Jacques Mattheij

Technology, Coding and Business

Evercookies in the wild, Kia, Mazda, German & Polish Newspapers, Piracy Honeypots and more

Of all the privacy violating tracking methods on the web there are two that are particularly bad, the first one is called ‘evercookies’ for being particularly hard to get rid of, the other is called Browser Fingerprinting and is impossible to detect.

Evercookies are to regular browser cookies just as superglue is to cellotape. Evercookies work by storing cookies on your computer using a large number of different techniques and upon refresh re-creating all of the cookies if you have tried to delete them. An evercookie sent to your browser has a very high likelihood of remaining on your system until you re-install it from scratch. On a hunch, while doing the 1,000,000 homepage crawl I decided to see if anybody actually uses evercookies for their tracking rather than to just appreciate it as a neat proof-of-concept. The trigger for the evercookie detector is particularly naive, it simply checks for the presence of the word ‘evercookie’ in the URL since that’s the name of the script as originally distributed. I expected to see some activity, particularly in the lower regions of the toplist where less well known websites unconcerned with their public image and brand name damage when found out might engage in this practice.

Indeed, I found a bunch of those. But that’s not all that I found, I also found them on a couple of sites with high visibility and big brand names!

There are two main groups of evercookie using sites: those that have the evercookies on their main domain and those that have them indirectly by choosing the wrong partners to trust with their user’s browsers. Such rogue inclusions by service providers were exactly the kind of abuse I had in mind when I started the 1,000,000 homepage project in the first place, and evercookies are a particularly good example of the kind of nastiness website users can be exposed to when external resources are included in an otherwise innocent looking webpage from a party that they trust.

It is very well possible that the companies mentioned here that include the evercookies only indirectly are simply not aware of the fact that they have opened up their visitors to this danger.

Besides the expected marketeers, porn sites, scammers and advertisers (who ever expected those to have something in common?) there are also some more surprising entries.

For example: car manufacturers KIA and Mazda have evercookies on their Russian corporate website, included indirectly from one of their service providers (A company called ‘exebid.ru’ for KIA and ‘facetz.net’ for Mazda). So even though the two car manufacturers do not engage in the practice themselves such big and well-known brands have absolutely no business to be seen near such technology, let alone using it even if indirectly on their websites. When you include javascript components or iframes on your website from third parties you are resonsible to your end-user for whatever those third parties end up serving to your customers.

Particularly disturbing is that I found hard evidence of indirect evercookies on the sites of many Polish newspapers including gazetawroclawska.pl, dzinniklodzki.pl (indirectly, through a site called ‘Gratka.pl’) and finally served up directly from the websites of German Newspapers allgemeine-zeitung.de and www.echo-online.de.

What reason newspapers have to attempt to track their visitors for ever is beyond me and especially in the case of the German newspapers this is quite possibly illegal. Contrary to EU law no warning or agreement was asked before these practically un-deletable cookies were placed on my computer, they - unlike the car brands and the Polish newspapers - don’t have any fig leaf to hide behind because the evercookies were served directly from their main domains.

One would expect newspapers to be at the forefront of the protection of the privacy of their users, not working as hard as possible to erode that privacy.

Finally, I think I’ve found evidence that moneyplatform.biz and all the associated domains are a filesharing honeypot. I can’t think of any other reason for having evercookies on a filesharing site unless the goal is to build up a case against uploaders/downloaders of pirated content.

The topmost offending domains that use evercookies (that I detected, there could very well be more for instance the script could be renamed) are here:

Domains using evercookies directly:

Domain: Evercookie Url: Kind: Comments:
paidviewpoint.com paidviewpoint.com... Marketeers You really have to love the 'about' page on this one, pretend they are really hot on privacy.
k2s.cc k2s.cc/ext/ev... filesharing I guess they want you to share just a little bit more about you
fboom.me static2.fboom.me... filesharing safe, secure and 4ever
keep2share.cc keep2share.cc... filesharing
profittask.com profittask.com... Russian scam mturk clone
echo-online.de www.echo-online.de... German newspaper
deccoria.pl deccoria.pl/j... Polish online pinboard
allgemeine-zeitung.de www.allgemeine-zeitung.de... German newspaper
nbamania.com nbamania.com/... Chinese sports site
moneyplatform.biz static1.moneyplatform.biz... Parent of keep2s.cc, k2s.cc, keep2share.cc and fileboom.me 404's, but on other sites still there. Filesharing sites with evercookies, seems like they're either a filesharing honeypot or an accident waiting to happen
uduba.com uduba.com/lib... Russian meme site
grabo.bg grabo.bg/ever... Bulgarian groupon clone
existenz.se existenz.se/e... Swedish link sharing page
pornme.pm www.pornme.pm... German porn site Porn sites uncareful with users privacy, what could possibly go wrong
ptrack1.com www.ptrack1.com... Survey fill-out farm
keep2s.cc keep2s.cc/ext... another keep2share url
person.com person.com/ec... adult chat site

Domains using evercookies indirectly:

Domain: Evercookie Url: Kind:
mazda.ru front.facetz.net… car manufacturer
urbangroup.ru front.exebid.ru… Russian real estate site
expressilustrowany.pl statystyki.gratka.pl… Polish Newspaper
gazetawroclawska.pl statystyki.gratka.pl… Polish Newspaper
dzienniklodzki.pl statystyki.gratka.pl… Polish Newspaper
kia.ru front.exebid.ru… car manufacturer
trial-sport.ru front.facetz.net… Russian sports site

The Polish media sites seem to be linked to ‘gratka.pl’ tags included on other websites, which in turn pull in the evercookie javascript, and this in turn may have something to do with the fact that the evercookie has been created by Polish hacker Samy Kamkar, who did the world a pretty good service by pointing out this dangerous possibility.

The code for the crawler and analysis is up at github.com/jacquesmattheij/remoteresources.