In the first part of the series, we discussed the basics of a cookie. Recollecting the main points from the last blog post, we discussed:
We all use online shopping websites like Amazon. We search for various kinds of products on the Amazon website. Before actually buying the item, we also use Google search to do some basic research about the product's brand and quality. We either buy it or simply add it to the cart to buy it later, hoping for a price drop or a better alternative to pop up. Later, we close the browser and go to sleep or do the routine, all good.
The very next day, when browsing Facebook, you see an advertisement saying there is a price drop for a product. Look closer, it is the same product I actually wanted to buy! How in the hell does Facebook know I was searching for this product? I mean, wtf? Here comes the concept of targeted ads and third-party cookies. Let’s try to understand the idea deeply. Below I have enabled an ad by Google AdSense. Feel free to click and test it. (Well, for now you can consider it a donation to me, I would be really happy.)
You can view the cookies set by Google for this particular ad. Use web developer or any other extension to view them.
While browsing through Amazon, we can see that Amazon is setting a lot of cookies in our browser. To manage the session, Amazon needs only one cookie, right? So, what information will be stored in the rest of them? It can be anything such as
If you inspect the cookies, you can’t see this information written in plain text. Instead, all you can see is a jumble of random characters. Have a look at the image shown below.
Web application developers use some kind of ciphering algorithm while creating the cookies. This is done to ensure the security of the cookie as well as to compress the data being stored in it. Fine, so Amazon now knows what kind of products you are interested in. Let’s get into the next question.
Facebook needs to access the cookies set by Amazon to read about our browsing interests, right? Only then can it show interest-based ads. But a cookie set by a website is accessible to that particular site only. This means the amazon.com cookies carrying our browsing data will not be accessible to facebook.com. Without that data, Facebook cannot understand our interests and cannot target ads accordingly. Also, Amazon takes data security and privacy very seriously. They will not share the collected data with Facebook. Then how will Facebook show such ads?
Here’s the catch! Actually, it is not Facebook showing that advertisement to you, it is Amazon itself. Yes, Facebook calls this feature a Pixel. Here, Facebook allocates Amazon a certain amount of space in its web application. Let’s think of it as an iframe. Now Amazon has got space inside Facebook, and from there Amazon can access its cookies stored in our browser. Perfect! Now Amazon can display the ads in Facebook, and that is what we are seeing.
In the above example we were browsing Facebook, right? Amazon just appeared there to show an advertisement. So if we inspect the cookies of the browser tab where Facebook is opened, we can see cookies other than Facebook's own. These include cookies from Amazon and every other advertiser, and they are called third-party cookies.
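The scoping rule and the embedded-frame case described above, as an added example that is not part of the original post: a small model of a browser cookie jar that decides which cookies ride along with a request and whether the context is third-party. The class, the cookie names and values, and the `blockThirdParty` switch are all constructed for illustration; the model assumes site-wide cookies that are permitted in cross-site frames (`SameSite=None`).

```javascript
// Constructed model of a browser cookie jar; not real browser code.
class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty; // hypothetical privacy setting
    this.store = new Map();                 // site -> Map(name -> value)
  }

  // Crude "site" of a host: its last two labels.
  // Real browsers use the Public Suffix List for this.
  static site(host) {
    return host.split('.').slice(-2).join('.');
  }

  // A response from `host` sets a cookie; it is filed under that host's site.
  set(host, name, value) {
    const site = CookieJar.site(host);
    if (!this.store.has(site)) this.store.set(site, new Map());
    this.store.get(site).set(name, value);
  }

  // Cookies attached to a request for `requestHost` made while the
  // tab's address bar shows `topLevelHost`.
  cookiesFor(requestHost, topLevelHost) {
    const reqSite = CookieJar.site(requestHost);
    const thirdParty = reqSite !== CookieJar.site(topLevelHost);
    if (thirdParty && this.blockThirdParty) return { thirdParty, cookies: {} };
    // Only the requested site's own cookies are ever candidates.
    const cookies = Object.fromEntries(this.store.get(reqSite) ?? []);
    return { thirdParty, cookies };
  }
}

function demo(blockThirdParty) {
  const jar = new CookieJar({ blockThirdParty });
  // Day 1: shopping on Amazon and logging in to Facebook (constructed values).
  jar.set('www.amazon.com', 'session-id', 'constructed-session');
  jar.set('www.amazon.com', 'interest', 'constructed-opaque-blob');
  jar.set('www.facebook.com', 'fb-session', 'constructed-fb-session');
  return {
    // Facebook's own page: only facebook.com cookies are attached.
    facebookPage: jar.cookiesFor('www.facebook.com', 'www.facebook.com'),
    // Amazon frame inside the Facebook tab: amazon.com cookies, third-party context.
    amazonFrame: jar.cookiesFor('www.amazon.com', 'www.facebook.com'),
  };
}

console.log(JSON.stringify(demo(false), null, 2));
```

Calling `demo(true)` shows the same Facebook tab with third-party cookies blocked: the Amazon frame still loads, but its request carries no cookies, while the Facebook session is untouched.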
Another great example of third-party cookies is Google Analytics cookies. Google Analytics is a freemium service offered by Google which tracks the traffic and user activity of websites. Say I have enabled Google Analytics for my blog; then I am literally allowing Google to analyse all the users and traffic coming to my blog. Probably, by now, you have guessed that this is done with the help of cookies, haven’t you? Yes, that’s right. You might have noticed the cookies __utma, __utmc, __ga_cookie, etc. on various websites. These are Google Analytics cookies. Each of them carries various data collected from us, such as our browsing history.
The answer is yes and no. It depends on which cookie you are deleting. If you delete a session cookie while you are logged into Facebook, the session can no longer work. Facebook will immediately log you out. But you are free to delete the third-party tracking cookies, and I highly recommend it.
Tracking cookies can store anything they want. For example, they can collect your browsing history, your mouse movements, your keystrokes and more. If you are suffering from a sexual disease and you Googled for the treatment, those cookies will take note of it. And the very next day some app suggests a product for penis enlargement to you. I’m not kidding, they can collect any of your data by analysing your location, the websites that you browse, your healthcare data, and so on, and create a well-crafted profile of you. Who knows how the tech giants are processing this data? Recent research proves that Artificial Intelligence can even predict your death. Pretty scary, right?
You can deny tracking cookies by using adblocker browser extensions such as uBlock Origin. uBlock will effectively block unwanted third-party junk from accessing your personal data. If you are interested in more privacy-related stuff, I highly recommend reading our partner blog anonymity.guru.
We have talked a lot. I hope the basic cookie concept is clear. But we have not yet said anything about the security of cookies. Cookies are the files containing your Facebook information. Have you ever thought about what happens to your Facebook account if someone else (say, a hacker) gets access to that information? The third blog post deals with the security-related flags of a cookie. Have a look and please keep coming.