TUCoPS :: Browsers :: expl5003.htm

Internet Explorer with Media player installed allows uncontrolled "SuperCookies" on computer
16th Jan 2002 [SBWID-5003]
COMMAND

	IE with Media player installed allows uncontrolled  \"SuperCookies\"  on
	computer

SYSTEMS AFFECTED

	All versions

PROBLEM

	In Richard M. Smith advisory [http://www.computerbytesman.com] :
	

	There is a significant privacy problem with  Internet  Explorer  because
	of a design flaw  in  the  Windows  Media  Player  (WMP).  Using  simple
	Javascript code on a Web page, a Web site can grab the unique ID  number
	of the Windows Media Player belonging to a Web  site  visitor.  This  ID
	number can then be used just like a cookie  by  Web  sites  to  track  a
	user\'s travels around the Web.
	

	However this ID number becomes a SuperCookie because it can be  used  by
	Web sites to bypass all of the new  privacy  and  P3P  protections  that
	Microsoft has added to Internet Explorer 6 (IE6). IE6 ships  today  with
	all Windows XP systems. SuperCookies also work in all previous  versions
	of Internet Explorer with all older versions of Windows.
	

	Some of the other features of SuperCookies include:
	

	   - There appears to be no method of blocking 

	     SuperCookies from a Web site except to uninstall

	     Windows Media Player or to turn off JavaScript.

	

	   - All Web sites get the same ID number so they

	     can easily exchange information about a user

	     much like third-party cookies are used today

	     by ad networks and Internet marketing companies.

	

	   - Even if someone is using a cookie blocker add-in,

	     SuperCookies will still work.

	     

	   - If a user has deleted cookies from his or her computer

	     to stop tracking, a Web site can restore an

	     old cookie value from this ID number.  Once the

	     cookie value has been restored, new tracking data

	     can be combined with tracking data that was 

	     previously collected by the Web site.

	

	

	Demo Page

	---------

	

	I\'ve set up a simple demo page that shows the issue:
	

	   http://www.computerbytesman.com/privacy/supercookiedemo.htm

	

	This demo stills works even if the WMP option \"Allow Internet sites  to
	uniquely identify your player\" is  turned  off.  This  option  controls
	when the WMP ID number is  given  out  to  Web  sites  when  downloading
	streaming audio or video files, but does not appear to  stop  JavaScript
	programs from getting this number.
	

	

	Technical Details

	-----------------

	

	When the Windows Media Player is installed on a computer,  a  unique  ID
	number in the form of a GUID is assigned to the player. This  ID  number
	is stored in the Windows registry. The ActiveX interface to the  Windows
	Media Player allows any JavaScript Program to  retrieve  the  ID  number
	using the property \"ClientID\".
	

	The following example HTML and JavaScript code illustrates how  easy  it
	is to retrieve the ID number:
	 

	<OBJECT classid=\"clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95\" 

	ID=WMP WIDTH=1 HEIGHT=1></OBJECT>

	

	<script>

	alert(document.WMP.ClientID);

	</script> 

	

	Once the ID number is available to a JavaScript program, it can be  sent
	back to a Web site either by appending it to the URL of  a  Web  bug  or
	storing it in regular Web browser cookie.

SOLUTION

	None yet

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH