Evercookie

What Is an Evercookie?

Evercookie, sometimes referred to as a supercookie, is a persistent web browser cookie technology deployed by websites to retain and reproduce cookies that have been manually deleted or altered by a user. 

As a result, the user can’t delete these browser cookies in the usual way, and their web browser continues to share the information they contain with the website – the cookie hash

Cookies are small text files created when visiting a domain for the first time, to record how the user interacts with the site. For the average user, their existence will only be noticeable when a website greets them by name or remembers their preferences, but for a low-stakes fraudster attempting to, say, create many different accounts for a matched betting operation, they can be an obvious obstacle. 

An evercookie is programmed to auto-propagate, storing its data in various locations in a way that makes it very difficult to get rid of. It has been used by malicious actors of various types, as we will see.

Who Created the Evercookie and Why?

Evercookie is an open source project developed by American security researcher Samy Kamkar, first published on his GitHub page in 2010. On release, Kamkar described it as a demonstration of the potential security flaws in websites that employ some sort of cookie-respawning application. 

Web security has historically been a push-and-pull between users’ privacy concerns and using harvested data to create a safe and profitable commercial environment. With this struggle in mind, major web browsers offer their users the ability to both delete and refuse cookies, providing end-users with more control over their data while simultaneously diminishing a major line of website security.

As users increasingly used those options to delete and refuse cookies, Evercookie was developed to show how a user could be tracked consistently despite the controls offered by the web browser. In web security terms, Evercookie prevents a would-be fraudster from simply deleting or refusing the cookies that would track their malicious behavior.

In personal privacy terms, however, it also presents a conflict with existing GDPR legislation, which demands the end-user give explicit consent as to whether or not a cookie is accepted. 

How Does Evercookie Work?

The name Evercookie is something of a misnomer, insofar as it is not an actual cookie but rather a suite of JavaScript code that respawns several cookies. 

The process works like this: 

  1. When a user visits a website that employs an evercookie or a supercookie-like API, a cookie is created.
  2. Redundant copies of the cookie, as well as portions of the user’s information, are stored in up to 17 other places available in the web browser, some of which are related to standard anti-fraud practices, like browser fingerprinting.
  3. The end-user deletes the entire cookie, or alters data in the cookie text file.
  4. When the device attempts to access the deleted or altered cookie file, evercookie compares the data to the redundant copies, then recreates the authentic cookie from the other available data sources.
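The respawn loop in steps 2 to 4 seen from the defender's side, as an added example (not code from the page or from Kamkar's project): it indexes identifier-shaped values across storage areas, flags one that reappears in the cookie jar after a clear, and removes every copy at once, which is what the Nevercookie-type tools mentioned later on this page aim for. The storage-area names, the `windowName` label and the sample identifier are constructed for the demo.

```javascript
// Added example, not from the page or from Kamkar's project: a defender-side check for identifiers
// replicated across browser storage areas; areas are Maps so this runs in Node without a browser.
const ID_PATTERN = /^[A-Za-z0-9+/=_-]{8,}$/; // value shaped like an opaque tracking identifier

// Map each identifier-looking value to the set of storage areas that hold it.
function indexIdentifiers(stores) {
  const index = new Map();
  for (const [area, entries] of Object.entries(stores)) {
    for (const value of entries.values()) {
      if (!ID_PATTERN.test(value)) continue;
      if (!index.has(value)) index.set(value, new Set());
      index.get(value).add(area);
    }
  }
  return index;
}

// Steps 3-4: `before` was taken before the user cleared cookies, `after` on the next page
// load. A value that was replicated and is back in the cookie jar has been respawned.
function detectRespawn(before, after) {
  const seen = indexIdentifiers(before);
  const hits = [];
  for (const value of after.cookie.values()) {
    const areas = seen.get(value);
    if (areas && areas.has('cookie') && areas.size >= 2) {
      hits.push({ id: value, seededFrom: [...areas].filter((a) => a !== 'cookie').sort() });
    }
  }
  return hits;
}

// Remediation in the spirit of Nevercookie-type tools: delete every copy at once, so no
// replica is left to rebuild the cookie from. Returns the number of copies removed.
function purgeIdentifier(stores, id) {
  let removed = 0;
  for (const entries of Object.values(stores)) {
    for (const [name, value] of [...entries]) if (value === id) { entries.delete(name); removed += 1; }
  }
  return removed;
}

// Constructed sample snapshots (not real data): one id replicated into two other areas.
const ID = 'a94f2c1e7b';
const snapshotBefore = {
  cookie: new Map([['uid', ID], ['theme', 'dark']]),
  localStorage: new Map([['uid', ID]]), windowName: new Map([['value', ID]]),
};
// After clearing cookies and reloading: the cookie is back, the replicas were untouched.
const snapshotAfter = { ...snapshotBefore, cookie: new Map([['uid', ID]]) };
```

Running `detectRespawn(snapshotBefore, snapshotAfter)` reports the identifier with `seededFrom: ['localStorage', 'windowName']`; a real extension would take the two snapshots around the user's clear action instead of constructing them.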

Are There Different Kinds of Evercookies?

When evercookie was created, it was meant to be an intellectual exercise to show how unscrupulous data-tracking could exist on the average web browser. It is not a brand or product per se. 

Today, there are similar JavaScript APIs that are based on Samy Kamkar’s original evercookie code. These might be referred to as:

  • supercookies
  • persistent cookies
  • forever cookies
  • zombie cookies

All of these APIs will attempt to utilize all or some of the 17 areas of a web browser where partial user data might be stored in order to recreate altered cookies. The resulting code will be similar.

Should You Worry About Evercookies?

Whether you are approaching evercookie as an individual or a business, the short answer is: yes, it is concerning.

The cookies being respawned aren’t inherently malicious. In reality, they probably make your browsing experience smoother. The practice of cookie-respawning, however, has been determined to violate end-users’ privacy rights, with the legal culpability belonging to the company. 

In 2011, a team at UC Berkeley discovered the presence of a cookie-respawning application similar to evercookie on the site of KISSMetrics, a company offering marketing analytics.

KISSMetrics’ service was used by major platforms, including Hulu and Spotify. Less than a day after the Berkeley team published their findings, both of those websites stopped using KISSMetrics and amended their privacy policies, but not before two lawsuits were filed against KISSMetrics itself.

Beyond this real-life example, featured in Wired magazine, any malicious use of cookies is made much worse when the cookies involved respawn and persist. This includes uses such as:

  • malicious tracking cookies
  • cookie stuffing
  • hijacking of persistent cookies, which becomes easier for attackers

Can You Delete an Evercookie? Can It Be Killed?

Evercookie’s driving characteristic is that it creates persistence. Thus, once hosted on a local device, it can be very difficult to remove. 

Being in the habit of regularly clearing the cookie cache in your web browser’s settings is a basic part of data security. This may occasionally cause your web pages to load more slowly as new cookies are generated, and you may find yourself re-entering data that was previously autofilled.

Antivirus software on your device will certainly include a scan that checks for malicious tracking cookies stored on your computer. The more privacy-minded might also consider disabling cookies in their browser, which may come with some inconveniences, like videos not remembering where you left off watching. 

If you’re concerned about potential privacy breaches from a suspected cookie respawner on your device, the best course of action is to research an application specifically aimed at evercookie, such as Anonymizer Nevercookie for Firefox. Tools like this complement deletion of a cookie by preventing evercookie-type APIs from respawning them.
