Tracking Users Via the Browser Cache

The New Acunetix V12 Engine


An interesting new twist on things, rather than using cookies to store information you can use perpetually cached files.

So clearing your cache and cookies isn’t enough, could be a privacy issue you say, indeed it could..

Clearing cookies may not be enough as you may think. Your browser’s cache is a valuable store of information. A JavaScript .js file resource which is generated dynamically when requested can have embedded a unique tracking ID and can live permanently in your browser’s cache when sent with the right HTTP cache-control headers. This JavaScript file can then be called by pages. The script is never re-requested, and hence keeps the unique ID, and it can call resources on the server-side to track you. They just need to associate this unique ID once with your account (when you login first time after the ID was created), and they can set cookies back again later and track you anyway. The result is that you can be tracked uniquely even past the point where you clear your cookies (i.e., as if you never cleared your cookies to generate fresh ones).

You can view a live demo here.

This is a demonstration of how a person’s web-browser can be tagged and tracked using a unique identifier which lives in the web browser’s cache for a very long time (using HTTP cache control headers and browsers’ use of conditional GET requests). This serves the same purpose as using a cookie to track people. However popular web browsers lack finer cache disposal controls (compared to cookie disposal), and this is something which needs to be looked into. No private information is collected in this example. It has been tested on Firefox, IE6, Konqueror and Epiphany. I don’t know about the IE7 versions or Safari.

Source: Mukund

Posted in: Privacy, Web Hacking

, ,


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


One Response to Tracking Users Via the Browser Cache

  1. jMs October 25, 2006 at 8:19 pm #

    Very very unique site and article here… thanx for info sharin with us….

    keep those stuff comin in