Bypassing cookie restrictions in IE 5+6

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    742

    Bypassing cookie restrictions in IE 5+6

    Source: "bugtraq@securityfocus.com"

    Bypassing cookie restrictions in IE 5+6

    Description

    A cookie is a small bit of information that a web site stores on your
    computer. When you revisit the web site, your browser sends the information
    back to the site. Usually a cookie is designed to remember and tell a web
    site some useful information about you. For example, an online bookstore
    might use a cookie to record the authors and titles of books you have
    ordered. When you return to the online bookstore, your browser lets the
    bookstore's site read the cookie. The site might then compile a list of
    books by the same authors, or books on related topics, and show you that
    list.
    This activity is invisible to you. Unless you have set your preferences so
    that you will be alerted when a cookie is being stored on your computer, you
    won't know about it. When you return to a web site, you won't know that a
    cookie is being read. From your point of view, in the example above, you'd
    simply visit the online bookstore, and a list of books that might be of
    interest to you would magically appear.
    Cookies are usually harmless. They can't be used to gather information about
    you (unless you provide it). But some services do use cookies to create a
    profile of your interests based on the sites you visit and the things you do
    there. Advertisers on participating sites can then tailor online advertising
    to your interests and buying habits.
    Out of privacy concerns some people choose to disable cookies altogether
    or prefer to have closer control over what sites are allowed to store
    cookies.
    Only recently Microsoft added some advanced cookie filtering to Internet
    Explorer 6.

    Through use of the userData behaviour these privacy settings can be
    circumvented.
    The following was taken from Microsoft's site:


    The userData behavior persists information across sessions by writing to a
    UserData store.
    This provides a data structure that is more dynamic and has a greater
    capacity than cookies.


    This behaviour completely ignores the privacy settings and allows website
    owners and advertisers to start tracking your every move once again.

    Systems affected

    Internet Explorer 5
    Internet Explorer 5.5
    Internet Explorer 6

    Demonstration

    First disable cookies by (on IE6 at least this is the way to do it) going to
    Tools > Privacy, then set it to block all.

    Go to http://www.xs4all.nl/~jkuperus/cookies.htm for an example, enter a
    value and press save.

    Close the browser, reopen the page and press load; the value is preserved.


    Vendor status:

    I will send Microsoft a cc of this email.

    Workaround:

    Disable active scripting.


    References:

    http://msdn.microsoft.com/library/de...asp?frame=true

    http://support.microsoft.com/default...EN-US;Q283185&
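
For sites that cannot simply disable active scripting, one way to audit saved pages or proxied responses for the userData behaviour described in the advisory above; this is an added example, not part of the original post or of Microsoft's code. The function name and sample pages are constructed, and the `#default#userData`, `save()` and `load()` identifiers are taken from Microsoft's documentation of the behaviour rather than from the post.

```javascript
// Added example: constructed names and sample pages, not code from the advisory.
// "#default#userData", save() and load() are the names Microsoft documents for
// the behavior (assumption: the post itself does not spell them out).
const ATTACH_PATTERNS = [
  // CSS attachment, inline or in a <style> block
  { kind: "css-behavior", re: /behavior\s*:\s*url\(\s*['"]?#default#userdata['"]?\s*\)/i },
  // Script attachment via element.addBehavior(...)
  { kind: "addBehavior", re: /addBehavior\s*\(\s*['"]#default#userdata['"]\s*\)/i },
];
// Named stores written or read through the behavior's save()/load() methods.
const STORE_CALL = /\.(?:save|load)\s*\(\s*['"]([^'"]+)['"]\s*\)/g;

function findUserDataUse(html) {
  const findings = [];
  html.split(/\r?\n/).forEach((text, i) => {
    for (const { kind, re } of ATTACH_PATTERNS) {
      if (re.test(text)) findings.push({ line: i + 1, kind });
    }
  });
  // save()/load() are common method names, so only report store names
  // when the page actually attaches the behavior.
  const stores = new Set();
  if (findings.length > 0) {
    for (const m of html.matchAll(STORE_CALL)) stores.add(m[1]);
  }
  return { attached: findings.length > 0, findings, stores: [...stores].sort() };
}

// Constructed sample pages.
const CSS_PAGE = [
  "<html><body>",
  '<input id="v" style="behavior:url(#default#userData)">',
  "<script>",
  'function keep() { v.setAttribute("val", v.value); v.save("visitorStore"); }',
  'function restore() { v.load("visitorStore"); v.value = v.getAttribute("val"); }',
  "</script></body></html>",
].join("\n");
const SCRIPT_PAGE = '<script>el.addBehavior("#default#userData"); el.load("s1");</script>';
const COOKIE_ONLY_PAGE = '<script>document.cookie = "id=1"; form.load("x");</script>';

for (const [name, page] of Object.entries({ CSS_PAGE, SCRIPT_PAGE, COOKIE_ONLY_PAGE })) {
  console.log(name, JSON.stringify(findUserDataUse(page)));
}
```

A page that only sets `document.cookie` is reported as not attached, so it remains subject to the browser's cookie privacy settings; the two flagged pages persist data outside them.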

  2. #2
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    Funky... I wonder what Microsoft has to say about this...
