Search this Blog

These Cookies are Anything but Sweet

Courtesy of  Pigsels
By Carl Weiss

It used to be that cookies were a sweet treat.  But not anymore.  That’s because everyone from search engines and media conglomerates, to advertisers and cybercriminals have learned how to use these tasty online morsels to sweeten their deal – regardless of what it means to you.  If you are tired of getting the “Betty Crocker Treatment” every time you surf the web, feast your eyes on today’s blog where we will show you how to start counting calories online.

Who Invented this Half-Baked Idea?

According to Wikipedia:
Netscape Navigator 6.1
Netscape Navigator 6.1 (Photo credit: Wikipedia)
“The term "cookie" was derived from the term "magic cookie", which is a packet of data a program receives and sends
 back unchanged. Magic cookies were already used in computing when computer programmer Lou Montulli had the idea of using them in web communications in June 1994.[7] At the time, he was an employee of Netscape Communications.  Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0.9beta of Mosaic Netscape, released on October 13, 1994,[10][11] supported cookies. The first use of cookies (out of the labs) was checking whether visitors to Netscape had already visited the site. Montulli applied for a patent for the cookie technology in 1995, and US 5774670 was granted in 1998. Support for cookies was integrated in Internet Explorer in version 2, released in October 1995.[12]

At the time, cookies were virtually unheard of by the public at large.  It wasn’t until February of 1996 that the first article was ever published about cookies in the Financial Times.  Someone in the Federal Trade Commission was paying attention as well, since the FTC scheduled hearings in 1997 to discuss the obvious privacy concerns posed by these nefarious little programs.

Wikipedia goes on to note that:
The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk mailing list. A special working group within the IETF was formed. Two alternative proposals for introducing state in HTTP transactions had been proposed by Brian Behlendorf and David Kristol respectively, but the group, headed by Kristol himself and Aron Afatsuom, soon decided to use the Netscape specification as a starting point. In February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.

These Cookies Aren’t Baked by Elves
Between that date and the year 2000, virtually nothing was done to reign in, much less curtail, the ever growing legions of cookies.  Worst of all, these prying I’s worked in the background, all but unobserved as they gathered information from computers at a dizzying rate.  Fast forward to the present date and like the supermarket shelves, there are currently scads of different cookie brands that currently abound. 
Courtesy of

  • HTTP only cookie – These cookies can only be used when transmitted via HTTP (or HTTPS). These cookies are supported by the vast majority of web browsers.
  • Persistent cookieThese little devils do not expire when you terminate your web browser. They will continue to report to their masters every time you go back online. Also referred to as Tracking Cookies, these are favorites of the advertising industry.
  • Secure cookieThese can only be transmitted via an encrypted connection such as HTTPS.  Many of the transactions that you make when you hit the “Buy Now” button on most eCommerce systems utilize these.
  • Session cookie Employed by web browsers the world over, these morsels exist in temporary memory for as long as you use the browser. They are normally deleted when the user closes the browser, only to spring back to life the next time you surf the web.
  • SupercookieTracking technology does not necessarily need to rely on HTTP cookies.  A supercookie is designed to be permanently stored on a user’s computer.  This means they are more difficult to detect and eliminate.  They function just like regular cookies in that they can be tasked to collect and report on everything from your browsing history, to ad-targeting data.
  • Third-party cookieNormally a cookie’s domain matches the URL shown in the web browser’s address bar.  However the so called Third Party Cookies hide their true identity by appearing to emanate from a URL that is different from the one being displayed.  Typically associated with adware, these cookies can be used to deliver ads that are concurrent with the user’s browsing preferences.
  • Zombie cookieJust like the zombies made famous in “The Night of the Living Dead,” Zombie Cookies are tough to kill since they spring back to life even after you delete them.  Their ability to rise from the dead is aided and abetted by a client-side script that has stored the cookie in multiple locations on your machine.  When it detects that the cookie is no longer present (which will happen when you delete it), the script retrieves the cookie and brings it back to life. 
Courtesy of

Not only can cookies be difficult to eliminate, they also have long memories.  If you have ever used a popular web browser to shop for products online you will notice that for days or even weeks afterward that ads concerning similar products will appear as if by magic.  While such activities can prove annoying to the public at large, they can also have more serious implications.

Wikipedia states that:

While cookies are sent only to the server setting them or a server in the same Internet domain, a web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called third-party cookies. The older standards for cookies, RFC 2109 and RFC 2965, specify that browsers should protect user privacy and not allow sharing of cookies between servers by default; however, the newer standard, RFC 6265, explicitly allows user agents to implement whichever third-party cookie policy they wish. Most browsers, such as Mozilla Firefox, Internet Explorer, Opera and Google Chrome do allow third-party cookies by default, as long as the third-party website has Compact Privacy Policy published. Newer versions of Safari block third-party cookies, and this is planned for Mozilla Firefox as well (initially planned for version 22 but was postponed indefinitely).

