Join 3,433 readers in helping fund MetaFilter (Hide)


Do you have a 'Super Cookie' ??? Another m$ screw-up...
January 17, 2002 6:52 AM   Subscribe

Do you have a 'Super Cookie' ??? Another m$ screw-up... Very interesting since wmp just minutes before tried to access the net through my firewall that is set to block all except a few programs. If you're running mozilla his demo doesn't hit but using msie it sures pulls up the ID# of my wmp... time to tighten things down again!!! Another blasted waste of time to fix what m$ should not have let out in the first place!!! Link via... Inflight Correction
posted by tilt (13 comments total)

 
This is not a mistake. It is an intentional design feature. Surprised? You shouldn't be.
posted by yesster at 7:06 AM on January 17, 2002


>intentional design feature. Surprised?

Actually I'm not, I don't use cookies on any of my sites (I used to) but I sure wish such a feature wasn't enabled by default! I only use msie and netscape to verify page designs/scripts, mozilla is my preferred browser, and this just reinforces that choice!!!
posted by tilt at 7:24 AM on January 17, 2002


Opera 6 and NN4.7 both return the key.

Why do we have to continually deal with this kind of crap from Microsoft?!

-joe
posted by jlachapell at 7:41 AM on January 17, 2002


"In newer versions of WMP, there is an option on the "Tools | Options" Menu called "Allow Internet sites to uniquely identify your player". If this option is manually turned off, SuperCookies will also be disabled because Internet Explorer will generate a new player ID number each IE session"

Mine wasn't even on anyway.
posted by yupislyr at 7:44 AM on January 17, 2002


It seems to be off by default in Win XP. I'm using XP Pro with Opera 6 and it didn't pull the key.
posted by holycola at 7:54 AM on January 17, 2002


Much as I enjoy microsoft-bashing, this particular problem sounds unintentional. Sure they built a unique ID into every copy of windows media player, but the idea of using that ID to track usage of a different piece of software altogether -- the web browser -- is rather subtle (whoever thought of this first is a pretty smart, er, cookie.)

One can certainly question why they felt the media player itself needed a unique ID, though.
posted by ook at 8:30 AM on January 17, 2002


Smells like a fetal int-prop rights managment mechanism to me...
posted by BentPenguin at 8:54 AM on January 17, 2002


On by default in XP Professional, just received on my new computer yesterday....

And, when I turn that option off, they still get the key....so, is the supercookie really off? Who can say?
posted by dwivian at 9:16 AM on January 17, 2002


dwivian, do you get the same key when the ID option is off, or a randomly generated one each time you restart your browser?

(can't test this myself; I'm using OSX. There, I said it.)
posted by ook at 9:35 AM on January 17, 2002


From today's news Gates makes security top focus

The good - "Gates called on employees to make a fundamental change in the way they think about developing products, emphasizing security over new functions."

And the bad (?) - "....Issuing a statement doesn't solve any problems,'' said Bruce Schneier, chief technology officer at Counterpane Internet Security in San Jose. Microsoft is notorious for treating security as a public-relations problem. "
posted by lucien at 10:20 AM on January 17, 2002


Doesn't work for me- XP Pro. See, every time I go to the page I get a prompt as to whether I want to run an ActiveX control, and not trusting the webpage enough, I say no. And then it doesn't even get to run its little activex control. Funny what a simple securing of your browser can do, you open-legged web-browsing sluts. :) Oh, and the option was turned off by me a long time ago in WMP anyway.

I'm not saying this isn't an MS snafu, but do Linux folk or UNIX folk laugh at novice users who use those OSes and don't secure them? MS shouldn't leave their OSes so open by default with these little backdoors, but I'm pretty sure the WMP cookie is not much different than the realplayer cookie that's been around since early versions.
posted by hincandenza at 10:24 AM on January 17, 2002


Usually I go through obvious options and turn things like this off immediately. Mine has been off since I upgraded WMP, I reckon, and the last 12 characters do seem randomly generated with every browser restart.

Can anyone deconstruct the first part of the cookie and see what --if anything-- is being revealed by the first 20 characters? I'm guessing os, browser, and version id, maybe, but you never know.

-umberto
posted by umberto at 11:01 AM on January 17, 2002


Russ Cooper has a good explanatory post on NTBugTraq about this. Summary: it's not a bug, and if you turn off the option to uniquely identify yourself, then WMP returns a randomly-generated GUID, not the one that is unique to your copy of WMP.

And thanks to hincandenza for pointing out that Real has had this same unique ID around for a long, long time in their media player.

Gawd, people are so apt to jump onto a bandwagon...
posted by delfuego at 11:28 AM on January 17, 2002


« Older The DJ's on your local radio station may not be li...  |  David Duchovny why won't you l... Newer »


This thread has been archived and is closed to new comments