Cookies are small bits of information stored in a browser that (irritating advertising tracking aside) are generally pretty useful, as they allow for things like sustained logins to websites, saved preferences, and other browsing conveniences.
One particular type of cookie is rather dangerous, however, and is outright banned by any properly coded web browser: the super cookie. Wherein a normal cookie is assigned to a specific domain, such as a cookie that retains your display preferences on www.somemadeupwallpapersite.com, a super cookie is a cookie that has been assigned to a top-level domain such as .gov or .com. If a web browser respected a cookie with such a broad reach, it would have serious security implications as any domain that fell inside the .com top-level domain (e.g. amazon.com, yahoo.com, and bankofamerica.com, for example) would all fall within the reach of whatever code a malicious user had hidden away inside the super cookie.
Browsers reference the Public Suffix List, a publicly maintained list of top level and secondary level public domains to determine which domain-based super cookies to ignore. While this works perfectly well for modern browsers, older browsers may have inadequate lists, which would leave them vulnerable to this exploit.
- By Jason Fitzpatrick on 08/1/13