From: Jelmer (jelmer_at_kuperus.xs4all.nl)
Date: Sat Aug 03 2002 - 20:43:14 CDT

    Bypassing cookie restrictions in IE 5+6

    Description

    A cookie is a small bit of information that a web site stores on your
    computer. When you revisit the web site, your browser sends the information
    back to the site. Usually a cookie is designed to remember and tell a web
    site some useful information about you. For example, an online bookstore
    might use a cookie to record the authors and titles of books you have
    ordered. When you return to the online bookstore, your browser lets the
    bookstore's site read the cookie. The site might then compile a list of
    books by the same authors, or books on related topics, and show you that
    list.
    This activity is invisible to you. Unless you have set your preferences so
    that you will be alerted when a cookie is being stored on your computer, you
    won't know about it. When you return to a web site, you won't know that a
    cookie is being read. From your point of view, in the example above, you'd
    simply visit the online bookstore, and a list of books that might be of
    interest to you would magically appear.
    Cookies are usually harmless. They can't be used to gather information about
    you (unless you provide it). But some services do use cookies to create a
    profile of your interests based on the sites you visit and the things you do
    there. Advertisers on participating sites can then tailor online advertising
    to your interests and buying habits.
    Out of privacy concerns some people choose to disable cookies altogether
    or prefer to have closer control over what sites are allowed to store
    cookies.
    Only recently Microsoft added some advanced cookie filtering to Internet
    Explorer 6.

    Through use of the userData behaviour these privacy settings can be
    circumvented.
    The following was taken from Microsoft's site:

    <snip>
    The userData behavior persists information across sessions by writing to a
    UserData store.
    This provides a data structure that is more dynamic and has a greater
    capacity than cookies.
    </snip>

    This behaviour completely ignores the privacy settings and allows website
    owners and advertisers to start tracking your every move once again.

    Systems affected

    Internet Explorer 5
    Internet Explorer 5.5
    Internet Explorer 6

    Demonstration

    First disable cookies (on IE6 at least, this is the way to do it) by going
    to Tools > Privacy, then set it to block all.

    Go to http://www.xs4all.nl/~jkuperus/cookies.htm for an example, enter a
    value and press save.

    Close the browser, reopen the page and press load; the value is preserved.

    Vendor status:

    I will send Microsoft a cc of this email.

    Workaround:

    Disable active scripting.

    References

    http://msdn.microsoft.com/library/default.asp?url=/workshop/author/behaviors/reference/behaviors/userData.asp?frame=true

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q283185&
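
An added example, not part of the original post: a small audit function that flags page source attaching the userData behaviour, so that sites persisting data outside the cookie privacy settings can be spotted in saved pages or proxy captures. The sample markup and the store name `visitorStore` are constructed for illustration.

```javascript
// Added example: detect use of IE's userData persistence in page source.
// The behaviour is attached either through CSS/inline style or from script;
// data is then written and read with save(storeName) / load(storeName).
const ATTACHMENTS = [
  // CSS or inline style: behavior:url(#default#userData)
  { name: "css-behavior",
    re: /behavior\s*:\s*url\(\s*['"]?#default#userData['"]?\s*\)/i },
  // Script: element.addBehavior("#default#userData")
  { name: "addBehavior",
    re: /addBehavior\s*\(\s*['"]#default#userData['"]\s*\)/i },
];

// save("name") / load("name") calls; only meaningful once attached.
const STORE_CALLS = /\.(save|load)\s*\(\s*['"]([^'"]+)['"]\s*\)/gi;

function findUserDataUse(html) {
  const attached = ATTACHMENTS.filter(a => a.re.test(html)).map(a => a.name);
  const stores = new Set();
  if (attached.length > 0) {
    for (const m of html.matchAll(STORE_CALLS)) stores.add(m[2]);
  }
  return {
    usesUserData: attached.length > 0,
    attached,                      // how the behaviour was attached
    stores: [...stores].sort(),    // named UserData stores referenced
  };
}

// Constructed sample: a page that persists a value without cookies.
const SAMPLE_PERSISTING = `
<style>.persist { behavior: url(#default#userData); }</style>
<input class="persist" id="o"><input id="f">
<script>
function s(){ o.setAttribute("v", f.value); o.save("visitorStore"); }
function l(){ o.load("visitorStore"); f.value = o.getAttribute("v"); }
</script>`;

// Constructed sample: a load() call with no userData behaviour attached.
const SAMPLE_PLAIN = `<form><input name="q"></form>
<script>doc.load("x")</script>`;

console.log(findUserDataUse(SAMPLE_PERSISTING));
console.log(findUserDataUse(SAMPLE_PLAIN));
```

Matching on the attachment first keeps unrelated `save()` and `load()` calls from being reported as UserData stores.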