We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

The myth of the dangerous cookie

Published May 21st, 2014 at 11:08 AM EDT , modified May 21st, 2014 at 11:08 AM EDT

Cookies have achieved a near-mythological status as harmful these days. Most people don’t have a clear picture of what they are, but nonetheless, many believe that cookies should be deleted regularly, or even blocked entirely. Often, this is based on advice from forums or even computer techs. The rumors of the hazardous cookie have gotten so prevalent that it’s worth asking the question: are cookies really as dangerous as everyone says?

First, for those who may not know exactly what a cookie is, they’re really quite simple. A cookie is simply a bit of data that a website has asked your browser to hold onto for a while. When you go back to that site later, that site can retrieve its data. The data stored can consist of anything, really, but it cannot hold anything that the site doesn’t already “know.”

Cookies typically expire after a certain amount of time, meaning that they will be removed after that point. The expiration date is set by the site, and can vary widely. Some sites may even set cookies that never expire, although this is fairly uncommon. Cookies are also retrievable only by the site that set them. Your web browser will not give data from a cookie belonging to one site to any other site.

One thing that cookies are often blamed for is containing and transmitting viruses. There’s absolutely no truth to this myth at all. Cookies are data, pure and simple, and even if that data happened to hold some malicious executable code, your browser would not run that code. Cookies cannot take any actions on their own, and if you happen to visit a malicious site, the threats that site may pose are not in any way related to cookies. On this point, you can set your mind completely at rest.

Cookies are also sometimes blamed for causing all manner of stability and performance problems. If someone is having a problem with their browser crashing or loading sites slowly, you can bet that someone will advise deleting cookies. (I’ve even seen such advice given for general system problems that aren’t specific to the web browser.) This advice is garbage, though, typically given by someone who is just repeating something they heard someone else say, not because it actually works. Cookies do not cause such problems in the browser, much less with the system in general!

adwareAnother “evil” attributed to cookies is violating privacy. So-called “tracking cookies” are designed to track users’ movements between sites. Such things really do exist, but stories of their capabilities have attained mythical status. In reality, tracking cookies are often used by advertisers to track the sites visited by a particular user. However, there are some serious limitations on such tracking cookies. First, because a cookie can only be retrieved by the site that set it, these cookies can only be used on sites that load and display dynamic content provided by the cookie’s creator. In other words, if an advertiser called WeLikeSpam sets a tracking cookie, that cookie is only functional on sites that include advertising from WeLikeSpam (called affiliate sites).

In addition, cookies can only contain data the site already knows. When it comes to an advertiser, like WeLikeSpam, this really includes very little. Unless you enter some personal information into a form within a WeLikeSpam advertisement, that information is limited to things like the IP address of your computer, which affiliate site you were visiting, the date you visited and what browser you’re using. So, nothing that’s actually personal. This is all information your browser provides to every single site you visit.

What concerns people about tracking cookies is that they allow an advertiser to link a pattern of behavior (ie, what affiliate sites were visited when) with a particular web browser. Privacy advocates don’t like this, and they say that this information could, in theory, be used to link the behavior with your real identity. In reality, this would be much more difficult to do than those privacy advocates let on, assuming it’s possible at all, and the advertisers really don’t seem to care about that anyway. What the advertisers want to know is that a particular browser has spent a lot of time at specific sites. This allows automated software to create a profile that can identify the kinds of ads the user is more likely to click on, tailoring the advertising to the user. They really could care less about who you are.

In theory, a malicious site that manages to get code injected into a number of other sites could try to do more malicious tracking. However, due to the limitations imposed on cookies by web browsers, this is difficult and the information available is sparse. If the user can be tricked into providing information, there’s really no need to involve cookies or track the user across sites. There are far easier ways to scam people, so the effort required means this is an extremely unlikely avenue of attack.

I hear the question many of you will be asking, though… even if the risk is small, why not block or delete all cookies anyway? One very good reason that you shouldn’t is that it will interfere with the normal operation of many sites. Sites with login systems usually use cookies to maintain the session. You may not be able to log in at all if you block cookies on such a site. Similarly, shopping carts often involve cookies, so your online shopping may come to an abrupt halt on some sites if you block their cookies. There are many other examples of cookies being used for legitimate – and important – functionality on legit sites.

Now, it is true that you could block or delete only certain cookies, perhaps with the assistance of some third-party software. However, let’s be honest here: the risks are so small that it’s really not worth the effort. You are free to take that effort if you like, but I personally never bother. Does this mean that I condone tracking by advertisers? Not really, but neither do I see this as a serious privacy issue. You should be more concerned about the grocery store customer card you probably have in your wallet, since such systems are tracking much more personal data and associating it directly with your actual identity.

If you choose to block cookies, you can use a tool like Ghostery to help you do so. I do not consider that necessary, but everyone has their own tolerances for such things.



  • Dave says:

    Thanks! That is some useful information!

  • Zak says:

    I didn’t think people still told friends and clients to delete cookies incessantly any more. Good to know bad advice lives on, job security for me.

    And the tracking cookie for Google makes them think I am 65, female, and thinks I like some pretty odd stuff. Calling tracking accurate is false so don’t worry about those either unless you visit porn sites and don’t want the ads showing on other sites where a (potential) spouse can see. This only applies to ad sites that host ads for everything from infant toys to hardcore porn.

  • ben says:

    The following link shows how retained cookies can be accessed to gain information from an Australian government website. The link is general information about a known vulnerability and not a detailed ‘how to’ that could used by those with ill intent. My point is, the cookies are a vulnerability that in this instance are exploited to log into someone’s account.

    • Thomas says:

      Cookies were not the vulnerability in that case. The problem is that that site was (is?) vulnerable to cross-site scripting attacks, allowing an attacker to run their own JavaScript code within the MyGov site. This allows the hackers to do things like access that site’s cookies, because the script is considered to belong to that site.

      Further, clearing your cookies would be no help against this exploit. It only works if you’re currently logged into the site. The cookie holds a session ID for your login, but logging out would close that session. Clearing the cookie would be superfluous, and you can’t clear the cookie but stay logged in.

      • ben says:

        Thanks for the clarification. Still, it is a bit of a worry that vulnerability exists for Australian users, but that is another topic.

  • ben says:

    P.S. I’m not Ben Grubb the author of the media story. I’m another Ben, who is just drawing your attention to article.

This post is more than 90 days old and has been locked. No further comments are allowed.