IP: The Cookie Leak Security Hole in HTML Email messages

[Dave Farber <farber@cis.upenn.edu>]

>From: "Bill Burgos" <onomrbil@gol.com>
>Organization: White Bear
>To: Dave Farber <farber@cis.upenn.edu>
>Date: Sat, 4 Dec 1999 23:16:20 +0900
>
>
>
>Richard M. Smith (smiths@tiac.net)
>November 30, 1999
>
>Since the invention of Web browser cookies by Netscape, the claim has always
>been made that they are
>anonymous and cannot be associated with any personal information unless
>someone provides this
>information.
>
>In this write-up, I will present a technique in which browser cookies can be
>matched to Email addresses
>without people's knowledge. The technique relies on a security hole that is
>present in both Microsoft's
>Internet Explorer browser and Netscape's Navigator browser. This technique
>can be used, for example, to
>allow a banner ad company to associate an Email address with a "anonymous"
>profile that has been created
>for a person as they surf the Web. Once a banner ad company has an Email
>address tied to a profile, they
>can provide a service to advertisers of customized ads in "junk" Email
>message. These ads can be based on
>profiles previously created from Web site visits. In addition, banner ad
>companies can offer the service of
>sending out "junk" Email messages to people who visit a particular Web site.
>This last service makes Web
>surfing much less private.
>
>
><snip>
>
>
>http://www.tiac.net/users/smiths/privacy/cookleak.htm
>
>Bill
>onomrbil@gol.com
>mailto:onomrbil@gol.com