Microsoft 'supercookie' resurrected cleared cookies: Stanford research

Microsoft Corp. ran a “supercookie” on several of its domains that was able to access a browser's history regardless of whether the browser's cookies had been cleared, according to research from the Stanford University Security Laboratory. 

A supercookie is a tracking mechanism that is not deleted when a consumer clears cookies from a browser. The Stanford researchers found that Microsoft had two supercookies in place, one of which was able to respawn cleared identifier cookies. The other supercookie featured a mechanism that contained the contents of a defunct identifier cookie.

Jonathan Mayer, a member of the Stanford team, said via email that the supercookies could help Microsoft identify a browser and connect browser interactions before and after its cookies had been cleared.

Mayer said his team discovered Microsoft's supercookies on July 28 and notified the company “within six hours of discovering and confirming the cache and ETag supercookies.”

“We worked with Microsoft over the following week to learn more and assist them in fixing the issues we uncovered,” said Mayer.

The researchers found the supercookie on several Microsoft domains, including and Microsoft's advertising network Atlas Solutions also featured the supercookie.

Mayer said that to delete Microsoft's supercookies, a consumer would have to clear both their cookies and browser cache.
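The following Python model is an added illustration, not code from Microsoft or the Stanford study. It shows why clearing cookies alone leaves the identifier in place when a site also stores it in a cache validator (ETag). The `Site`, `Browser` and `audit` names, and the `id` cookie, are constructed for this example.

```python
import uuid

class Site:
    """Hypothetical site (constructed model). respawn=True reads the ID back from the ETag."""
    def __init__(self, respawn):
        self.respawn = respawn

    def handle(self, headers):
        visitor = headers.get("Cookie", "").partition("id=")[2]
        if not visitor and self.respawn:
            # Cookie is gone: recover the ID from the validator the cache echoes back.
            visitor = headers.get("If-None-Match", "").strip('"')
        visitor = visitor or uuid.uuid4().hex
        return {"ETag": f'"{visitor}"', "Set-Cookie": f"id={visitor}"}

class Browser:
    """Only the two stores that matter here: the cookie jar and the cached validator."""
    def __init__(self):
        self.cookies, self.etag = {}, None

    def visit(self, site):
        headers = {}
        if "id" in self.cookies:
            headers["Cookie"] = "id=" + self.cookies["id"]
        if self.etag:
            headers["If-None-Match"] = self.etag
        response = site.handle(headers)
        self.etag = response["ETag"]
        self.cookies["id"] = response["Set-Cookie"].partition("=")[2]
        return self.cookies["id"]

    def clear_cookies(self):
        self.cookies.clear()

    def clear_cache(self):
        self.etag = None

SCENARIOS = {"cookies_only": ["clear_cookies"], "cache_only": ["clear_cache"],
             "cookies_and_cache": ["clear_cookies", "clear_cache"]}

def audit(respawn):
    """Map each clearing scenario to True if the visitor ends up with a new identifier."""
    changed = {}
    for name, steps in SCENARIOS.items():
        site, browser = Site(respawn), Browser()
        before = browser.visit(site)
        for step in steps:
            getattr(browser, step)()
        changed[name] = browser.visit(site) != before
    return changed
```

`audit(True)` reports that only the combined cookie and cache clear changes the identifier, while `audit(False)` shows an ordinary cookie-only site losing it as soon as cookies are cleared.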

A Microsoft spokesperson said via email that the company disabled the “legacy code” that enabled the cookie behavior observed by the researchers. Data collected through the supercookie was not shared outside of Microsoft, said the spokesperson.

However, Microsoft did not respond to questions about the timing of the disabling or the researchers' observation that Microsoft's online behavioral advertising opt-out mechanism had been invisible on Apple's Safari and Google's Chrome browsers.

Mayer said the researchers noticed the mechanism's invisibility on August 1. “I believe Microsoft only fixed the issue in the past few days,” he said.

Last month, the Stanford researchers said a number of advertising industry firms violated their own privacy policies by continuing to track consumers' online behavior after they opted out of receiving targeted ads.

