Cookiegate

Jonathan Mayer, a diligent researcher, discovered that Google is bypassing Safari’s third-party cookie settings. This has put Google in a bit of hot water, since this seems like a clear-cut case of ignoring how users want their content to be managed.

But the problem actually lies with Safari, which has known flaws in its security model for how it manages cookies. Once a site sets cookies, Safari will grant access to those cookies, regardless of changes to your cookie security settings.

This is very easy to demonstrate. Make sure that cookies are enabled in Safari, and log in to Facebook. Once logged in, go to your privacy settings and block ALL cookies. Close the window, open a new one, and navigate back to Facebook. You’ll see that you’re still logged in.

Now try this same trick with Firefox. You’ll find that as soon as you disable cookies, Facebook logs you out, because Firefox denies Facebook access to the cookie immediately.

As for Google’s (and others’) work-arounds to Safari’s active cookie policy, these exploits have been well documented for over a year, and totally ignored by Apple.

If you’d like to experiment, I’ve set up a test page: cookietest.html

This page uses the embedded buttons for common social networks, every one of which relies to some degree on being able to set and read cookies on your computer. Try visiting the page with Safari and your other browsers and see how they manage cookies depending on your settings. Every single social plugin will load and operate properly if Safari has logged in to the individual sites before visiting the page, even if you subsequently deny third-party cookies. Chrome and Firefox work properly, and deny access to these cookies as soon as you set your preference to block them, whether or not they’ve already been set.
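To repeat the check against your own browser without relying on a social network login, here is a minimal local probe, added as an example and not the code behind cookietest.html. The cookie name `probe_id` and the 127.0.0.1:8000 address are assumptions chosen for illustration.

```python
"""Cookie probe: reports whether the browser returned a cookie set earlier."""
import secrets
from http.cookies import CookieError, SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE_NAME = "probe_id"  # assumed name, not taken from the original test page


def classify(cookie_header):
    """Return (state, set_cookie) for one request's Cookie header.

    state is "returning" when the browser sent our cookie back, else "new".
    Only a "new" visitor receives a Set-Cookie value.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        jar = SimpleCookie()  # treat an unparsable header as "no cookie"
    if COOKIE_NAME in jar and jar[COOKIE_NAME].value:
        return "returning", None
    fresh = SimpleCookie()
    fresh[COOKIE_NAME] = secrets.token_hex(8)
    fresh[COOKIE_NAME]["path"] = "/"
    fresh[COOKIE_NAME]["max-age"] = 3600
    return "new", fresh[COOKIE_NAME].OutputString()


class Probe(BaseHTTPRequestHandler):
    def do_GET(self):
        state, set_cookie = classify(self.headers.get("Cookie"))
        body = f"cookie state: {state}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        # no-store so a reload always reaches the server instead of a cache
        self.send_header("Cache-Control", "no-store")
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Probe).serve_forever()
```

Load http://127.0.0.1:8000/ with cookies enabled, reload until it reports `returning`, then block all cookies and open a new window: a browser that enforces the setting on reads reports `new` on every load, while the behavior described above for Safari reports `returning`.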

Safari has another odd behavior: it will let sites set cookies on the initial visit, even with cookies blocked. These cookies seem to be inaccessible to the site that set them, but they are still stored.

Apple has a pretty poor track record in keeping up with security problems, especially in Safari. As much as Google may be at fault here for using this exploit, Apple’s cookie implementation is sub-par, and shows that Apple cares a lot less about their users’ privacy than they claim.


Written on February 24, 2012