Windows 10: Seems Edge and IE have a cookie leakage bug

  1. Posts : 122
    Windows 10 Professional x64
       26 Jun 2016 #1

    Hi all,

    I just tried this page that tests browsers' cookie management and got a cookie leakage bug report. In other terms, third party cookie blocking policies can be circumvented on these browsers.

    I was considering trying Edge again but it didn't last long...

    For those who don't know, third party cookies are a means of tracking people's browsing habits, such as the sites they visit, things they like, buy, etc.

    While there are tools that are supposed to specifically block such cookies, they mostly rely on people maintaining an up-to-date list of such cookies. I prefer the more radical way of simply rejecting all third party cookies. However, some websites react badly to this, in which case either per-site or per-cookie exceptions can be created, or for the purists a new private browser session with all cookies authorised can be set up for this site only. Private here meaning that it doesn't share cookies or temporary files with any other session, and everything related to the session is deleted upon termination.

  2.    26 Jun 2016 #2

    Did you turn off third party cookies in Internet Options? You don't say what you did...


    I just tested this, and found the "leakage" you mention for Icon, object, and embed links. First, I take anything from Steve Gibson with a huge grain of salt. He's often wrong about security issues, and experts routinely debunk his claims (or they used to, he doesn't even show up on real security researchers' radar anymore).

    Secondly, this is almost certainly a misunderstanding of the compatibility functions of IE and Edge. More than likely, he's "testing" in such a way that he's triggering a compatibility function that wouldn't occur in the "real world". If I recall correctly, IE8 and other versions had this same compatibility result.

    I think it works like this. If you set a third party cookie within the same browser context, then read it from the same context, it will succeed. This is a rather pointless test, because a real attacker would not be doing a write and a read in the same context as that doesn't achieve what they're looking for. You would need to write the cookie, and read it from a totally different context.

    The problem is that the way Gibson's site is designed, you can't test that. Reloading the page in a new context causes the cookies to be reissued, thus once again being in the same context.

    I think this is a red herring dressed up as a "sky is falling" scenario.
    Last edited by Mystere; 26 Jun 2016 at 22:11.

  3. Posts : 122
    Windows 10 Professional x64
    Thread Starter
       26 Jun 2016 #3

    Yes I did turn off third party cookies. I get this: [image: tpsc.PNG] and this: [image: tppc.PNG]

    I see what you mean about the same context check, however, assuming it's what happens, strictly speaking it doesn't comply with the "No third party cookies" setting.

  4.    26 Jun 2016 #4

    I'm sure one of the new extensions will help with this if you're that concerned about it.

    Most people generally are not, and would prefer compatibility over constantly maintaining their cookie exceptions.

    Remember, Microsoft needs to maintain compatibility where other browsers do not. They can rely on users to "fall back" to IE (or Edge) if there is a compatibility issue. So it's only IE/Edge's compatibility that allows other browsers to be so bleeding edge.

  5. Posts : 122
    Windows 10 Professional x64
    Thread Starter
       27 Jun 2016 #5

    It's not really a problem if things are like you said. A third party cookie working only in the same browser context, and likely deleted when the session is closed, that seems just fine since it defeats tracking. However, I can't take your word on this since you're just making assumptions after all.

    And you're probably right, most people don't care about being tracked as long as they don't see the ads!
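The thread leaves open whether cookies actually travel on third-party icon, object and embed requests when third-party cookies are switched off. The following is an added example, not part of any post in this thread: it audits a captured list of requests (for instance exported from a local proxy) and reports third-party requests that still carried a Cookie header, grouped by resource type. The record fields, host names and cookie values are constructed, and the last-two-labels site rule is a simplification.

```javascript
// Constructed sample: requests recorded while loading one page with
// "block third-party cookies" enabled. Hosts and values are made up.
const SAMPLE_REQUESTS = [
  { top: "www.shop.example", url: "https://www.shop.example/index.html", type: "document", cookie: "sid=1" },
  { top: "www.shop.example", url: "https://cdn.shop.example/app.js", type: "script", cookie: "sid=1" },
  { top: "www.shop.example", url: "https://t.tracker.example/p.gif", type: "image", cookie: "" },
  { top: "www.shop.example", url: "https://t.tracker.example/favicon.ico", type: "icon", cookie: "uid=abc" },
  { top: "www.shop.example", url: "https://t.tracker.example/w.swf", type: "object", cookie: "uid=abc" },
  { top: "www.shop.example", url: "https://t.tracker.example/e.swf", type: "embed", cookie: "uid=abc" },
];

// Simplification (assumption): the last two labels are the registrable
// domain. Production code should consult the Public Suffix List instead,
// otherwise hosts under suffixes such as co.uk are grouped incorrectly.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// A request is third-party when its site differs from the top-level page's.
function isThirdParty(topHost, requestUrl) {
  return siteOf(new URL(requestUrl).hostname) !== siteOf(topHost);
}

// Every third-party request that still carried a non-empty Cookie header.
function findLeaks(requests) {
  return requests.filter(
    (r) => isThirdParty(r.top, r.url) && r.cookie.trim() !== ""
  );
}

// Count leaks per resource type, to see which element kinds bypass the policy.
function leaksByType(requests) {
  const counts = {};
  for (const r of findLeaks(requests)) {
    counts[r.type] = (counts[r.type] || 0) + 1;
  }
  return counts;
}

console.log(leaksByType(SAMPLE_REQUESTS));
```

To separate same-context reads from cross-session tracking, run the same audit on a capture taken after closing and reopening the browser.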

