Netscape Communications Corp. and Microsoft Corp. are working with an independent Web site operator to investigate what he said may be either a cookie-related privacy hole in their browsers or a rare phenomenon involving corrupted cookie.txt files.
Cookies aren’t generally shared among Web sites — servers receive only the information they’ve requested. However, Russ Smith, who runs Consumer.net in Alexandria, Virginia, said a check of his server logs indicated that he was getting more information than he asked for from one or two visitors a day out of 5,000. And two or three times a month, the amount of extra information would be “excessive,” he added.
“I have no idea how it happened, but I was apparently getting several — and maybe even all — of the cookies that were placed on the user’s system by other Web sites in these few cases,” Smith said. Some of the information included home addresses, e-mail addresses and footprints from recently visited Web sites, he added.
Smith alerted Netscape and Microsoft and posted some of the extraneous visitor information, with the sensitive portions blocked out, that he said showed up in his logs.
“Since the information just appeared there, I told Microsoft and Netscape to go through their own cookie files to look for things that shouldn’t be there,” Smith said.
Microsoft and Netscape both said they are working with Smith to pinpoint the cause of the glitch. Microsoft’s attempts so far have been unsuccessful, but Netscape was able to duplicate the phenomenon by creating a corrupted cookie.txt file and sending it to one of the company’s servers.
“We are still working to determine exactly what the problem is, but we do have preliminary indications that the problem is not on the server or the browser,” said Netscape spokesman Jim Adamson. “It looks like it’s a corrupted cookie file from the user’s computer. What causes that file to be corrupted, we may never know.”
Both companies said security issues were taken seriously and that teams had been assigned to investigate the matter. “At this point, we don’t have any reason to believe that this is a widespread problem. It’s extremely rare,” Adamson said.
He said users who were concerned about the problem could go into their browser’s preferences file and either disable cookies or delete their existing cookie.txt files.
The Consumer.net group of Web sites focuses on consumer issues but also covers travel, holiday and Internet-related information. Smith said his first site was set up to provide consumer information relating to the Telemarketing Consumer Protection Act. Privacy-protection software is also sold on the site.
