Letting the Cookie Crumble: How Misuse of Browser Cookies Can Affect Data Privacy
Introduction
You may know browser cookies in terms of those annoying pop-up features on websites, prompting users to accept cookies. Most people will click “accept” just to get rid of the prompt and continue with their browsing session. No harm, no foul, right? Well, the truth is that while cookies have become essential to Internet browsing, they can be misused to exploit user privacy. Cybercriminals have used cookies to spy on user activity and inject viruses into websites.
What Exactly Are Browser Cookies?
Unfortunately, Internet cookies have nothing to do with baked goods. Browser cookies (also known as HTTP cookies, Internet cookies, or web cookies) are small bits of data used by the network to identify a particular device. Specifically, cookies stored on a web browser can be used to identify specific users and enhance their browsing activities.
The process of creating and storing cookies can be summarized in the following 3 steps:
When users visit a particular website, their device will store user data as a cookie and assign the information a unique ID known as a “name value” pair.
After users accept cookies on that site, the web server sends the cookie to the browser, which stores the identifying “name value” pair.
Finally, when users return to that specific website, the browser will send the data back to the web server in order to retrieve the data from previous web sessions.
This process is what allows browser cookies to personalize and store information. Websites primarily use cookies for targeted advertising. However, this stored data can also be immensely helpful to users, allowing sites to save login information so users do not have to enter their passwords each time.
Net Neutrality
In July 2021, US President Joe Biden signed an executive order which implemented new antitrust regulations. Included among the order’s 72 actions and recommendations was an effort to restore net neutrality rules in the national tech sector. Net neutrality is based on the principle that all Internet service providers (ISPs) should treat all data equally. The underlying purpose of net neutrality is to deter ISPs from favoring or prioritizing certain network data that is delivered to customers.
Cookies can serve as a legitimate way for ISPs to circumvent net neutrality restrictions and tailor web content for users. In other words, cookies allow ISPs to obtain consent from users to customize and personalize web content without necessarily violating net neutrality regulations. This trust relationship between users, applications, and ISPs is initiated through the acceptance or denial of cookies. Ideally, this mutual trust through the use of cookies would be initiated entirely by the user. However, the unfortunate reality is that criminals have begun to use browser cookies as a means of exploiting user vulnerabilities.
Criminal Misuse & Privacy Violations
Because cookies store user data and browsing history, there is potential for cybercriminals to compromise this information. Attackers can steal a user’s cookies and authenticate to a web session. Websites that utilize unencrypted HTTP for web communication are particularly vulnerable to these types of attacks. Here are some examples of the ways cookies can be used to exploit user privacy:
Man-in-the-middle attack (MITM): MITM attacks are a form of eavesdropping in which attackers can read unencrypted cookie data and other information transmitted over the Internet. This intercepted information can then be used for fraudulent actions, such as identity theft.
DNS cache poisoning: This involves deceiving a domain name service (DNS) server into storing a false DNS entry. DNS servers stores public IP addresses (e.g., 8.8.8.8) and their corresponding hostnames (e.g., www.google.com) in order to direct web browsers in finding specific websites. Infecting the DNS cache information could allow attackers to redirect users to a malicious site, allowing for the theft of cookie data from the target’s web browser.
Cross-site request forgery (XSRF): This is a type of exploit in which an attacker can use user authentication data stored in cookies to request or make changes to a website. For example, the malicious actor could use credentials stored in cookies to sign onto a user’s banking profile and authorize fund transfers.
Third-party cookies: Many browser cookies are first-party, meaning that they were created by the specific website being accessed and are therefore, relatively safe. On the other hand, third-party cookies are created by third-party websites, which are distinct from the web page being visited. This can constitute a significant privacy concern when these third-party cookies allow advertisers to track a user’s browsing history on any websites showing their ads.
How to Protect Your Own Privacy
So how can users protect their data without sacrificing browser session efficiency? While removing cookies in browser settings is always an option, this could complicate the accessibility of certain websites. For instance, without cookies, you would have to manually enter your Netflix password every time and Amazon would not be able to store items in your shopping cart across multiple browsing sessions.
In order to achieve a browsing experience that is safe yet a little more convenient, consider adhering to the following practices:
Always employ encryption while browsing the Internet. As noted previously, most attacks which exploit cookie data occur over unencrypted HTTP sessions. An effective mitigation measure for these attacks will be to utilize SSL/TLS encryption (HTTPS), which will always be indicated via an “https” at the beginning of a URL or a lock symbol in the upper corner of the browser. As an alternative option, using a VPN or Google Chrome’s Incognito mode will not store cookie data directly on a user’s local device.
Clean up your cookies frequently. For the users who choose to employ cookies on their browsers, it is recommended to clear cookies on a regular basis. Cookie data can gradually build up in a system and cause formatting or bug issues on websites. Clearing cookies in your web browser can address these issues and ensure that only a manageable amount of data is stored at any given time.
Exercise caution when accepting cookies on a site. Thanks to those aforementioned annoying pop-ups that prompt users to accept or reject cookies, it is possible to allow certain sites to access your data while denying other sites the same access.
Never store cookie data while accessing a public device. When browsing the Internet on any device other than your personal one, it is unsafe to save data (such as usernames and passwords) on browsers. Before ending a session on a public device, ensure that all browser cookies have been cleared and that any accounts you signed into are no longer saved.
Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-0522. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.'©2022 The MITRE Corporation. ALL RIGHTS RESERVED.