Cookies, the files that websites create in browsers to remember logged-in users and track other information about them, could be abused by attackers to extract sensitive information from encrypted HTTPS connections.
The issue stems from the fact that the HTTP State Management standard, which defines how cookies should be created and handled, does not specify any mechanism for isolating them or checking their integrity. As such, Web browsers don't always authenticate the domains that set cookies. Cookies are also not isolated by port number or scheme. A server can host multiple websites accessible via the same domain, but on different port numbers.
Wireless carriers worldwide are still tracking users via "supercookies" or "perma-cookies," yet Americans are tracked by U.S. wireless carriers more than any other carrier in any other country.
Injecting tracking headers out of the control of users, without their informed consent, may abuse the privileged position that telcos occupy. Those tracking headers leak private information about users and make them vulnerable to criminal attacks or even government surveillance. It came to light in 2014 that Verizon Wireless and AT&T were injecting special tracking headers, aka "supercookies," to secretly monitor users' web browsing habits.
An online advertising clearinghouse relied on by Google, Yahoo and Facebook is using controversial cookies that come back from the dead to track the web surfing of Verizon customers.
The company is taking advantage of a hidden un-deletable number that Verizon uses to monitor customers’ habits on their smartphones and tablets. It uses the Verizon number to re-spawn tracking cookies that users have deleted. The company’s zombie cookie comes amid a controversy about a new form of tracking the telecom industry has deployed to shadow mobile phone users.
AT&T says it has stopped using a controversial mobile technology that could be misused by advertising networks to track online users regardless of their wishes. Until last week, the company had been inserting a unique identifier in web traffic sent by phones and other devices on its wireless network.
It was doing this as part of a test program, which has now been stopped. Privacy advocates hate these unique identifiers, because there’s no way to turn them off. That means that they can be used by advertising networks to circumvent privacy tools such as do-not-track lists or private browsing settings.