Watch out for hidden cookies

December 31, 2008 – 11:04 AM

By now, most of us are aware of the potential privacy risks posed by Web cookies. But according to a new paper published by security consultancy iSec Partners, traditional browser-based cookies aren’t the only technology used to store user data anymore. A number of browser plug-ins offer similar capabilities — and because plug-ins are nonstandard browser components, users are often unaware that these silent conversations are even taking place.

Browser cookies are invaluable for storing things like usernames and shopping cart contents between e-commerce sessions, among many other legitimate uses. But cookies can also give Web sites the ability to track your surfing habits for the purpose of data mining or other, more malicious goals. That’s why modern browsers give users fine-grained control over their cookies — we can view them, delete them, or even block them completely. These controls don’t apply to plug-ins, however, which add nonstandard features outside the customary browser UI.

The paper cites Google’s Gears as one example of a plug-in that can mimic cookies. While in general the paper gives Gears high marks for walling off users’ data from unwanted access, it also cautions that users might not fully understand how to specify what data Gears is allowed to store. Gears always asks you if you permit it to talk to a given Web site, but it will only ask once. If you later decide that you’d like to disable Gears for that site, you have to remove the site from a list via a special control panel. Your browser’s normal privacy settings have no effect on Gears’ behavior.

