Seems Edge and IE have a cookie leakage bug


  1. Posts : 165
    Windows 10 Professional x64
       #1


    Hi all,

    I just tried this page that tests browsers' cookie management and got a cookie leakage bug report. In other terms, third party cookie blocking policies can be circumvented on these browsers.

    I was considering trying Edge again but it didn't last long...

    For those who don't know, third party cookies are a means of tracking people's browsing habits, such as the sites they visit, things they like, buy, etc.

    While there are tools that are supposed to specifically block such cookies, they mostly rely on people maintaining an up-to-date list of such cookies. I prefer the more radical way of simply rejecting all third party cookies. However, some websites react badly to this, in which case either per-site or per-cookie exceptions can be created, or for the purists a new private browser session with all cookies authorised can be set up for this site only. Private here meaning that it doesn't share cookies or temporary files with any other session, and everything related to the session is deleted upon termination.


  2. Posts : 3,257
    Windows 10 Pro
       #2

    Did you turn off third party cookies in Internet Options? You don't say what you did...

    EDIT:

    I just tested this, and found the "leakage" you mention for Icon, object, and embed links. First, I take anything from Steve Gibson with a huge grain of salt. He's often wrong about security issues, and experts routinely debunk his claims (or they used to, he doesn't even show up on real security researchers' radar anymore).

    Secondly, this is almost certainly a misunderstanding of the compatibility functions of IE and Edge. More than likely, he's "testing" in such a way that he's triggering a compatibility function that wouldn't occur in the "real world". If I recall correctly, IE8 and other versions had this same compatibility result.

    I think it works like this. If you set a third party cookie within the same browser context, then read it from the same context, it will succeed. This is a rather pointless test, because a real attacker would not be doing a write and a read in the same context as that doesn't achieve what they're looking for. You would need to write the cookie, and read it from a totally different context.

    The problem is that the way Gibson's site is designed, you can't test that. Reloading the page in a new context causes the cookies to be reissued, thus once again being in the same context.

    I think this is a red herring dressed up as a "sky is falling" scenario.
    Last edited by Mystere; 26 Jun 2016 at 22:11.


  3. Posts : 165
    Windows 10 Professional x64
    Thread Starter
       #3

    Yes, I did turn off third party cookies. I get this: [attached image: tpsc.png] and this: [attached image: tppc.png]

    I see what you mean about the same context check, however, assuming it's what happens, strictly speaking it doesn't comply with the "No third party cookies" setting.


  4. Posts : 3,257
    Windows 10 Pro
       #4

    I'm sure one of the new extensions will help with this if you're that concerned about it.

    Most people generally are not, and would prefer compatibility over constantly maintaining their cookie exceptions.

    Remember, Microsoft needs to maintain compatibility where other browsers do not. They can rely on users to "fall back" to IE (or Edge) if there is a compatibility issue. So it's only IE/Edge's compatibility that allows other browsers to be so bleeding edge.


  5. Posts : 165
    Windows 10 Professional x64
    Thread Starter
       #5

    It's not really a problem if things are like you said. A third party cookie working only in the same browser context, and likely deleted when the session is closed, that seems just fine since it defeats tracking. However, I can't take your word on this since you're just making assumptions after all.

    And you're probably right, most people don't care about being tracked as long as they don't see the ads!
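The test-design question argued in posts #2 to #5, as a toy model added here for illustration; it is not code from the thread, from the test page, or from any browser. The `Context` class, the three policy names and the host names are assumptions, and the model makes no claim about what IE or Edge actually do.

```javascript
// Toy model, constructed for illustration; not IE/Edge internals.
// A "context" is one browser session with its own in-memory state.
const site = (host) => host.split('.').slice(-2).join('.'); // naive eTLD+1

class Context {
  // policy 'strict' : a third-party Set-Cookie is dropped outright
  // policy 'session': it is kept in memory for this context only
  // policy 'none'   : no third-party blocking at all
  constructor(policy, disk) {
    this.policy = policy;
    this.disk = disk;        // persistent jar, shared by every context
    this.memory = new Map(); // discarded when the context ends
  }
  setCookie(topHost, cookieHost, name, value) {
    const key = `${site(cookieHost)}|${name}`;
    const firstParty = site(topHost) === site(cookieHost);
    if (firstParty || this.policy === 'none') { this.disk.set(key, value); return true; }
    if (this.policy === 'session') { this.memory.set(key, value); return true; }
    return false;
  }
  getCookie(topHost, cookieHost, name) {
    const key = `${site(cookieHost)}|${name}`;
    if (this.memory.has(key)) return this.memory.get(key);
    const thirdParty = site(topHost) !== site(cookieHost);
    if (thirdParty && this.policy !== 'none') return undefined; // not sent cross-site
    return this.disk.get(key);
  }
}

const TRACKER = 'cdn.tracker.example'; // constructed host name

// Write then read inside one context: all a single page load can observe.
function sameContextProbe(policy) {
  const ctx = new Context(policy, new Map());
  ctx.setCookie('www.news.example', TRACKER, 'id', 'abc');
  return ctx.getCookie('www.news.example', TRACKER, 'id') !== undefined;
}

// Write in one context, read from a fresh one sharing the persistent jar.
function crossContextProbe(policy) {
  const disk = new Map();
  new Context(policy, disk).setCookie('www.news.example', TRACKER, 'id', 'abc');
  return new Context(policy, disk).getCookie('www.shop.example', TRACKER, 'id') !== undefined;
}

for (const p of ['strict', 'session', 'none']) {
  console.log(p, 'same-context:', sameContextProbe(p), 'cross-context:', crossContextProbe(p));
}
```

In this model the same-context probe reports a readable cookie for both `session` and `none`, so it cannot tell a session-only cookie from no blocking at all; only the cross-context probe separates the two.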


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
