From...

February 12, 1999
Web posted at: 4:26 p.m. EST (2126 GMT)

by Tom Diederich

(IDG) -- Netscape Communications Corp. and Microsoft Corp. are working with an independent Web site operator to investigate what he said may be either a cookie-related privacy hole in their browsers or a rare phenomenon involving corrupted cookie.txt files.

Cookies are small files, ranging up to 4K bytes, that are placed on the hard drives of PCs by some Web sites, especially "customized" sites -- those that say "Welcome, John Doe!" when you log on, for example, and allow site operators to track visitors. Some of the information in the cookies comes from users, who fill out forms that usually ask questions such as their name or E-mail address. Information such as the user's Internet service provider and other connection-related data can be sent to the cookie automatically, however.

Cookies aren't generally shared among Web sites -- servers receive only the information they've requested. However, Russ Smith, who runs Consumer.net in Alexandria, Va., said a check of his server logs last week indicated that he was getting more information than he asked for from one or two visitors a day out of 5,000. And two or three times a month, the amount of extra information would be "excessive," he added.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
Computerworld's home page
Computerworld Year 2000 resource center
Computerworld's online subscription center
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Questions about computers? Let IDG.net's editors help you
Search IDG.net in 12 languages
Subscribe to IDG.net's free daily newsletter for IT leaders
News Radio
	Computerworld Minute
	Fusion audio primers

"I have no idea how it happened, but I was apparently getting several -- and maybe even all -- of the cookies that were placed on the user's system by other Web sites in these few cases," Smith said. Some of the information included home addresses, E-mail addresses and footprints from recently visited Web sites, he added.

Smith alerted Netscape and Microsoft and posted some of the extraneous visitor information, with the sensitive portions blocked out, that he said showed up in his logs.

"Since the information just appeared there, I told Microsoft and Netscape to go through their own cookie files to look for things that shouldn't be there," Smith said.

Microsoft and Netscape both said they are working with Smith to pinpoint the cause of the glitch. Microsoft's attempts so far have been unsuccessful, but Netscape was able to duplicate the phenomenon by creating a corrupted cookie.txt file and sending it to one of the company's servers.

"We are still working to determine exactly what the problem is, but we do have preliminary indications that the problem is not on the server or the browser," said Netscape spokesman Jim Adamson. "It looks like it's a corrupted cookie file from the user's computer. What causes that file to be corrupted, we may never know."

Both companies said security issues were taken seriously and that teams had been assigned to investigate the matter. "At this point, we don't have any reason to believe that this is a widespread problem. It's extremely rare," Adamson said.

He said users who were concerned about the problem could go into their browser's preferences file and either disable cookies or delete their existing cookies.txt file.

The Consumer.net group of Web sites focuses on consumer issues but also covers travel, holiday and Internet-related information. Smith said his first site was set up to provide consumer information relating to the Telemarketing Consumer Protection Act. Privacy-protection software is also sold on the site.