Anti-Tracking Issues in Browsers



Browsers Have Anti-Tracking and Cookies Enforcement Issues

The third-party cookie policies of 7 major web browsers, 14 anti-tracking extensions, and 31 ad-blockers were analyzed by a team of Belgian researchers from KU Leuven. They discovered minor and major issues with all of them.

Major Issues

Some of the major issues discovered include Microsoft Edge's unwillingness to honor its own "block only third-party cookies" setting, the use of the integrated PDF viewer in Chrome and other Chromium-based browsers for invisible tracking, and bypasses of the Tracking Protection feature of Firefox.

Cookie requests may be sorted into two groups: first-party requests, which involve the address listed in the address bar, and third-party requests, which involve all other websites. Cookies are used by the advertisements displayed on websites, and some cookies are used for tracking purposes. Internet users can configure their browsers to block third-party cookie requests so as to limit cookie-based tracking. In addition, some browsers, such as Firefox or Opera, include anti-tracking and ad-blocking functionality.

Flaws in Anti-Tracking Mechanisms

"Who Left Open the Cookie Jar?" is a research paper on the comprehensive evaluation of third-party cookie policies. The paper contains detailed information about each of the web browsers. It tests each browser to find out whether it is vulnerable to any exploits, and any resulting bug reports are linked from the website of the research project. The researchers created a test framework to verify whether all of the imposed cookie and request policies are correctly applied. They discovered that most of the mechanisms could be circumvented. All of the anti-tracking and ad-blocking browser extensions had at least one bypass flaw.
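One way to express the check such a framework performs, added here as an illustration and not taken from the paper or the researchers' code: it flags logged cross-site requests that still carried a Cookie header while third-party cookies were set to be blocked. The log format, field names, hostnames and the two-label site heuristic are assumptions.

```javascript
// Added example: checks a constructed request log against a
// "block third-party cookies" policy. Not the researchers' framework.

// Assumption: a site is the last two host labels. A real checker
// needs the Public Suffix List (e.g. for example.co.uk).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// A request is third-party when its site differs from the site
// shown in the address bar (the top-level document).
function isThirdParty(topLevelUrl, requestUrl) {
  return siteOf(topLevelUrl) !== siteOf(requestUrl);
}

// Return every logged request that carried cookies although the
// policy under test should have stripped them.
function findPolicyViolations(log) {
  return log.filter(r =>
    isThirdParty(r.topLevel, r.request) && r.cookieHeader !== null);
}

// Group violations by the mechanism that initiated the request,
// so each leaking mechanism can be reported separately.
function violationsByMechanism(log) {
  const counts = {};
  for (const v of findPolicyViolations(log)) {
    counts[v.mechanism] = (counts[v.mechanism] || 0) + 1;
  }
  return counts;
}

// Constructed sample log, as a test server might record it.
const sampleLog = [
  { mechanism: 'img', topLevel: 'https://news.example/', request: 'https://static.news.example/logo.png', cookieHeader: 'sid=1' },
  { mechanism: 'img', topLevel: 'https://news.example/', request: 'https://tracker.test/pixel.gif', cookieHeader: null },
  { mechanism: 'redirect', topLevel: 'https://news.example/', request: 'https://tracker.test/r', cookieHeader: 'uid=42' },
  { mechanism: 'pdf-viewer', topLevel: 'https://news.example/', request: 'https://tracker.test/p', cookieHeader: 'uid=42' },
];

console.log(violationsByMechanism(sampleLog));
```

The first entry is not flagged because a subdomain of the visited site counts as first-party; the second is third-party but arrived without cookies, which is the behaviour the policy promises.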

The paper reveals that, in their current state, the built-in anti-tracking protection mechanisms and just about every major browser extension that relies on blocking third-party requests to either disable intrusive advertisements or prevent user tracking can be bypassed using at least one technique.

The researchers evaluated tracking protection functionality as well as a recently introduced cookie feature, known as same-site cookies, for defending against cross-site attacks. The only browser which blocks third-party cookies by default is the Tor Browser. Cookies were not blocked by all the browsers for certain redirects, regardless of whether tracking protection had been enabled or third-party cookies had been blocked.

Opera, Chrome, and other Chromium-based browsers that use the built-in PDF viewer face a major issue with regard to cookies. Furthermore, a design flaw was observed in Chromium-based browsers that enabled a bypass of the built-in third-party cookie blocking and of the tracking protection provided by extensions.


The research also showed that browser extensions used for anti-tracking or ad-blocking had weaknesses. The researchers found ways in which the protection could be circumvented and reported various bugs to developers. Raymond Hill is one of the few who fixed the issues quickly, for uMatrix and uBlock Origin. One thing is clear: as more technologies are added to browsers, the complexity increases as well. The research is important and helps bring these issues to notice.
