1.    26 Jun 2016 #1
    Join Date : Apr 2016
    Posts : 90
    Windows 10 Professional x64

    Seems Edge and IE have a cookie leakage bug

    Hi all,

    I just tried this page that tests browsers' cookie management and got a cookie leakage bug report. In other terms, third party cookie blocking policies can be circumvented on these browsers.

    I was considering trying Edge again but it didn't last long...

    For those who don't know, third party cookies are a means of tracking people's browsing habits, such as the sites they visit, things they like, buy, etc.

    While there are tools that are supposed to specifically block such cookies, they mostly rely on people maintaining an up-to-date list of such cookies. I prefer the more radical way of simply rejecting all third party cookies. However, some websites react badly to this, in which case either per-site or per-cookie exceptions can be created, or for the purists a new private browser session with all cookies authorised can be set up for this site only. Private here meaning that it doesn't share cookies or temporary files with any other session, and everything related to the session is deleted upon termination.

  2.    26 Jun 2016 #2
    Join Date : Sep 2014
    Posts : 2,888
    Windows 10 Pro

    Did you turn off third party cookies in Internet Options? You don't say what you did...


    I just tested this, and found the "leakage" you mention for Icon, object, and embed links. First, I take anything from Steve Gibson with a huge grain of salt. He's often wrong about security issues, and experts routinely debunk his claims (or they used to, he doesn't even show up on real security researchers' radar anymore).

    Secondly, this is almost certainly a misunderstanding of the compatibility functions of IE and Edge. More than likely, he's "testing" in such a way that he's triggering a compatibility function that wouldn't occur in the "real world". If I recall correctly, IE8 and other versions had this same compatibility result.

    I think it works like this. If you set a third party cookie within the same browser context, then read it from the same context, it will succeed. This is a rather pointless test, because a real attacker would not be doing a write and a read in the same context as that doesn't achieve what they're looking for. You would need to write the cookie, and read it from a totally different context.

    The problem is that the way Gibson's site is designed, you can't test that. Reloading the page in a new context causes the cookies to be reissued, thus once again being in the same context.

    I think this is a red herring dressed up as a "sky is falling" scenario.
    Last edited by Mystere; 26 Jun 2016 at 22:11.

  3.    26 Jun 2016 #3
    Join Date : Apr 2016
    Posts : 90
    Windows 10 Professional x64

    Yes I did turn off third party cookies. I get this: [image: tpsc.PNG] and this: [image: tppc.PNG]

    I see what you mean about the same context check, however, assuming it's what happens, strictly speaking it doesn't comply with the "No third party cookies" setting.

  4.    26 Jun 2016 #4
    Join Date : Sep 2014
    Posts : 2,888
    Windows 10 Pro

    I'm sure one of the new extensions will help with this if you're that concerned about it.

    Most people generally are not, and would prefer compatibility over constantly maintaining their cookie exceptions.

    Remember, Microsoft needs to maintain compatibility where other browsers do not. They can rely on users to "fall back" to IE (or Edge) if there is a compatibility issue. So it's only IE/Edge's compatibility that allows other browsers to be so bleeding edge.

  5.    27 Jun 2016 #5
    Join Date : Apr 2016
    Posts : 90
    Windows 10 Professional x64

    It's not really a problem if things are like you said. A third party cookie working only in the same browser context, and likely deleted when the session is closed, that seems just fine since it defeats tracking. However, I can't take your word on this since you're just making assumptions after all.

    And you're probably right, most people don't care about being tracked as long as they don't see the ads!


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
