Microsoft pulls "supercookies"
By Chris Taylor
22/08/2011
Microsoft is to disable so-called "supercookies" that track a user's browsing history even after they have purged their online history.
The appearance of the tracking code was discovered on the company's MSN (Microsoft Network) websites by a Standford University researcher.
Allegedly the code was able to "respawn" browsing cookies using Javascript explained Jonathan Mayer: "We dug into Microsoft's cross-domain cookie syncing code and discovered two independent supercookie mechanisms, one of which was respawning cookies.
"One of the foundational concepts in web security is the cookie same-origin policy: cookies can only be read and modified by the domain that set them," he said in a blog post cited by PC Pro.
The discovery, which carries huge implications with regards to privacy, is not the first of its kind. The Register reports that hundreds of other sites have been involved in the malpractice including Hulu.com, Spotify and GigaOm.
IT management systems may be able to circumvent some of this risk. For large firms, the regular purging of online tracking data, or cookies, will prevent a barrage of targeted advertising towards employees or the unwarranted profiling of the company by other websites.
In a blog post, Microsoft's associate general counsel Mike Hintze confirmed that the practice has been curtailed since Mayer's discovery.
"We determined that the cookie behaviour he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," he wrote.
"We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft."
