Advertisers Evade Do Not Track With Supercookies

Published: 22/11/2024   Category: security




Many popular sites use JavaScript and Flash font probes to track users and their browsing habits across multiple devices, researchers say.



How many websites today are using latest-generation supercookies to secretly track a person's browsing habits across different websites, and even when they use different devices?
According to a new report, "FPDetective: Dusting the Web for Fingerprinters," from privacy researchers in Belgium and the United States, at least 404 of the world's 1 million most popular websites are using a never-before-seen tracking technology that fingers devices while evading detection. The researchers are due to present their paper at next month's 20th ACM Conference on Computer and Communications Security in Berlin.
Fingerprinting refers to creating a unique signature for a browser -- whether on a PC or mobile device -- that allows a tracking firm to watch which sites a user visits, no matter which device they're using. Fingerprinting user devices through the browser is an increasingly common practice used by advertising and anti-fraud companies, according to the researchers.
But it's a practice that may exist in a legal gray area. Stateless user tracking allows advertising companies to sidestep the limitations imposed by regulation on cookies in Europe and the United States, according to the researchers. Moreover, with the advent of smartphones and tablets, fingerprinting allows advertisers to augment previously gathered user data and track the user across devices.
The researchers said their discovery of 16 new fingerprinting scripts and Flash objects, as well as counts of the sites using the technology, demonstrates that fingerprinting is much more prevalent than previous studies estimated. Furthermore, while the total number of sites -- just 404 -- on which they found the JavaScript tracking technology might seem small, they cautioned that their Web crawling targeted only homepages, and couldn't penetrate paywalls or any site with a Turing test.
The JavaScript-based fingerprinting technology is being sold or distributed by tracking firm BlueCava, Bitcoin digital wallet provider CoinBase, geolocation and online fraud prevention firm MaxMind, and consumer tracking provider Mindshare Technology, among other companies. Some of those fingerprint scripts appeared to actively try to evade detection by deleting themselves as soon as they'd run and relayed a fingerprint to a third-party server.
BlueCava's font-probing JavaScript code was the most prevalent such script detected by the researchers, and ran on the homepages of 250 sites that are included in the Alexa index of the 1 million most popular websites. "[BlueCava's] is the only one of the discovered font-probing scripts that queries different sets of fonts based on the device's operating system: 231 fonts for Microsoft Windows, 167 for Mac OS and 62 for other operating systems," said the researchers.
The researchers also looked for Flash-based fingerprinting technology, although only on the world's 10,000 most popular websites as ranked by Alexa, and detected the technology in use on 95 of those sites.
Cookie-free tracking technologies -- often referred to as supercookies -- are typically designed to avoid detection as well as users' attempts to block the technology. Likewise, the technology historically hasn't ever been deterred by the presence of an active do not track flag in a user's browser. Many privacy advocates have long held that the only way to stop the cookies will be through legislation that requires websites to disclose the tracking technology they're using, as well as to respect people's DNT preferences.
Might an anonymizing browser, such as Tor, help block the latest generation of supercookies? While that would theoretically help a user defeat the tracking mechanisms, in fact Tor doesn't restrict the browser's ability to call system fonts, meaning Tor users' devices can still be fingerprinted using the font-probing techniques. But the researchers said they've alerted Tor to the vulnerability, and that it's been fixed in the forthcoming source code and version 2.4 of the Tor browser bundle.
Going forward, the researchers said they plan to release the source code for the tool they developed to crawl the Web in search of fingerprinting technology, which they dubbed FPDetective. They built it using modified versions of the PhantomJS headless Webkit browser, as well as the Chrome browser. FPDetective includes the ability to relay Flash files through an SSL-capable intercepting proxy, which allowed the researchers to capture, decompile and analyze the font-probing Flash files using third-party tools.
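
The behaviours reported above (a script cycling through dozens of font families, relaying the result to a third-party server, then deleting itself) can be checked for in the event log of an instrumented crawler. The JavaScript below is an added example, not code from FPDetective or the researchers; the event schema, the 30-font threshold, the hostnames and the function names are assumptions, and the sample log is constructed.

```javascript
// Added example. The event schema, field names and threshold are assumptions
// made for illustration; they are not FPDetective's real log format.
const FONT_THRESHOLD = 30; // assumed: distinct families before we call it probing

// Constructed sample log for one page visit (not captured from a real site).
function sampleEvents() {
  const fp = "https://tracker.example/fp.js";
  const ui = "https://shop.example/ui.js";
  const events = [];
  for (let i = 0; i < 62; i++) { // one candidate font per iteration
    events.push({ script: fp, type: "font-set", family: `Probe Font ${i}` });
    events.push({ script: fp, type: "measure", prop: "offsetWidth" });
  }
  events.push({ script: fp, type: "request", url: "https://collect.tracker.example/f" });
  events.push({ script: fp, type: "script-removed" });
  for (let i = 0; i < 100; i++) { // ordinary layout code reusing one font, two spellings
    events.push({ script: ui, type: "font-set", family: i % 2 ? "Arial" : "ARIAL " });
    events.push({ script: ui, type: "measure", prop: "offsetHeight" });
  }
  events.push({ script: ui, type: "request", url: "https://shop.example/api/cart" });
  return events;
}

function isThirdParty(url, pageHost) {
  const host = new URL(url).hostname;
  return host !== pageHost && !host.endsWith("." + pageHost);
}

// Summarise each script's behaviour and flag the font-probing pattern.
function classifyScripts(events, pageHost) {
  const stats = new Map();
  for (const e of events) {
    if (!stats.has(e.script)) {
      stats.set(e.script, { fonts: new Set(), measures: 0, offsite: 0, removed: false });
    }
    const s = stats.get(e.script);
    if (e.type === "font-set") s.fonts.add(e.family.trim().toLowerCase());
    else if (e.type === "measure") s.measures += 1;
    else if (e.type === "request" && isThirdParty(e.url, pageHost)) s.offsite += 1;
    else if (e.type === "script-removed") s.removed = true;
  }
  return [...stats].map(([script, s]) => {
    // Probing = many distinct families, with at least one size read per family.
    const probing = s.fonts.size >= FONT_THRESHOLD && s.measures >= s.fonts.size;
    return { script, distinctFonts: s.fonts.size, fontProbing: probing,
             reportsOffsite: probing && s.offsite > 0, selfDeletes: probing && s.removed };
  });
}
console.log(classifyScripts(sampleEvents(), "shop.example"));
```

Counting distinct families rather than raw font changes keeps layout code that repeatedly re-measures one or two fonts from being flagged.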
