Tracking Users Via the Browser's Cache

← Back to Stories (view on slashdot.org)

Tracking Users Via the Browser's Cache

Posted by ryuzaki0 on Sunday September 17, 2006 @11:55AM from the not-just-cookies dept.

Mukund writes to point us to an article he has written about a method of tracking using the browser cache instead of cookies. A demonstration shows that tracking can remain continuous if you clear only cookies or only the cache, but not both. (Firefox's Clear Private Data tool can be set to clear both when closing the browser.)

4 of 124 comments (clear)

Min score:

Reason:

Sort:

Pretty clever.. by CTho9305 · 2006-09-17 11:59 · Score: 5, Informative

For those of you who aren't going to RTFA, basically you send a JS file with a unique ID and tell the browser to cache it... then any page that includes that JS script gets your unique ID... even if you disallow all cookies.

--
My server
1. Re:Pretty clever.. by MarkRose · 2006-09-17 12:34 · Score: 5, Funny
  
  Well if anyone tosses their cookies in my java, I, for one, am sure not going to drink it!
  
  --
  Be relentless!
Old news by christo · 2006-09-17 12:25 · Score: 5, Informative

Move on folks, there's nothing to see here.

This was done last year, by these guys: Browser Recon @ Indiana University

Defenses against this, and other attacks have been created and deployed through two firefox extensions
put out by Stanford University: Safe History and Safe Cache

This stuff ain't new.
Re:Um, no by _xeno_ · 2006-09-17 15:12 · Score: 5, Informative

Doesn't have to. Just have them cache the image using a unique timestamp for Last-Modified (so that you should get a unique If-Modified-Since header) or using a unique ETag. Both should theoretically work to uniquely identify the user, and both can easily be embedded using an image. Combined with Cache-Control: private, this should even work through firewalls.

--
You are in a maze of twisty little relative jumps, all alike.