Internet Explorer SuperCookies bypass P3P and cookie controls
Richard M. Smith (firstname.lastname@example.org)
January 16, 2002 (Updated Sept. 23, 2003)
There is a significant privacy problem with Internet Explorer
because of a design flaw in the Windows Media Player (WMP). Using
unique ID number of the Windows Media Player belonging
to a Web site visitor. This ID number can then be used just
like a cookie by Web sites to track a user's travels around
However, this ID number becomes a SuperCookie because it can be used
by Web sites to bypass all of the new privacy and P3P protections
that Microsoft has added to Internet Explorer 6 (IE6). IE6 ships
today with all Windows XP systems. SuperCookies also work in all
previous versions of Internet Explorer with all older versions of
After this article appeared, the SuperCookie problem was fixed by Microsoft in version 9
of the Windows Media Player by having all computers return the same cookie value of
Some of the other features of SuperCookies include:
- All Web sites get the same ID number so they
can easily exchange information about a user
much like third-party cookies are used today
by ad networks and Internet marketing companies.
- Even if someone is using a cookie blocker add-in,
SuperCookies will still work.
- If a user has deleted cookies from his or her computer
to stop tracking, a Web site can restore an
old cookie value from this ID number. Once the
cookie value has been restored, new tracking data
can be combined with tracking data that was
previously collected by the Web site.
- Blocking SuperCookies requires changing an obscure,
barely documented option in WMP.
I've set up a simple demo page that shows the
When the Windows Media Player is installed on a computer, a
unique ID number in the form of a GUID is assigned to the player.
This ID number is stored in the Windows registry. The ActiveX
Program to retrieve the ID number using the property "ClientID".
easy it is to retrieve the ID number:
ID=WMP WIDTH=1 HEIGHT=1>
be sent back to a Web site either by appending it to the URL
of a Web bug or storing it in a regular Web browser cookie.
The actual WMP player ID number is stored in the Windows registry in these keys:
string value "UniqueID"
string value "UniqueID"
If one of these keys is manually changed using REGEDIT, the demo page will show the new ID number. However, leaving the keys changed may break the Digital Rights Management (DRM) features of WMP.
In newer versions of WMP, there is an option on the "Tools | Options" Menu called "Allow Internet sites to uniquely identify your player". If this option is manually turned off, SuperCookies will also be
disabled because Internet Explorer will generate a new player ID number each IE session.
SuperCookies also work in Netscape Navigator if the WMP plugin has been installed.
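Because every Web site receives the same player GUID, and it can travel in the URL of a Web bug, an outbound proxy log can be checked for one GUID reaching several unrelated hosts. The following is an added example, not code from the original advisory; the log layout, sample lines, function names and the choice to ignore an all-zero ID are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# GUID with or without braces (assumed formatting of a player ID in a URL).
GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")
# Assumption: a constant all-zero ID is shared by every player and tracks nobody.
NIL_GUID = "00000000-0000-0000-0000-000000000000"

def guids_in_url(url):
    """Return the normalized (lowercase, brace-free) GUIDs carried in a URL."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes query values; the path is decoded explicitly.
    fields = [unquote(parts.path)]
    fields += [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    found = set()
    for field in fields:
        for match in GUID_RE.finditer(field):
            guid = match.group(1).lower()
            if guid != NIL_GUID:
                found.add(guid)
    return found

def cross_site_ids(log_lines, min_sites=2):
    """Report (client, GUID) pairs whose GUID was sent to >= min_sites hosts."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip malformed lines
        client, url = fields[0], fields[1]
        host = urlsplit(url).hostname
        if not host:
            continue
        for guid in guids_in_url(url):
            seen[(client, guid)].add(host)
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) >= min_sites}

# Constructed sample proxy log, one "<client> <requested URL>" per line.
SAMPLE_LOG = [
    "10.0.0.5 http://ads.example.com/bug.gif?id=%7B3F2504E0-4F89-11D3-9A0C-0305E82C3301%7D",
    "10.0.0.5 http://stats.example.net/t.gif?u=3f2504e0-4f89-11d3-9a0c-0305e82c3301&p=home",
    "10.0.0.5 http://shop.example.org/item?session=9b2f6c1a-7d44-4e0b-8a55-1c2d3e4f5a6b",
    "10.0.0.7 http://ads.example.com/bug.gif?id=00000000-0000-0000-0000-000000000000",
    "10.0.0.7 http://stats.example.net/t.gif?u=00000000-0000-0000-0000-000000000000",
]

if __name__ == "__main__":
    for (client, guid), hosts in cross_site_ids(SAMPLE_LOG).items():
        print(client, guid, "->", ", ".join(hosts))
```

Hosts are compared by full hostname here; grouping by registrable domain would reduce false positives from one operator's subdomains.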
Recommendations for Microsoft
I originally notified Microsoft of this problem in
March 2001. At that time there was no method of turning
message to Microsoft, they updated WMP to provide per-session player ID numbers when the WMP option "Allow Internet sites to uniquely identify your player" is unchecked. This update is described in this Microsoft security
However, I do not believe that this is a workable solution
for the majority of Windows users. Asking them to change
an obscure WMP setting to fix a privacy leak in Internet Explorer is not a good policy. Instead, I believe that the ClientID property in the WMP ActiveX should be permanently disabled by having it return an ID number of zero for all players.
Thanks to the many folks on the BugTraq and NTBugTraq mailing lists for helping sort out all of the technical details of this issue. Russ Cooper, moderator of NTBugTraq, was particularly helpful. Andrew Schulman and
David Martin also provided very useful feedback on the initial versions of this advisory.