October 27, 2015Over the past decade, there’s been a privacy arms race between unscrupulous website operators and browser makers. The former wield an ever-changing lineup of so-called zombie cookies that can’t be easily deleted and attacks that sniff thousands of previously visited sites, while browser makers aim to prevent such privacy invasions by closing the design weaknesses that make them possible. Almost as soon as one hole is closed, hackers find a new one.
Over the weekend, a researcher demonstrated two unpatched weaknesses that Web masters can exploit to track millions of people who visit their sites. Taken together, the attacks allow websites to compile a list of previously visited domains, even when users have flushed their browsing history, and to tag visitors with a tracking cookie that will persist even after users have deleted all normal cookies. Ironically, the techniques abuse relatively new security features that are already built into Google Chrome and Mozilla Firefox and that may make their way into other mainstream browsers in the future.