Zoom never understood the GDPR

Cookies

Almost every website knows when you last visited it. Websites keep you logged in and remind you to check out your shopping cart, and most users take this behavior for granted.

The magic of customization and personalization is possible thanks to cookies. Cookies are small pieces of information that are stored on your device and sent with every request to a website to help identify you.

While cookies can be useful for improving the security and availability of websites, there has been a long debate about their use for tracking users. Most of the concern relates to users being followed around the Internet by advertising cookies, and to how the resulting information can be used by third-party companies for manipulation.

Since the advent of the ePrivacy Directive and the GDPR, cookies have become a central sticking point in online privacy.

Over the past month, while uninstalling Zoom (observed using Threatspike EDR), we found that Google Chrome cookies were repeatedly accessed during the uninstall process:

It was highly suspicious. We decided to do a little research and see if this behavior is malicious.

We carried out the following steps:

  • Cleared the cookie file
  • Downloaded Zoom
  • Visited zoom.us
  • Visited various other websites, including obscure ones
  • Saved the cookies
  • Uninstalled Zoom
  • Saved the cookies again, to compare the two snapshots and see exactly which cookies Zoom affects

Some of the cookies were added when visiting the zoom.us site, and some when logging in on the site.

This behavior is expected. But when we tried to uninstall the Zoom client from a Windows computer, we noticed something interesting. The install.exe process opens and reads Chrome's cookies, including non-Zoom cookies.

After examining the read operations, we wondered whether Zoom only reads certain cookies from certain websites.

We repeated the steps above with different numbers of cookies and with different websites. That Zoom reads the cookies of some pop-star fan site or an Italian supermarket is hardly information theft. Based on our tests, the read pattern resembles a binary search for Zoom's own cookies.

However, by comparing the cookies before and after, we did find anomalous and interesting behavior during the uninstall. The installer.exe process writes new cookies:

Cookies without an expiration date (also known as session cookies) are deleted when the browser is closed. But the NPS_0487a3ac_throttle, NPS_0487a3ac_last_seen, _zm_kms and _zm_everlogin_type cookies do have an expiration date. The last of these has a lifetime of 10 years:

Judging by the name "everlogin", this entry records whether the user has ever used Zoom. And the fact that this record will be kept for 10 years after the app has been removed violates the ePrivacy Directive:

All persistent cookies must have an expiration date written into their code, but their duration may vary. According to the Privacy Directive, they should not be stored for more than 12 months, but in practice they can remain on your device for much longer if you do not take action.
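The before/after comparison described above, together with the 12-month retention check, can be automated against Chrome's Cookies SQLite database. This is an added example, not code from the original article or from Zoom or Threatspike; it assumes the `cookies` table columns host_key, name, expires_utc (microseconds since 1601-01-01 UTC) and has_expires, and the sample rows and expiry values are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores expires_utc as microseconds since 1601-01-01 UTC (Windows FILETIME epoch).
CHROME_EPOCH_OFFSET_S = 11_644_473_600
MAX_RETENTION = timedelta(days=365)  # 12-month limit cited in the article
NOW = datetime(2020, 4, 1, tzinfo=timezone.utc)  # constructed reference time

# Minimal copy of the columns this audit needs from Chrome's `cookies` table.
SCHEMA = "CREATE TABLE cookies (host_key TEXT, name TEXT, expires_utc INTEGER, has_expires INTEGER)"

def to_chrome_time(dt):
    return (int(dt.timestamp()) + CHROME_EPOCH_OFFSET_S) * 1_000_000

def from_chrome_time(expires_utc):
    return datetime.fromtimestamp(expires_utc // 1_000_000 - CHROME_EPOCH_OFFSET_S, tz=timezone.utc)

def snapshot(conn):
    """Map (host, name) -> expiry datetime, or None for a session cookie."""
    rows = conn.execute("SELECT host_key, name, expires_utc, has_expires FROM cookies")
    return {(h, n): from_chrome_time(e) if has else None for h, n, e, has in rows}

def new_cookies(before, after, now=NOW, limit=MAX_RETENTION):
    """Cookies that appeared between snapshots; persistent ones outliving `limit` are flagged True."""
    result = {}
    for key, expiry in after.items():
        if key not in before:
            result[key] = expiry is not None and expiry - now > limit
    return result

def build_db(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", rows)
    return conn

# Constructed snapshots: one cookie from an unrelated site before the uninstall,
# then cookies named in the article added afterwards (expiry values are assumptions).
BEFORE_ROWS = [("news.example", "uid", to_chrome_time(NOW + timedelta(days=30)), 1)]
AFTER_ROWS = BEFORE_ROWS + [
    (".zoom.us", "_zm_everlogin_type", to_chrome_time(NOW + timedelta(days=3652)), 1),
    (".zoom.us", "NPS_0487a3ac_throttle", to_chrome_time(NOW + timedelta(days=7)), 1),
    (".zoom.us", "example_session", 0, 0),  # constructed session cookie: no expiry
]

def audit_demo():
    """Return {cookie name: flagged} for cookies added between the two snapshots."""
    flagged = new_cookies(snapshot(build_db(BEFORE_ROWS)), snapshot(build_db(AFTER_ROWS)))
    return {name: bad for (_host, name), bad in flagged.items()}

if __name__ == "__main__":
    for name, bad in audit_demo().items():
        print(f"{name}: {'exceeds 12 months' if bad else 'ok'}")
```

To audit a real profile, point `sqlite3.connect` at a copy of the Chrome `Cookies` file taken before and after the uninstall instead of the constructed tables.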

Tracking user activity on the Internet is not the worst thing in itself. However, as a general rule, users do not look into what lies behind the "Accept all cookies" button. Whether ePrivacy and the GDPR are respected is often left to the company's conscience alone.

Findings like this cast doubt on how honestly personal data is handled across the entire Internet and across services of every kind.

Source: habr.com