Wednesday, March 5, 2008

Cookies A Threat To Your Privacy

Do you wonder what a cookie is all about and how it threatens your privacy? Let's take a deeper look.

A cookie is a small string of text that a website sends to your web browser; the browser stores it on your hard disk and sends it back on later requests so that the website can remember who you are.


Figure 1.0 shows how the web browser requests a web page from the server and how the cookie is carried in that exchange.

A cookie by itself is just a piece of data, not program code. It cannot harm the user's computer and cannot act as a virus or worm. Cookies exist to let a server store and retrieve state information across requests. However, this small text file can be rich in information: it may include your IP address, user name, email address, password, preferred language, shopping cart items and any other string that can be linked to your identity.

==========
Privacy Issue
==========
There is a privacy issue when a cookie is stored on the user's computer without his or her knowledge or consent, and this includes cookies set by affiliates or other third parties.
Figure 2.0 shows how a third-party ad server tracks users' browsing habits and preferences in order to deliver personalized advertisements.

This privacy issue has been addressed through legislation in different jurisdictions such as Europe and the US. Their position is to allow cookies provided that a privacy policy informs users that the website serves cookies, how they are served, how they are used, and how users can accept or refuse them.

Here are two good examples of privacy policy statements:

http://www.bbc.co.uk/privacy/
http://www.doleta.gov/privacy.cfm

This privacy issue is also discussed in RFC 2965, HTTP State Management Mechanism, section 6:

6. PRIVACY

Informed consent should guide the design of systems that use cookies. A user should be able to find out how a web site plans to use information in a cookie and should be able to choose whether or not those policies are acceptable. Both the user agent and the origin server must assist informed consent.

So what does this mean? It means that a website that serves cookies without informed consent violates its users' privacy.

==============
Security & Privacy
==============

CLEAR TEXT

The cookie header and its contents are plain, readable text. Any sensitive or identifying information in them is exposed to threats, whether that is malware, a packet sniffer, a cookie hijacker or simply another user of the same PC.

Check your cookies and see how much personal information is stored in them.


Here's how to check:

Safari Users
- Go to Preferences and click Show Cookies.

Mozilla Firefox Users
- Go to Tools, Options and Show Cookies.

IE Users
- Go to Tools, Internet Options, General tab
- In Browsing History click Settings, View Files.

PERSISTENT

Persistent cookies do not expire soon enough, even after the user has ended the session. Thus the website can build up information and profile your browsing activity and preferences over time.
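As an added example (not code from the original post), the following Python script shows both legs of the exchange in Figure 1.0 and the attributes behind the CLEAR TEXT and PERSISTENT concerns: the server builds a Set-Cookie header (session or persistent, with or without the Secure and HttpOnly flags), parses the Cookie header the browser returns, and audits a received Set-Cookie header for the weaknesses described above. The cookie names, values and the one-day persistence threshold are constructed for the demonstration.

```python
import http.cookies


def build_set_cookie(name, value, persistent_days=None, secure=True, httponly=True):
    """Server side: build the Set-Cookie header value sent to the browser.
    persistent_days=None gives a session cookie that is discarded when the
    browser closes; a number makes it persistent via Max-Age.  Secure keeps
    it off clear-text HTTP; HttpOnly keeps it out of reach of page scripts
    such as an injected cookie stealer."""
    jar = http.cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    if persistent_days is not None:
        morsel["max-age"] = persistent_days * 24 * 3600
    if secure:
        morsel["secure"] = True
    if httponly:
        morsel["httponly"] = True
    return morsel.OutputString()


def parse_cookie_header(header):
    """Server side: read back what the browser sends in its Cookie header
    (the return leg of the exchange in Figure 1.0)."""
    jar = http.cookies.SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def audit_set_cookie(header):
    """Check a Set-Cookie header as the browser received it and report the
    weaknesses discussed above; returns a list of findings (empty = clean)."""
    jar = http.cookies.SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, sent in clear text over HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable by injected scripts")
        if morsel["max-age"] and int(morsel["max-age"]) > 24 * 3600:
            days = int(morsel["max-age"]) // (24 * 3600)
            findings.append(f"{name}: persistent for {days} days after the session ends")
    return findings


if __name__ == "__main__":
    # Constructed sample exchange: a hardened session cookie is issued, the
    # browser returns it next to an older preference cookie, and a weak
    # Set-Cookie header is audited.
    print(build_set_cookie("sid", "abc123"))
    print(parse_cookie_header("sid=abc123; lang=en"))
    print(audit_set_cookie("lang=en; Max-Age=2592000; Path=/"))
```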


COOKIE POISONING

Cookie poisoning simply means making unauthorized modifications to the values stored inside a cookie. This is easy to do with tools and information freely available on the internet. Most websites store persistent, non-secure cookies; some secure them, but there are still websites that employ poor encryption that can be easily decoded.

A classic example is tampering with a shopping cart cookie to change the order total into a huge discount.
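As an added example (not code from the original post), here is the shopping cart case from the defender's side in Python: a handler that trusts the total stored in the cookie, next to one that only accepts the value if an HMAC tag issued by the server is still intact, so a poisoned total is rejected. The secret key and the cookie values are constructed for the demonstration; note that the tag gives integrity only, the value itself is still clear text, so the sounder design is to keep the cart on the server and put only an opaque session id in the cookie.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real server keeps this secret and out of the cookie.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def sign_cookie_value(value, key=SERVER_KEY):
    """Return value + '.' + urlsafe-base64(HMAC-SHA256(key, value)).
    The browser stores the whole string; only the server can recompute the tag."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def verify_cookie_value(signed, key=SERVER_KEY):
    """Return the original value if the tag checks out, else None
    (poisoned, unsigned or malformed cookie)."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    expected = sign_cookie_value(value, key)
    # Constant-time comparison so timing does not reveal how much of the tag matched.
    return value if hmac.compare_digest(expected, signed) else None


def checkout_total_vulnerable(cookie_value):
    """The poisoning case above: whatever the cookie says becomes the total."""
    return float(cookie_value)


def checkout_total_hardened(cookie_value):
    """Accepts the total only if the server-issued tag is intact."""
    value = verify_cookie_value(cookie_value)
    if value is None:
        raise ValueError("cart cookie tampered or unsigned; recompute the cart server-side")
    return float(value)


if __name__ == "__main__":
    issued = sign_cookie_value("199.99")        # what the server sets
    poisoned = "0.01." + issued.rsplit(".", 1)[1]  # the tampered copy sent back
    print("vulnerable:", checkout_total_vulnerable("0.01"))
    print("hardened, genuine:", checkout_total_hardened(issued))
    try:
        checkout_total_hardened(poisoned)
    except ValueError as err:
        print("hardened, poisoned:", err)
```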


THREATS

Worms - Mass-mailing worms such as NetSky and Lohack can search all .TXT files for email addresses to harvest, and that includes users' cookie files.

Trojans - Banking-related trojans are usually capable of stealing users' cookies.

Backdoors - There are backdoors that steal cookies associated with eBay, PayPal and banks.

Exploits - These usually take the form of a cross-site scripting exploit, where a malicious user injects code into a legitimate but vulnerable website, so that all visitors of that website are redirected to a page where a cookie-stealer script awaits.

A malicious user can then use the stolen cookies to impersonate the victim or steal his or her identity online.

Phishers - URLs spammed through emails, blogs, instant messengers and forums may also lead to malicious cookie-stealer sites.

=======
Summary
=======

A cookie is just a small piece of information, but if it contains your identity it is something you should care about. Information theft usually happens in the background, that is, without your knowledge. Cookies are harmless by themselves, but the threats that surround them are out there in the wild. Malicious and exploited sites are everywhere, and your cookies are always at risk.

For safety, every time you enter information online, whether you are checking your email, doing online banking or shopping, you should check your cookies and delete them together with your browsing history. There are tools available online that can help you perform this task as well.

Get informed and stay safe!