From: Richard M. Smith (rmsCOMPUTERBYTESMAN.COM)
Date: Tue Jan 15 2002 - 09:03:46 CST


    Introduction
    ------------

    There is a significant privacy problem with Internet Explorer
    because of a design flaw in the Windows Media Player (WMP). Using
    simple Javascript code on a Web page, a Web site can grab the
    unique ID number of the Windows Media Player belonging
    to a Web site visitor. This ID number can then be used just
    like a cookie by Web sites to track a user's travels around
    the Web.

    However, this ID number becomes a SuperCookie because it can be used
    by Web sites to bypass all of the new privacy and P3P protections
    that Microsoft has added to Internet Explorer 6 (IE6). IE6 ships
    today with all Windows XP systems. SuperCookies also work in all
    previous versions of Internet Explorer with all older versions of
    Windows.

    Some of the other features of SuperCookies include:

       - There appears to be no method of blocking
         SuperCookies from a Web site except to uninstall
         Windows Media Player or to turn off JavaScript.

       - All Web sites get the same ID number so they
         can easily exchange information about a user
         much like third-party cookies are used today
         by ad networks and Internet marketing companies.

       - Even if someone is using a cookie blocker add-in,
         SuperCookies will still work.

       - If a user has deleted cookies from his or her computer
         to stop tracking, a Web site can restore an
         old cookie value from this ID number. Once the
         cookie value has been restored, new tracking data
         can be combined with tracking data that was
         previously collected by the Web site.

    Demo Page
    ---------

    I've set up a simple demo page that shows the
    issue:

       http://www.computerbytesman.com/privacy/supercookiedemo.htm

    This demo still works even if the WMP option "Allow
    Internet sites to uniquely identify your player" is
    turned off. This option controls when the WMP ID number
    is given out to Web sites when downloading streaming audio
    or video files, but does not appear to stop JavaScript
    programs from getting this number.

    Technical Details
    -----------------

    When the Windows Media Player is installed on a computer, a
    unique ID number in the form of a GUID is assigned to the player.
    This ID number is stored in the Windows registry. The ActiveX
    interface to the Windows Media Player allows any JavaScript
    program to retrieve the ID number using the property "ClientID".

    The following example HTML and JavaScript code illustrates how
    easy it is to retrieve the ID number:

    <OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
    ID=WMP WIDTH=1 HEIGHT=1></OBJECT>

    <script>
    alert(document.WMP.ClientID);
    </script>

    Once the ID number is available to a JavaScript program, it can
    be sent back to a Web site either by appending it to the URL
    of a Web bug or storing it in a regular Web browser cookie.

    Recommendations for Microsoft
    -----------------------------

    I originally notified Microsoft of this problem in
    March 2001.

    One solution to this problem is for Microsoft to remove
    the ClientID property from the WMP ActiveX control. For
    compatibility with existing JavaScript code, Microsoft may have
    to keep the property around, but always have it return a
    GUID of all zeros for all users.

    An even better idea might be to remove the WMP player
    ID number altogether and have WMP instead use the standard
    cookie mechanism of Internet Explorer.

    Richard M. Smith
    http://www.computerbytesman.com
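
A defensive check for the pattern shown under Technical Details, as an added example that is not part of the original advisory: it scans a page's HTML for an OBJECT tag carrying the Windows Media Player CLSID and reports whether inline script reads ClientID through it. The function names and the two sample pages are constructed for illustration.

```javascript
// Added example (not from the advisory): static check for pages that embed the
// Windows Media Player ActiveX control and read its ClientID property.
const WMP_CLSID = '22D6F312-B0F6-11D0-94AB-0080C74C7E95'; // CLSID from the advisory

// Parse one tag's attributes into a lower-cased name -> value map.
// Handles double-quoted, single-quoted and unquoted values (e.g. ID=WMP).
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return one finding per embedded WMP control, noting whether any inline
// script reads ClientID through that control's id or name.
function findWmpClientIdReads(html) {
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi)]
    .map((m) => m[1]).join('\n');
  const findings = [];
  for (const m of html.matchAll(/<object\b[^>]*>/gi)) {
    const attrs = parseAttributes(m[0]);
    const clsid = (attrs.classid || '').replace(/^\s*clsid:/i, '').replace(/[{}\s]/g, '');
    if (clsid.toUpperCase() !== WMP_CLSID) continue;
    const name = attrs.id || attrs.name || null;
    // Matches NAME.ClientID and NAME["ClientID"]; case-insensitive so that
    // spelling variants such as "clientid" are also caught.
    const escaped = name === null ? '' : name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    const pattern = new RegExp(
      '\\b' + escaped + '\\s*(?:\\.\\s*ClientID\\b|\\[\\s*["\']ClientID["\']\\s*\\])', 'i');
    findings.push({ objectId: name, readsClientId: name !== null && pattern.test(scripts) });
  }
  return findings;
}

// Constructed sample pages; the first mirrors the snippet in the advisory.
const SAMPLE_TRACKING = `<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
ID=WMP WIDTH=1 HEIGHT=1></OBJECT>
<script>
alert(document.WMP.ClientID);
</script>`;
const SAMPLE_PLAYER_ONLY = `<object classid='CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95' id="player"></object>
<script>player.Play();</script>`;

console.log(findWmpClientIdReads(SAMPLE_TRACKING));    // control embedded, ClientID read
console.log(findWmpClientIdReads(SAMPLE_PLAYER_ONLY)); // control embedded, no ClientID read
```

This is a static heuristic: a read made through some other reference to the control, such as a variable assigned from it, is not detected.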
