered anything with them."
The Plus Side Of "Read-Only": From "PC Help": "...with a read-only cookies.txt file (or folder), and with cookies enabled, you get the best of both worlds. Sites requiring cookies let you in. Shopping carts work. And then the cookies kindly vanish when you quit Netscape. So they're back to Square One trying to ID you next time you visit, and none the wiser."
Cookie Batch File From pchelp: "cookout.bat" www.pc-help.org/files/cookout.bat
From pchelp: "Some time back, I wrote a batch script to move my Netscape cookies into a separate file, and so maintain a record of cookies and also remove them to foil tracking. Personally, I find no need whatsoever to preserve any of my cookies for actual use by the browser; yet I like to see what's been planted on my system. So this solution is ideal. I can read cookout.txt anytime and see what nefarious tags were pinned upon me."
"For quite some time now, I have had cookies disabled by the trick of creating a folder named cookies.txt in place of the file. But lately I decided to resurrect the old idea and start collecting cookies again. I rewrote the old batch file and gave it a fine new name: cookout.bat. Here it is... note that I'm using the ancient Netscape Navigator version 3.04. Users of more current versions will need to change directory names accordingly. Note also this doesn't work with IE, only Netscape."
Opera
The "Read-Only" Trick
From "tranquilo": "This same [Netscape] tip also works with Opera, versions 3.62 and 4 (I haven't tried any earlier versions). Find the file named cookies.dat or cookies4.dat. Delete it. Make a folder named cookies.dat or cookies4.dat. Now you can accept cookies without them being written to disk. To clear all cookies, close Opera, and restart Opera."
Updated: Sept 27-00