How can cookies be misused
Websites use HTTP cookies to streamline your web experiences, making cookies an important part of the internet experience. While this is mostly for your benefit, web developers get a lot out of this set-up as well. In turn, websites can personalize while saving money on server maintenance and storage costs. With a few variations, cookies in the cyber world come in two types: session and persistent. Session cookies are used only while navigating a website.
They are stored in random access memory and are never written to the hard drive. When the session ends, session cookies are automatically deleted. They also help the "back" button or third-party anonymizer plugins work. These plugins are designed to work with specific browsers and help maintain user privacy. Persistent cookies remain on a computer indefinitely, although many include an expiration date and are automatically removed when that date is reached.
Since the data in cookies doesn't change, cookies themselves aren't harmful. They can't infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions.
The danger lies in their ability to track individuals' browsing histories. Some cookies may pack more of a threat than others depending on where they come from. First-party cookies are directly created by the website you are using. These are generally safer, as long as you are browsing reputable websites or ones that have not been compromised.
Third-party cookies are more troubling. They are generated by websites that are different from the web pages users are currently surfing, usually because they're linked to ads on that page. Visiting a site with 10 ads may generate 10 cookies, even if users never click on those ads. Third-party cookies let advertisers or analytics companies track an individual's browsing history across the web on any sites that contain their ads. Consequently, the advertiser could determine that a user first searched for running apparel at a specific outdoor store before checking a particular sporting goods site and then a certain online sportswear boutique.
Zombie cookies are from a third party and permanently installed on users' computers, even when they opt not to install cookies. They also reappear after they've been deleted. When zombie cookies first appeared, they were created from data stored in the Adobe Flash storage bin. Like other third-party cookies, zombie cookies can be used by web analytics companies to track unique individuals' browsing histories.
In order to carry out a cross-site scripting exploit, an attacker has to place the exploit in a cookie. Then the exploit vector will fetch the payload from the cookie and the exploitation is carried out. This type of attack will become difficult if the cookie has already been set; in this case, the attacker has to control the first cookie in the cookie string and only then can the attack be carried out.
Cookie tossing is one of the major types of attack on cookies and can be explained as follows. The next time the user browses the same site, the cookie is sent to the web server. So if an attacker crafts a subdomain cookie and sends it along with a legitimate cookie, the web server accepts both cookies. There is no rule in the browser to send the domain cookie first and hence it may choose the subdomain cookie and send it first.
And if the malicious subdomain cookie is the first one received by the web server, it will take it as a valid one, and that cookie value will provide the session for the user. The web server cannot validate which is the legitimate cookie, because the cookie attributes, such as the Domain, Path, Secure and HttpOnly attributes, are not sent to it.
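As an added example (not part of the original page), the Python code below shows what the server sees in this situation: a `Cookie` header carrying the same name twice, with no attributes to tell the values apart. It refuses the ambiguous session instead of trusting the first value; the cookie name `session` and the sample headers are constructed for illustration.

```python
from collections import defaultdict

SESSION_COOKIE = "session"  # assumed name of the application's session cookie


def parse_cookie_header(header):
    """Return {name: [values...]}, keeping every occurrence in arrival order.

    The Cookie request header carries only name=value pairs; Domain, Path,
    Secure and HttpOnly are never sent, so a repeated name is the only
    visible sign that cookies with different scopes matched this request.
    """
    cookies = defaultdict(list)
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue
        name, value = pair.split("=", 1)
        cookies[name.strip()].append(value.strip())
    return dict(cookies)


def naive_first_wins(header, name=SESSION_COOKIE):
    """A parser that keeps only the first match, as the text describes."""
    values = parse_cookie_header(header).get(name, [])
    return values[0] if values else None


def resolve_session(header, name=SESSION_COOKIE):
    """Return (value, status); never pick a winner when the name repeats."""
    values = parse_cookie_header(header).get(name, [])
    if not values:
        return None, "missing"
    if len(values) > 1:
        # First-wins or last-wins would let cookie ordering decide the session.
        return None, "ambiguous"
    return values[0], "ok"


# Constructed sample headers (not captured traffic).
CLEAN = "theme=dark; session=legit-7f3a"
TOSSED = "session=planted-0000; theme=dark; session=legit-7f3a"

if __name__ == "__main__":
    for label, hdr in (("clean", CLEAN), ("tossed", TOSSED)):
        print(label, naive_first_wins(hdr), resolve_session(hdr))
```

A request flagged `ambiguous` is best handled by expiring the session cookie and forcing re-authentication, and the event is worth logging as a detection signal.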
In this type of attack, a parent domain cookie can be replaced by a subdomain cookie by using a Jscript in the subdomain. It simply stores the cookies that are given to it. The replaced subdomain cookies will not be of HttpOnly or Secure type. Now, after storing the subdomain cookie, an attacker can change the expiry date of the cookie and the entire cookie will be useless.
Now the attacker can craft a new malicious cookie and forward it to the web server. And there is no method by which a web server can detect whether the cookie is in the Secure or HttpOnly category. Thus an attack can be carried out by fabricated cookies. Cookies can also be viewed from the DOS command line or by using Notepad, but the cookie is very likely to become corrupted if not saved in DOS text format.
It is difficult to decipher the contents of a cookie and it is safer not to edit the cookie. Also, a cookie can be deleted without any problem. Almost all web browsers provide options to delete the cookies and it can also be done manually by navigating to the cookie folder. When cookies are deleted, the user preferences and session information are deleted and the user appears as new to the web server.
Criticism from privacy activists forced YouTube to change the privacy rules and the site now boasts that they are not tracking visitors who are not playing videos. Cookies were accompanied by a lot of misconceptions and delusions from their debut on the Internet and those still exist.
Cookies were known as tracking tools only for the purpose of advertising. They were also thought to be used for spamming purposes and for junk emails and pop-ups. They can share data across domains without our knowledge or permission. Cookie preferences can be ignored.
Adobe Flash Cookies can be used as a Trojan to reinstate removed cookies that the user has flushed. New York Times highlighted concerns. In the United States there have been at least five class-action lawsuits against media companies.
In certain countries, it is illegal to track users without their knowledge and consent. I am working on pulling together a list of tools that will help you control your cookies. Please come back in a few weeks to see what I have found. Antivirus software that also removes Super Cookies Websites you can visit to help control the use of Super Cookies e.
CCleaner for PC and Flush. Internet Cookies that rise from the dead. Zombie cookies come back to life after you kill or delete them. UC Berkeley first identified the Zombie Cookie when they noticed that after deleting cookies the cookies kept coming back over and over again.
No amount of deleting them would kill them. Many people have absolutely no idea what a zombie cookie is, or that they even exist. Until a massive lawsuit in , which targeted some of the biggest names on the web. What you think happens: You visit a website, They plant browser Cookies. You visit the website again, and they retrieve those cookies. You block or delete regular cookies. You visit the website again, they check for regular cookies — No luck? Zombie Cookies are there. Marketing Research or Tracking personal browsing habits.
Different types of browser can store and share your information. Deleting cookies would not prevent websites from controlling your interaction with them. This means almost everyone is exposed to Zombie Cookies.
Some people feel that if you delete or block a cookie, it should stay deleted. Regular deletion of cookies will not affect Zombie Cookies. Some people consider sites that use them to be breaching their privacy. Clearspring and affiliated sites owned by Walt Disney Internet Group, Warner Bros and others had a huge lawsuit filed against them.
Adobe Flash cookies were the focus. Before: You had to uninstall Adobe Flash, and re-install it. If you use Firefox you can get rid of Flash cookies, including zombie cookies, by using the BetterPrivacy add-on. This is an example of a VERY persistent cookie file.
A cross between the Super and Zombie cookie types. Ad agencies, Big Brands and organizations everywhere need to prepare for what is being earmarked as the greatest overhaul to privacy regulation in years according to PageFair's Dr Jonny Ryan. New European regulations will come into force around May They will impact how individuals' data can be distributed and shared.
Since cookies were first used to track users around the internet, there has been an assumption that trading users' personal data was acceptable. This mindset will … A privacy lawsuit filed by parents was overturned when the 3rd U. The internet cookies collected information which was then used to produce focused adverts.
The Federal Judges confirmed that the tech giants had the right to track online activity of children who visited their websites. Jay … There have been suggestions mounting that travel agencies and airline websites have been using internet cookies to control the price of airfares. This may sound innocent as many web sites use internet cookies to monitor and control prices. What if they were increasing the prices at the point where they felt the customer was about to commit to a purchase?
Internet Cookies are confusing! Confused about Cookies? Let me Explain: I will tell you what these strange little internet cookies are and present you with some stories about where they got their name. Ever heard of a Zombie Cookie. It comes back from the dead. I will tell you how later! So what are Cookies? So what are they? Why does my Browser create Cookies? What do websites do with this information? What do they do with them? Should I worry about Cookies on my device?
Cookies! Oatmeal raisin are one of my particular favorite flavors. You might be asking: Why do websites use cookies anyway? Is it Bad to Delete Cookies? If in the wrong hands, sure!