That’s right, information gleaned via cookies can be bought, sold and traded like baseball cards once were.  Not only that, but advertising companies routinely use third-party cookies to track users across multiple websites where it has placed ads or web bugs. A web bug is an object that invisibly allows a third party to check to see whether a user has accessed content. Sound like nothing a little Raid couldn’t cure.
While the governments of the world haven’t exactly declared open season on cookies that eavesdrop on everything we do online, that doesn’t mean that they have closed their eyes to the possibilities for abuse of these online spies.
Courtesy of

Speaking of spies, Wikipedia also reported that, “The United States government has set strict rules on setting cookies in 2000 after it was disclosed that the White House drug policy office used cookies to track computer users viewing its online anti-drug advertising. In 2002, privacy activist Daniel Brandt found that the CIA had been leaving persistent cookies on computers which had visited its website. When notified it was violating policy, CIA stated that these cookies were not intentionally set and stopped setting them.[44] On December 25, 2005, Brandt discovered that the National Security Agency (NSA) had been leaving two persistent cookies on visitors' computers due to a software upgrade. After being informed, the NSA immediately disabled the cookies.

It further reported: In 2002 the European Union launched the Directive on Privacy and Electronic Communications, a policy requiring end users’ consent for the placement of cookies, and similar technologies for storing and accessing information on users’ equipment.[46][47] In particular, Article 5 Paragraph 3 mandates that storing data in a user’s computer can only be done if the user is provided information about how this data is used, and the user is given the possibility of denying this storing operation.”

Of course, none of this stops cybercriminals from both using and hijacking information being compiled and transmitted by third-party cookies.  Network eavesdropping is all too easy to accomplish when the information being transmitted isn’t encrypted. 

Courtesy of
In cryptography and computer security, the man-in-the-middle attack requires an attacker to have the ability to both monitor and alter or inject messages into a communication channel. One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle.

Who Stole My Cookies?

Just like taking candy from a baby, it is all too easy to steal cookies using cross-site scripting.  Cookiejacking occurs when a hacker posts malicious code that once clicked, causes the victim’s web browser to send the victim’s cookies to a website of the hacker’s choosing.  Hackers can also employ known security holes in browsers and operating systems to steal cookies.

While most people are still asleep at the switch to the threat imposed by unauthorized parties that collect, use and sell information harvested by cookies, there is one threat that should wake them up: Identity Theft.  In a blog posted by, Max Anderson noticed that a cookie called spylog had been introduced to his system. 
We all know that Internet cookies can be annoying and an intrusion on our privacy, but I really didn’t think they could contribute to identity theft until recently. While most Internet cookies do not pose a significant identity theft risk, when a website installs a Spylog cookie on your computer, the webmaster of that website can track every move you make on the Web and sometimes can even track your every keystroke. When you think about how much information you type into your computer, that becomes a serious threat.

Max then went on to show the reader how easy it is for a hacker to entice the average web surfer to accept an unauthorized cookie that could very well be designed for and by cyber criminals.  Have you ever seen links that offer to:

Pay off your mortgage in 10-years or less!
This housewife found a secret to losing fifty pounds without going on a diet.
Losing your hair? Learn the secrets that can help you hold onto what you have.

In short, these offers will not only fail to live up to their promise, but there is a high probability that they will leave you with something you don’t want or need: A cookie.  While Max extolls readers to access the Internet Options tab in their browser and regularly delete unwanted cookies, there is more that can and needs to be done if you don’t want to sweeten the deal for someone who doesn’t have your best interest at heart.

Depending upon the browser you use, it is possible to defeat a number of cookies before they gain any real traction.  WikiHow has a how-to article that shows you how to lock the door on many cookies by tweaking the browser settings on a number of popular browsers, including Google Chrome, Firefox, IE, your iPad and Galaxy Tab.

Better still, there are a number of web browsers and search engines that go out of their way to shield users from cookies, including Comodo Dragon and, (I am using them both to research this very article.)  You can also kill adware in its crib by installing ad blocking software such as AdBlockPlus.  Just make sure that when you click on the ad to install any of these or other software that it leads to the company’s official website.  Today, many cyber criminals set up false flag sites that look and act like the real deal until you click on them.  Then they load tons of malware on your system.

The bottom line is that as the world wide web becomes ever more crowded with people and organizations that do not have your back, take a bit of advice from your grandma who told you to never accept candy (or cookies) from strangers.

In this article I have described how companies, hackers and identity thieves are using various forms of browser cookies to track your browsing habits. This article covers the meaning and use of most cookies, but most importantly, I discuss the use of the new third party cookies, supercookies and zombie cookies.

If you like this article, you can find more by typing “internet privacy” in the search box at the top left of this blog. I further recommend reading “ The Piracy of Privacy - The Looting of Privacy in America,"  and "Is Google Watching You?"

If you found this article useful, share it with your friends, families and co-works. If you have a comment related to this article, leave it in the comment sections below.  If you would like a free copy of our book, "Internet Marketing Tips for the 21st Century", fill out the form below.  

Thanks for sharing your time with me.

When he isn’t cooking up tasty stories online, Carl Weiss is CEO of Working the Web to Win, a digital marketing agency based in Jacksonville, Florida.  He is also the co-host of the online radio show of the same name on Blog Talk Radio.

Related articles

1 comment:

  1. Looks like you fell for a hoax in the wikipedia cookies entry. There is no Aron Afatsuom.