What Are Supercookies, Zombie Cookies, and Evercookies, and Are They a Threat?

Having a nosy neighbor find your secret recipe used to be the biggest privacy issue surrounding cookies, but that’s changed thanks to the Internet. While normal browser cookies are often helpful and easy to clear, there are other variants that are built to stick around and keep tabs on you. Two of these types, supercookies and zombie cookies (often known as “Evercookies”), can be particularly difficult to get rid of. Luckily, they haven’t gone unnoticed, and browsers are evolving to combat these sneakier tracking techniques.

Supercookies

This term can get a little confusing since it’s been used to describe several different technologies, only some of which are actually cookies. In general, though, it refers to anything that changes your browsing profile in order to give you a unique ID. In this way they serve the same function as cookies, allowing sites and advertisers to track you, but unlike cookies, they can’t really be deleted.

You’ll most often hear the term “supercookie” used in reference to Unique Identifier Headers (UIDH) and as a vulnerability in HTTP Strict Transport Security, or HSTS, though the original term refers to cookies that originate from top-level domains. This means that a cookie could be set for a domain like “.com” or “.co.uk,” allowing any website with that domain suffix to see it.

If Google.com sets a supercookie, that cookie would be visble to any other “.com” website. This is a clear privacy issue, but since it’s otherwise a conventional cookie, pretty much all modern browsers block them by default. Since no one talks much about this kind of supercookie anymore, you’ll generally hear more about the other two.

Unique Identifier Header (UIDH)

A Unique Identifier Header isn’t on your computer at all – it takes place between your ISP and a website’s servers. Here’s how:

1. You send a request for a website to your ISP.
2. Before your ISP forwards the request to the server, it adds a unique identifier string to the header of your request.
3. This string allows sites to identify you as the same user whenever you visit, even if you’ve deleted their cookies. Once they know who you are, they can just put the same cookies straight back into your browser.

In simple terms, if an ISP is using UIDH tracking, it’s sending your personal signature to every website you visit (or the ones who have paid the ISP for it).  It’s mostly useful for optimizing ad revenue, but it’s invasive enough that the FCC fined Verizon 1.35 million USD for not informing their customers of it or giving them an option to opt out.

Aside from Verizon, there’s not much data on which companies are using UIDH information, but consumer backlash has made it a fairly unpopular strategy. Even better, it only works over unencrypted HTTP connections, and since most websites now use HTTPS by default and you can easily download extensions like HTTPS Everywhere, this supercookie isn’t actually much of a problem anymore and probably isn’t being widely used. If you want extra protection, use a VPN. This guarantees that your request will be relayed to the website without your UIDH attached.

HTTPS Strict Transfer Security (HSTS)

This is a rare type of supercookie that hasn’t been specifically identified on any particular site, but apparently it was being exploited, since Apple patched Safari against it, citing confirmed instances of the attack.

HSTS is actually a good thing. It lets your browser safely redirect to the HTTPS version of a site rather than the insecure HTTP version. Unfortunately, it can also be used to create a supercookie with the following recipe:

1. Create a lot of subdomains (like “domain.com,” “subdomain2.domain.com,” etc.).
2. Assign each visitor to your main page a random number.
3. Force users to load all your subdomains by either adding them in invisible pixels on a page or redirecting the user through each subdomain while loading the page.
4. For some subdomain, tell the user’s browser to use HSTS to switch to the secure version. For others, leave the domain as unsecured HTTP.
5. If a subdomain’s HSTS policy is turned on, it counts as a “1.” If it’s off, it counts as a “0.” Using this strategy, the site can write the user’s random ID number in binary in the browser’s HSTS settings.
6. Every time the visitor returns, the site will check the HSTS policies of a user’s browser, which will return the same binary number that was originally generated, identifying the user.

It sounds complex, but what it boils down to is that websites can get your browser to generate and remember security settings for multiple pages, and the next time you visit, it can tell who you are because no one else has that exact combination of settings.

Apple has already come up with solutions to this problem, like only allowing HSTS settings to be set for one or two main domain names per site and limiting the number of chained redirects that sites are allowed to use. Other browsers are likely to follow these security measures (Firefox incognito mode seems to help), but since there aren’t any confirmed cases of this happening, it’s not a top priority for most. You can take matters into your own hands by digging into some settings and manually clearing HSTS policies, but that’s about it.

Zombie cookies/Evercookies

Zombie cookies are exactly what they sound like – cookies that come back to life after you thought they were gone. You may have seen them referred to as “Evercookies,” which are unfortunately not the cookie equivalent of a Wonka everlasting gobstopper. “Evercookie” is actually a JavaScript API created to illustrate how many different ways cookies could get around your deletion efforts.

Zombie cookies don’t get cleared because they’re hiding outside of your regular cookie storage. Local storage is a prime target (Adobe Flash and Microsoft Silverlight use this a lot), and some HTML5 storage can also be an issue. The living dead cookies can even be in your web history or in RGB color codes that your browser allows into its cache. All a website has to do is find one of the hidden cookies and it can resurrect the others.

Many of these security holes are disappearing, though. Flash and Silverlight aren’t a big part of modern web design, and many browsers aren’t especially vulnerable to other Evercookie hiding places anymore. Since there are so many different ways that these cookies can weasel their way into your system, though, there is no single way to protect yourself. A decent suite of privacy extensions and good browser-clearing habits are never a bad idea, however!

Wait, are we safe or not?

Online tracking technology is a constant race to the top, so if privacy is something that concerns you, you should probably just get used to the idea that we’re never guaranteed 100% anonymity online.

You probably don’t need to worry too much about supercookies, though, since they’re not seen in the wild very often and are increasingly being blocked. On the other hand, zombie cookies/Evercookies are harder to get rid of. Many of their more well-known avenues have been shut down, but they can still potentially work until every single vulnerability is patched, and they can always come up with new techniques.