Comments on: Comments on 13934

Post number 13934

tilt — Thu, 17 Jan 2002 06:52:07 -0800

Do you have a 'Super Cookie' ??? Another m$ screw-up... Very interesting since wmp just minutes before tried to access the net through my firewall that is set to block all except a few programs. If you're running mozilla his demo doesn't hit but using msie it sures pulls up the ID# of my wmp... time to tighten things down again!!! Another blasted waste of time to fix what m$ should not have let out in the first place!!! Link via... Inflight Correction

By: yesster

yesster — Thu, 17 Jan 2002 07:06:36 -0800

This is not a mistake. It is an intentional design feature. Surprised? You shouldn't be.

By: tilt

tilt — Thu, 17 Jan 2002 07:24:37 -0800

>intentional design feature. Surprised? Actually I'm not, I don't use cookies on any of my sites (I used to) but I sure wish such a feature wasn't enabled by default! I only use msie and netscape to verify page designs/scripts, mozilla is my preferred browser, and this just reinforces that choice!!!

By: jlachapell

jlachapell — Thu, 17 Jan 2002 07:41:13 -0800

Opera 6 and NN4.7 both return the key. Why do we have to continually deal with this kind of crap from Microsoft?! -joe

By: yupislyr

yupislyr — Thu, 17 Jan 2002 07:44:19 -0800

"In newer versions of WMP, there is an option on the "Tools | Options" Menu called "Allow Internet sites to uniquely identify your player". If this option is manually turned off, SuperCookies will also be disabled because Internet Explorer will generate a new player ID number each IE session" Mine wasn't even on anyway.

By: holycola

holycola — Thu, 17 Jan 2002 07:54:27 -0800

It seems to be off by default in Win XP. I'm using XP Pro with Opera 6 and it didn't pull the key.

By: ook

ook — Thu, 17 Jan 2002 08:30:31 -0800

Much as I enjoy microsoft-bashing, this particular problem sounds unintentional. Sure they built a unique ID into every copy of windows media player, but the idea of using that ID to track usage of a different piece of software altogether -- the web browser -- is rather subtle (whoever thought of this first is a pretty smart, er, cookie.) One can certainly question why they felt the media player itself needed a unique ID, though.

By: BentPenguin

BentPenguin — Thu, 17 Jan 2002 08:54:50 -0800

Smells like a fetal int-prop rights managment mechanism to me...

By: dwivian

dwivian — Thu, 17 Jan 2002 09:16:19 -0800

On by default in XP Professional, just received on my new computer yesterday.... And, when I turn that option off, they still get the key....so, is the supercookie really off? Who can say?

By: ook

ook — Thu, 17 Jan 2002 09:35:56 -0800

dwivian, do you get the same key when the ID option is off, or a randomly generated one each time you restart your browser? (can't test this myself; I'm using OSX. There, I said it.)

By: lucien

lucien — Thu, 17 Jan 2002 10:20:59 -0800

From today's news Gates makes security top focus The good - "Gates called on employees to make a fundamental change in the way they think about developing products, emphasizing security over new functions." And the bad (?) - "....Issuing a statement doesn't solve any problems,'' said Bruce Schneier, chief technology officer at Counterpane Internet Security in San Jose. Microsoft is notorious for treating security as a public-relations problem. "

By: hincandenza

hincandenza — Thu, 17 Jan 2002 10:24:08 -0800

Doesn't work for me- XP Pro. See, every time I go to the page I get a prompt as to whether I want to run an ActiveX control, and not trusting the webpage enough, I say no. And then it doesn't even get to run its little activex control. Funny what a simple securing of your browser can do, you open-legged web-browsing sluts. :) Oh, and the option was turned off by me a long time ago in WMP anyway. I'm not saying this isn't an MS snafu, but do Linux folk or UNIX folk laugh at novice users who use those OSes and don't secure them? MS shouldn't leave their OSes so open by default with these little backdoors, but I'm pretty sure the WMP cookie is not much different than the realplayer cookie that's been around since early versions.

By: umberto

umberto — Thu, 17 Jan 2002 11:01:39 -0800

Usually I go through obvious options and turn things like this off immediately. Mine has been off since I upgraded WMP, I reckon, and the last 12 characters do seem randomly generated with every browser restart. Can anyone deconstruct the first part of the cookie and see what --if anything-- is being revealed by the first 20 characters? I'm guessing os, browser, and version id, maybe, but you never know. -umberto

By: delfuego

delfuego — Thu, 17 Jan 2002 11:28:12 -0800

Russ Cooper has a good explanatory post on NTBugTraq about this. Summary: it's not a bug, and if you turn off the option to uniquely identify yourself, then WMP returns a randomly-generated GUID, not the one that is unique to your copy of WMP. And thanks to hincandenza for pointing out that Real has had this same unique ID around for a long, long time in their media player. Gawd, people are so apt to jump onto a bandwagon...