
Browser bug opens cookie files

A potential privacy hole on both Netscape's and Microsoft's browsers may be causing cookie files to give up users' data, such as passwords and postal addresses.

Paul Festa Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.
A potential privacy hole in browsers made by Netscape Communications and Microsoft may be offering site operators users' data from other sites, such as passwords and postal addresses.

Web sites place software files known as cookies on visitors' hard drives to keep track of information such as passwords and past purchases. Normally, a Web site will have access only to the information it placed in these files.

Consumer.net owner Richard Smith was reviewing his server logs when he noticed some extraneous information. Once or twice a day, a few extra pieces of information that shouldn't have been there appeared. And every few weeks, specifically when visitors viewed the site with Communicator, the browser would yield a huge batch of data.

Smith has posted a Web page describing the problem and showing the files he unwittingly downloaded from his visitors.

Netscape said that it is working closely with Smith to try to duplicate the problem but that so far it has been unable to do so.

"If we can't duplicate it, we can't fix it, and if we can't duplicate it, it's not occurring with enough frequency that someone could manipulate it maliciously," a Netscape spokesperson said.

Microsoft said it too was looking into the matter and could not yet comment on it.

Smith's Consumer.net site is devoted primarily to consumer advocacy on telemarketing issues. But Smith links on a commission basis to two sites that sell privacy software with anti-cookie features.

For its part, Netscape has fended off a number of privacy holes through which a malicious Web site operator could harvest information from a visitor's cookies, cache, browsing history, and file directory. But in these instances, it required an active effort on the part of the Web site operator to collect the information. In the case Smith describes, the information is simply showing up in his logs.

Cookies have been a frequent source of contention between privacy advocates and marketers. The U.S. government went so far as to take sides on the issue last year, issuing a report that said concern over the technology was overblown.

But arguments in support of cookies have rested on the presumption that the files are performing properly and that only a site that places a cookie can obtain the files related to it. Glitches like the one Smith describes add weight to arguments that the technology is prone to abuse.

"I think this points out that everyone should be aware that they have a file that contains this cookie information, and should regularly check it and make sure that they're comfortable with the information they find there," said Shari Steele, director of legal services at the Electronic Frontier Foundation.

"Furthermore, Microsoft and Netscape are responsible for making sure that the information in the cookie is not transmitted to the wrong people," Steele said. "I might be very comfortable giving certain information to one Web site, for instance a credit card to Amazon.com, but I wouldn't want it going out to others."