Hulu and MSN using supercookies to track users

Users of Hulu and MSN, among others, may have fallen victim to a new wave of powerful cookies collecting their personal data. That's according to a new report publicised by the Wall Street Journal, which claims such websites are leaving cookies that persist even after the user has "cleared" their cookies. The "supercookie" is able to recreate a profile of the user, information valuable to advertising firms for research and targeting purposes. Supercookies were discovered to be in use on several websites by researchers from the University of California at Berkeley and Stanford University.

Although the cookies are legal, both Microsoft and Hulu have decided to take action against them. A company called Kissmetrics was found to be responsible for Hulu's cookies, and when contacted by WSJ stated that they were planning to stop using them. On the other hand, Microsoft claimed they were unaware of the practices employed, and proceeded to remove the offending code.

Supercookies have a number of ways of bypassing the "clear cookies" system. Using Flash or HTML5, the cookie can instead reside in a local content cache. To get rid of them, Windows users can try CCleaner, a new version of which was released less than a month ago. Similar cleaners also exist for the Mac and Linux platforms.
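
An added example, not from the article: a read-only Python audit that lists Flash local shared objects (`.sol` files), which live outside the browser's cookie store and so are untouched by "clear cookies". The directory paths and the `.sol` header layout are assumptions based on the commonly documented Flash Player defaults, and `build_sample_sol` only produces constructed test data.

```python
import struct
from pathlib import Path

# Assumed default Flash Player shared-object roots (Windows, macOS, Linux).
DEFAULT_ROOTS = [
    Path.home() / "AppData/Roaming/Macromedia/Flash Player/#SharedObjects",
    Path.home() / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",
    Path.home() / ".macromedia/Flash_Player/#SharedObjects",
]

def parse_sol_name(data: bytes):
    """Return the object name stored in a .sol header, or None if malformed."""
    # Assumed layout: 00 BF | u32 length | "TCSO" | 6 bytes | u16 name length | name
    if len(data) < 18 or data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        return None
    (name_len,) = struct.unpack(">H", data[16:18])
    if 18 + name_len > len(data):
        return None  # truncated file: name runs past the end
    return data[18:18 + name_len].decode("utf-8", "replace")

def find_lsos(root: Path):
    """List every .sol under root with the domain that stored it."""
    found = []
    for sol in sorted(root.rglob("*.sol")):
        rel = sol.relative_to(root).parts
        # On-disk layout: <random profile dir>/<domain>/.../<name>.sol
        domain = rel[1] if len(rel) >= 3 else "(unknown)"
        data = sol.read_bytes()
        found.append({"domain": domain, "file": "/".join(rel),
                      "name": parse_sol_name(data), "bytes": len(data)})
    return found

def build_sample_sol(name: str, payload: bytes = b"") -> bytes:
    """Constructed .sol bytes for testing the parser (not real tracker data)."""
    body = (b"TCSO" + b"\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name))
            + name.encode() + b"\x00\x00\x00\x00" + payload)
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body

if __name__ == "__main__":
    for root in DEFAULT_ROOTS:
        if root.is_dir():
            for item in find_lsos(root):
                print(f'{item["domain"]:30} {item["bytes"]:6} B  {item["file"]}')
```

Running it before and after clearing cookies in the browser shows whether any per-domain objects were left behind.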

22 Comments


So many questions from this...

Super Cookies have been around for a long time, and Flash is just one way to implement them. However, if we are going to pick on Flash for a moment, why does Flash INSIST on using its own location for caching Flash content? Even if it wants to maintain its own cache, it could do so in any of the standard browser cache locations.

Failure - Flash/Adobe


Other offenders: JAVA, ETags, HTML5 Canvas crap, etc...

The Etag stuff is implemented by the server, and requires that IIS or Apache have this functionality enabled and tracks back to the server.

Java - Fail Sun/Java

HTML5 Canvas tricks are when users have allowed crap to use the HTML5 canvas for rendering that were outside the original HTML5 specifications. The Canvas is essentially a way to get non-HTML5 content into a page using HTML5 specs. So it is the content via the HTML5 Canvas that is using this as a hole to hide cached info.

Failure - HTML5/Apple/Google/Firefox (These are the companies that created HTML5 and/or use it in ways that are beyond simple rendering. For example WebGL that Google and Firefox like to brag about, that is a horrible security nightmare.)


Next question, which browsers allow this to happen? Well all of them do with Flash and Java, and all of them again if the person has installed native code rendering via HTML5 like WebGL, etc.

The Sandbox of IE9 kills off the usability of most of these though, because getting 'read' access to even a cookie itself has to go through the broker engine. However, it fails in that it gives Flash and Java more access to the FS via the broker than it should. (Chrome just recently implemented more of an IE9 sandbox technique with brokers, but it also allows Flash and Java full access to crap - even the internally rendering Flash content.)


Next thought for the author?

Just because this is a WSJ news story, do you just repeat it, or do you find the Stanford research information and the follow ups? What would a journalist do, maybe a Google/Bing search at least, right?


The Microsoft/MSN super cookies are against MS policies, and were implemented by both 3rd parties ads, 3rd party content contributors and there were a few bits of old code using ETags on some Microsoft sites that were in place for site optimization/loading.

Microsoft removed them.

Hulu also removed theirs as well.

There are a few nefarious advertising companies that use this crap that have been getting attention.

What is really weird is that Google and other companies also were found to have 'high' use of super-cookies, but it was Microsoft and Hulu that got attention because they have STRICT policies against them.

Since Google is an advertising company and DOES NOT have policies against this crap, they didn't make news in the research.

Sadly, people will walk away from this thinking it was just Hulu and Microsoft and maybe the one advertising company that are/were bad...

Not clear technical details in the article on where exactly the "supercookies" were being stored. If they were plain text files in shell:Cookies, deleting cookies *SHOULD* delete all of them. If they were Flash cookies, the latest IE updates when clearing history also clear flash-related history. Or you could completely turn off Flash cookies from the newly introduced Flash control panel. If the "supercookies" were storing info in Index.dat, that's worrying as Index.dat is not as easily deletable.

xpclient said,
Not clear technical details in the article on where exactly the "supercookies" were being stored. If they were plain text files in shell:Cookies, deleting cookies *SHOULD* delete all of them. If they were Flash cookies, the latest IE updates when clearing history also clear flash-related history. Or you could completely turn off Flash cookies from the newly introduced Flash control panel. If the "supercookies" were storing info in Index.dat, that's worrying as Index.dat is not as easily deletable.

Read a similar article about this on a Dutch website a few days ago about those supercookies; they aren't Flash cookies, they are HTML5 cookies. With some cache request, websites can place back cookies as they were even if they are deleted.

Am I the only one who doesn't care about cookies? Feel free to track my sporadic browsing use, it's so inconsequential to me.


Such things should not be legal, but hey, the companies are doing it so it's legal; only the users have no rights in North America.

Supercookies? That's just another stupid loophole in the endless mess of "everyone wants to reinvent the web". I wouldn't doubt that this technique is already used by many other sites.

cralias said,
I wouldn't doubt that this technique is already used by many other sites.

It is. Flash cookies are old news. Still should not be legal.

I use Tor browser. CC is good but I've noticed Tracks eraser gets some things CC leaves behind.
ahhh, the interwebs... Security is just a state of mind...

Julius Caro said,
Neowin doesn't miss a chance to promote CCleaner, now, don't they?


And by the way, Flash DOES have an option to clear saved data.


Yeah, it might have an option, but the point is that an average user who selects the "clear cookies" option of their browser would assume that all the cookies are gone, not that they would also have to go into the Flash settings (which aren't easily accessible) to clear the private data; therefore the "supercookie" would get left behind.

Julius Caro said,
Neowin doesn't miss a chance to promote CCleaner, now, don't they?

How are not missing the chance? As if they have some motive.. I take it as a simple suggestion to readers..

Xenosion said,

How are not missing the chance? As if they have some motive.. I take it as a simple suggestion to readers..

Why won't they direct the readers to go to Flash settings and hit the 'clear' button? I don't know if they have motive or not, but it's not the first time an article on the front page promotes the use of CC cleaner. I don't have anything against it per se, but the use of registry cleaners has always been a tricky deal.

Julius Caro said,

Why won't they direct the readers to go to Flash settings and hit the 'clear' button? I don't know if they have motive or not, but it's not the first time an article on the front page promotes the use of CC cleaner. I don't have anything against it per se, but the use of registry cleaners has always been a tricky deal.


CCleaner is both a disk cleaner AND a registry cleaner. The disk cleaning portion is great, but the registry cleaner portion should be used with caution. Nowhere here is it suggested to use the registry cleaner, and that certainly wouldn't remove cookies.

And the reason it gets mentioned is it does a good job on such tasks and is free. What's wrong with that?

Julius Caro said,
Neowin doesn't miss a chance to promote CCleaner, now, don't they?


And by the way, Flash DOES have an option to clear saved data.

and what did you just do? ROFL Nice work man, rage on.

jupe said,


Yeah, it might have an option, but the point is that an average user who selects the "clear cookies" option of their browser would assume that all the cookies are gone, not that they would also have to go into the Flash settings (which aren't easily accessible) to clear the private data; therefore the "supercookie" would get left behind.


I'm one of those then... I did think that cookies were deleted when you selected cookie deletion in the browser... But I know that these kinds of cookies won't go off that easily.

gigapixels said,

CCleaner is both a disk cleaner AND a registry cleaner. The disk cleaning portion is great, but the registry cleaner portion should be used with caution. Nowhere here is it suggested to use the registry cleaner, and that certainly wouldn't remove cookies.

And the reason it gets mentioned is it does a good job on such tasks and is free. What's wrong with that?

With the complexity of virtualization of software and compatibility, Registry Cleaners are a BIG NO NO on Vista and Windows 7. Microsoft has talked about this numerous times.

And it is a big deal if readers go install this software and run the registry cleaner portion of the software, as it could mess up user settings and how software operates on the computer. Recommending a product for a specific feature is great, but recommending a product that could cause harm.

The complexities of how software compatibility and virtualization work in Windows Vista and Windows 7 are a deep enough subject to fill a semester of research work at MIT, and yet people are letting an automated program that is built off of the premise of the Win9x OS model that didn't properly manage registry orphans is just insane.


thenetavenger said,

With the complexity of virtualization of software and compatibility, Registry Cleaners are a BIG NO NO on Vista and Windows 7. Microsoft has talked about this numerous times.

And it is a big deal if readers go install this software and run the registry cleaner portion of the software, as it could mess up user settings and how software operates on the computer. Recommending a product for a specific feature is great, but recommending a product that could cause harm.

The complexities of how software compatibility and virtualization work in Windows Vista and Windows 7 are a deep enough subject to fill a semester of research work at MIT, and yet people are letting an automated program that is built off of the premise of the Win9x OS model that didn't properly manage registry orphans is just insane.


Dang cookies!!

I use CC registry cleaning religiously on Windows 7. Never had an issue with it.