From: Richard M. Smith (rmscomputerbytesman.com)
Date: Tue Jan 15 2002 - 08:59:40 CST
There is a significant privacy problem with Internet Explorer
because of a design flaw in the Windows Media Player (WMP). Using
the WMP ActiveX control, a Web site can read the unique ID number
of the Windows Media Player belonging to a Web site visitor. This
ID number can then be used just like a cookie by Web sites to
track a user's travels around the Web.
However, this ID number becomes a SuperCookie because it can be used
by Web sites to bypass all of the new privacy and P3P protections
that Microsoft has added to Internet Explorer 6 (IE6). IE6 ships
today with all Windows XP systems. SuperCookies also work in all
previous versions of Internet Explorer with all older versions of WMP.
Some of the other features of SuperCookies include:
- There appears to be no method of blocking
SuperCookies from a Web site except to uninstall WMP.
- All Web sites get the same ID number so they
can easily exchange information about a user
much like third-party cookies are used today
by ad networks and Internet marketing companies.
- Even if someone is using a cookie blocker add-in,
SuperCookies will still work.
- If a user has deleted cookies from his or her computer
to stop tracking, a Web site can restore an
old cookie value from this ID number. Once the
cookie value has been restored, new tracking data
can be combined with tracking data that was
previously collected by the Web site.
I've set up a simple demo page that shows the
This demo still works even if the WMP option "Allow
Internet sites to uniquely identify your player" is
turned off. This option only controls whether the WMP ID number
is given out to Web sites when streaming audio or video; it does
not stop programs on a Web page from getting this number through
the ActiveX control.
When the Windows Media Player is installed on a computer, a
unique ID number in the form of a GUID is assigned to the player.
This ID number is stored in the Windows registry. The WMP ActiveX
control allows a program on a Web page to retrieve the ID number
using the property "ClientID". The following HTML fragment shows how
easy it is to retrieve the ID number:
ID=WMP WIDTH=1 HEIGHT=1></OBJECT>
Once read from the control, the ID number can
be sent back to a Web site either by appending it to the URL
of a Web bug or by storing it in a regular Web browser cookie.
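The following is an added example, not code from this post or from Microsoft. It models the SuperCookie flow on both sides so it can run offline in Node: a client that appends the player ID to a Web bug URL, and a tracking server that uses the ID to re-issue a cookie the user has deleted and merge the old tracking data with the new. In IE the client would read the real GUID from the ClientID property of the OBJECT tag shown above; here SAMPLE_CLIENT_ID is a constructed stand-in, the host tracker.example is made up, and all function and class names are this example's own. It also shows why the all-zeros GUID suggested in the recommendations below breaks the linking.

```javascript
// Added example, not code from Richard Smith's post or from Microsoft.
// Models the SuperCookie flow end to end: client sends the player ID with
// a web bug, server uses the ID to resurrect a deleted tracking cookie.
// In IE the client would read document.WMP.ClientID; SAMPLE_CLIENT_ID is
// a constructed stand-in and tracker.example is a made-up host.

const ZERO_GUID = "{00000000-0000-0000-0000-000000000000}";
// Constructed sample GUID; not a real Windows Media Player ClientID.
const SAMPLE_CLIENT_ID = "{4A7B1C2D-3E4F-4061-8283-94A5B6C7D8E9}";
const WEB_BUG = "http://tracker.example/bug.gif";

// Client side: append the player ID to the web-bug URL, as the post
// describes (the alternative is writing it into an ordinary cookie).
function buildWebBugUrl(clientId, page) {
  const url = new URL(WEB_BUG);
  url.searchParams.set("wmpid", clientId);
  url.searchParams.set("page", page);
  return url.toString();
}

// Server side: a tracking server keyed both by its own cookie and by the
// player GUID, so the GUID can bring back a cookie the user deleted.
class TrackingServer {
  constructor() {
    this.cookieByGuid = new Map(); // WMP GUID -> tracking cookie value
    this.visits = new Map();       // tracking cookie value -> pages seen
    this.nextUser = 1;
  }

  // req: { url, cookies } where cookies is the browser's jar for this host.
  handle(req) {
    const params = new URL(req.url).searchParams;
    const guid = params.get("wmpid");
    const page = params.get("page");
    // An all-zeros GUID (the fix the post asks for) carries no identity.
    const linkable = Boolean(guid) && guid !== ZERO_GUID;
    let track = req.cookies.track || null;
    let restored = false;
    if (!track && linkable && this.cookieByGuid.has(guid)) {
      track = this.cookieByGuid.get(guid); // cookie gone, GUID still known
      restored = true;
    }
    if (!track) track = "u" + this.nextUser++;
    if (linkable) this.cookieByGuid.set(guid, track);
    if (!this.visits.has(track)) this.visits.set(track, []);
    this.visits.get(track).push(page);
    return { setCookie: { track }, track, restored };
  }

  historyFor(track) {
    return this.visits.get(track) || [];
  }
}

// Walk one visitor through three page loads, deleting all cookies before
// the last one, and report whether the server could link the visits anyway.
function runScenario(clientId) {
  const server = new TrackingServer();
  let jar = {}; // the browser's cookie jar for tracker.example
  const load = (page) => {
    const res = server.handle({ url: buildWebBugUrl(clientId, page), cookies: jar });
    jar = { ...jar, ...res.setCookie }; // browser stores the Set-Cookie
    return res;
  };
  const first = load("/news");
  load("/sports");
  jar = {}; // the user deletes all cookies
  const afterDelete = load("/finance");
  return {
    firstTrack: first.track,
    afterDelete,
    history: server.historyFor(afterDelete.track),
  };
}

// With a real GUID the deleted cookie comes back and all three visits are
// merged; with the all-zeros GUID the third visit starts a fresh profile.
console.log(runScenario(SAMPLE_CLIENT_ID));
console.log(runScenario(ZERO_GUID));
```

Note that nothing in the server needs the cookie to survive: the GUID alone carries the identity across the deletion, and because every site reads the same GUID, two such servers could join their cookieByGuid tables the way third-party ad networks join cookies today.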
Recommendations for Microsoft
I originally notified Microsoft of this problem in
One solution to this problem is for Microsoft to remove
the ClientID property from the WMP ActiveX control. For
backward compatibility, another option is to keep the property
around, but always have it return a GUID of all zeros for all users.
An even better idea might be to remove the WMP player
ID number altogether and have WMP instead use the standard
cookie mechanism of Internet Explorer.
Richard M. Smith