New HSTS Supercookies Can Track Your Private Browsing Activities
By Paul Liu
Monday, July 6th, 2015

A recently reported security flaw in HTTP Strict Transport Security (HSTS) lets a website plant a "Supercookie" that keeps tracking your sessions even when you browse in Private or Incognito mode. The flaw was found by Sam Greenhalgh of RadicalResearch, a technology consultancy based in the UK. It affects every major browser and operating system, but it is most serious on Apple devices, because at present there is no way to delete such a Supercookie from the Safari browser on an Apple device.
Cookies are small pieces of text that almost all websites store in the browser to remember users' preferences and, after a login, a session token so that users are not asked to sign in again on every visit (the cookie holds that token, not the password itself). Cookies can be a privacy risk, but they are easy to delete in almost every browser. Most modern browsers also offer a Private or Incognito browsing mode that lets users surf the web without leaving a trace of the session on the machine, which is especially useful for people who care about their privacy or who share a computer with others.
Sam found that HSTS, an essential security feature that tells the browser to reach a site only over HTTPS, can be abused to bypass the protection Private browsing mode is supposed to give. When a site sends the HSTS header, the browser records a per-host flag and, on every later visit, uses it to upgrade plain http:// requests to https://, so the flag has to be stored persistently. Because that stored flag is not a cookie, browsers did not treat it like one: it is carried over into Private mode, and a site can tell whether it is set simply by observing whether an http:// request to that host gets upgraded. A set of such flags therefore behaves as a Supercookie that can track your browsing activity even while you are using Incognito mode.
Sam also built a proof-of-concept (POC) site to show how the whole thing works. Visitors are asked to open it first in normal browsing mode, where the site assigns them a unique tracking ID and encodes it into HSTS flags: the ID is split into bits, and for every bit that is set the browser is made to load a resource from a dedicated subdomain whose response carries the HSTS header. Visitors are then asked to reopen the site in Private mode without clearing their data. The site now requests one http:// resource from each of those subdomains, reads the bits back from which requests the browser silently upgraded to HTTPS, and reconstructs the tracking ID, even though the visitor believes Incognito mode is protecting them.
Although the issue affects almost all browsers, it is worst in Safari on Apple devices. In Chrome and Firefox the Supercookie is flushed along with the rest of the site data when you clear your browsing history (Chrome also lets you query and delete individual HSTS entries at chrome://net-internals/#hsts); Safari offers no such facility. Firefox has also shipped a security update that stops HSTS flags from carrying over into Private Browsing mode. For Apple users the problem is more serious still: the Supercookie does not just live in Safari, it is synced to the user's other devices through iCloud. As of this writing the issue does not affect Internet Explorer users, since IE does not support HSTS.
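The bit-encoding the POC relies on, written out as an added JavaScript example (this is not Sam Greenhalgh's code and is not from the original article). The tracker domain tracker.example, the bitN. host names and the 32-bit ID width are assumptions; the browser's HSTS store is modelled as a Set of host names rather than real HTTP responses, so the snippet runs offline under Node and shows the write side, the read side, and why an isolated or cleared store defeats it.

```javascript
// Added example, not the PoC site's own code. Simulates how a tracking ID is
// hidden in a browser's HSTS store. The Set below stands in for the browser's
// persisted list of HSTS hosts; in a real browser it is written by
// Strict-Transport-Security response headers and read by observing which
// http:// requests get upgraded to https://.

const TRACKER_DOMAIN = "tracker.example"; // hypothetical attacker-controlled domain
const ID_BITS = 32;                        // assumed width of the tracking ID

// Host name that carries bit i of the identifier (naming scheme is assumed).
function bitHost(i) {
  return `bit${i}.${TRACKER_DOMAIN}`;
}

// Write side (run once in normal browsing mode): for every set bit in `id`,
// the tracker page embeds a resource served over https from bitHost(i) with
// "Strict-Transport-Security: max-age=31536000", so the browser records that
// host. Hosts for cleared bits never send the header.
// Returns the hosts that must send the header for this id.
function hostsToFlag(id) {
  const hosts = [];
  for (let i = 0; i < ID_BITS; i++) {
    if ((id >>> i) & 1) hosts.push(bitHost(i));
  }
  return hosts;
}

// The browser's HSTS store, modelled as a Set of host names. A real store
// also tracks max-age and includeSubDomains; both are irrelevant here.
function applyHstsHeaders(store, hosts) {
  for (const h of hosts) store.add(h);
  return store;
}

// What the browser does with a request for http://host/...: upgrade it to
// https if the host is in the store, otherwise leave it as plain http.
function resolveScheme(store, host) {
  return store.has(host) ? "https" : "http";
}

// Read side (run later, e.g. in Private mode): request http://bitHost(i)/probe
// for every bit. The tracker's http listener answers "0" and its https
// listener answers "1", so the scheme the browser actually used leaks the bit.
function readTrackingId(store) {
  let id = 0;
  for (let i = 0; i < ID_BITS; i++) {
    if (resolveScheme(store, bitHost(i)) === "https") id |= (1 << i);
  }
  return id >>> 0; // bit 31 makes the int32 negative; convert back to unsigned
}

// Walk through the three situations the article describes.
function demo() {
  const trackingId = 0xDEADBEEF; // constructed sample identifier
  // Normal mode: the visitor loads the tracker page and the bit hosts send
  // their HSTS headers.
  const hstsStore = applyHstsHeaders(new Set(), hostsToFlag(trackingId));
  // Private mode in a browser that shares the HSTS store with normal mode:
  // the ID is read straight back.
  const leaked = readTrackingId(hstsStore);
  // Private mode in a browser that starts it with an isolated, empty store:
  // every probe stays on http and the tracker learns nothing.
  const fresh = readTrackingId(new Set());
  // Normal mode after the user clears site data, which also drops the HSTS
  // entries: the ID is gone.
  hstsStore.clear();
  const afterClear = readTrackingId(hstsStore);
  return { leaked, fresh, afterClear };
}

console.log(demo()); // { leaked: 3735928559, fresh: 0, afterClear: 0 }
```

In a live deployment the write side is a page that embeds one https:// resource per set bit, and the read side is a page that loads http://bitN.tracker.example/probe for every bit (with an Image or fetch() per host) and checks which responses came from the HTTPS listener; those two loops around the logic above are all a tracking page needs. The same model also shows the two defences that matter: give Private mode its own empty HSTS store, and wipe HSTS entries whenever the user clears site data.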