TL;DR: I built a cookie forensics tool and ran it on my own Firefox browser. The results were shocking: 1,572 tracking cookies from 422 different domains, including 67 high-severity privacy risks. Google alone has 174 cookies tracking me across 72 websites.
The Wake-Up Call
We all know websites use cookies. But I didn't realize how many until I actually looked.
Last night, I exported my Firefox cookies (just the cookies.txt file - no passwords, nothing sensitive) and ran them through a forensics tool I'd been building.
The numbers hit me hard:
- 1,572 cookies total
- 422 unique domains tracking me
- 1,337 privacy/security risks identified
- Overall risk level: HIGH
This isn't from some malware-infected machine. This is a regular browser from a developer who thinks he's privacy-conscious.
Breaking Down the Surveillance
The Big Players
Google Analytics: 174 cookies across 72 domains
Google Analytics isn't just on Google sites. It's on random blogs, e-commerce stores, tutorial sites - everywhere I've visited in the past month. Each one reporting back to Google.
Facebook: 67 cookies
I rarely use Facebook. But Meta's tracking pixels are embedded in tons of sites. Instagram, WhatsApp, and third-party sites all feeding data back.
"Unknown" trackers: 1,305 cookies
The scariest category. These are ad networks, data brokers, and tracking services I've never heard of. They don't even have recognizable names.
The Long Tail
Here's where it gets wild. The tool found cookies from:
- 422 different domains
- Tracking companies I've never interacted with directly
- Third-party scripts embedded in sites I trust
Examples: TikTok (I don't have TikTok), Adobe (tracking across multiple properties), Microsoft, Amazon, random e-commerce sites, adult content trackers (yes, those too).
The Security Risks
The tool identified 1,337 privacy/security issues, broken down by severity:
Medium Severity (1,928 instances):
- Insecure transmission: Cookies sent over HTTP instead of HTTPS
- Third-party tracking: Cookies from domains I never visited
- Persistent tracking: Long-lived cookies that track across sessions
High Severity (67 instances):
- Missing security flags (HttpOnly, Secure)
- Cross-site tracking without consent
- Potential session hijacking vulnerabilities
Critical Severity (0):
Good news: No critical vulnerabilities like exposed authentication tokens. But "high" is still concerning.
What This Actually Means
Every time I browse:
- These 422 domains get pinged
- They know what page I'm on
- They correlate it with my other activity
- They build a profile: interests, behavior, schedule
The tracking is coordinated:
- Google knows which sites I visit
- Facebook knows even when I'm not on Facebook
- Ad networks share data with each other
- My "anonymous" ID is correlated across platforms
Real-world implications:
- Targeted ads (obvious)
- Price discrimination (less obvious)
- Data broker profiles sold to anyone
- Potential for insurance/credit scoring
- Political microtargeting
How I Built the Analysis Tool
Since discovering this, I built a proper forensics suite. It's open source on GitHub.
The tool does 4 things:
1. Parse
Reads cookies.txt files (Netscape format - the standard export format from any browser)
# Netscape format: domain, flag, path, secure, expiration, name, value (tab-separated)
def parse_line(line):
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        return None  # comment, blank or malformed line
    domain, name, value = parts[0], parts[5], parts[6]
    return domain, name, value
2. Enrich
Matches cookies against a known database of tracking companies:
- Google Analytics patterns (_ga, _gid, __utma)
- Facebook trackers (fr, datr, xs)
- Ad networks (__gads, _fbp)
- Analytics services
3. Scan for Risks
Identifies security and privacy issues:
- Insecure transmission (HTTP vs HTTPS)
- Missing security flags
- Third-party tracking
- Long expiration dates
4. Generate Reports
Creates 5 detailed JSON reports:
- Parsed cookies with metadata
- Enriched data (company identification)
- Risk assessment
- Domain-level summary (which sites track most)
- Company-level summary (who's tracking you)
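The four steps above, carried through end to end on a small constructed cookies.txt sample (added example; this is not the project's code). The tracker table is a hypothetical stand-in for the tool's database, built only from the cookie names the post lists, and the report takes the current Unix time as an argument so the "long expiration" check is reproducible.

```python
from collections import Counter
# Constructed sample in Netscape cookies.txt format (domain, include_subdomains,
# path, secure, expiry, name, value). Firefox/curl exports prefix HttpOnly
# cookies' domain with "#HttpOnly_", which a naive "skip # lines" rule drops.
SAMPLE = """# Netscape HTTP Cookie File
.example.com\tTRUE\t/\tFALSE\t1900000000\t_ga\tGA1.2.111.222
#HttpOnly_.shop.example\tTRUE\t/\tTRUE\t1800000000\tsession\tabc123
.facebook.com\tTRUE\t/\tTRUE\t1900000000\tfr\txyz
.ads.example\tTRUE\t/\tFALSE\t0\t__gads\tid=1
"""
# Hypothetical tracker table built from the cookie names the post lists.
TRACKERS = {"_ga": "Google Analytics", "_gid": "Google Analytics",
            "__utma": "Google Analytics", "fr": "Facebook", "datr": "Facebook",
            "xs": "Facebook", "__gads": "Ad network", "_fbp": "Ad network"}
ONE_YEAR = 365 * 24 * 3600

def parse(text):
    """Step 1: cookies.txt lines -> dicts, keeping the HttpOnly marker."""
    cookies = []
    for line in text.splitlines():
        httponly = line.startswith("#HttpOnly_")
        if httponly:
            line = line[len("#HttpOnly_"):]
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and real comments
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # malformed line: skip instead of crashing
        domain, _sub, _path, secure, expiry, name, _value = parts
        cookies.append({"domain": domain, "name": name, "secure": secure == "TRUE",
                        "httponly": httponly, "expires": int(expiry)})  # 0 = session

    return cookies

def enrich(cookie):  # Step 2: attach the company behind a known tracker name
    cookie["company"] = TRACKERS.get(cookie["name"], "Unknown")
    return cookie

def scan(cookie, now):  # Step 3: flag the risk classes the post describes
    checks = [(not cookie["secure"], "insecure transmission"),
              (not cookie["httponly"], "missing HttpOnly"),
              (cookie["expires"] - now > ONE_YEAR, "persistent tracking"),
              (cookie["company"] != "Unknown", "third-party tracking")]
    return [label for hit, label in checks if hit]

def report(text, now):  # Step 4: company/domain summaries plus per-cookie risks
    cookies = [enrich(c) for c in parse(text)]
    return {"companies": Counter(c["company"] for c in cookies),
            "domains": Counter(c["domain"] for c in cookies),
            "risks": {c["name"]: scan(c, now) for c in cookies}}
```

Calling report(SAMPLE, 1700000000) flags the HttpOnly session cookie only for its long lifetime, while the _ga cookie trips all four checks.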
The Most Shocking Findings
1. Google Knows Everything
174 cookies across 72 domains means Google sees:
- Every blog I read
- Every product I research
- Every tutorial I follow
- Every site I visit that uses Google Analytics (most of the web)
They're not just a search engine. They're a surveillance network.
2. You Can't Escape Facebook
I logged out of Facebook years ago. Still have 67 cookies from Meta properties. The "Like" button on every website? That's tracking you even if you don't click it.
3. The "Unknown" Trackers Are Worse
1,305 cookies from companies I've never heard of. These are data brokers buying and selling profiles. No relationship, no consent (well, buried in ToS), just harvesting.
4. Adult Sites Track Aggressively
Won't name names, but several adult content sites had some of the most invasive tracking. Makes sense - they profit from user data like everyone else. But it's particularly sensitive data.
What You Can Do About It
Immediate Actions:
1. Clear your cookies (nuclear option)
- Firefox: Settings → Privacy & Security → Clear Data
- Chrome: Settings → Privacy → Clear browsing data
- Downside: You'll be logged out of everything
2. Use containers (Firefox only)
- Facebook Container extension
- Multi-Account Containers
- Keeps tracking siloed
3. Browser extensions:
- uBlock Origin (blocks trackers)
- Privacy Badger (learns tracker patterns)
- ClearURLs (removes tracking parameters)
4. Use privacy-focused browsers:
- Brave (built-in ad blocking)
- Firefox with hardened settings
- Tor Browser (extreme privacy)
Long-term Strategy:
1. Assume you're being tracked
- Everything you do online leaves a trail
- "Incognito mode" only hides from your local device
- VPNs help but aren't magic
2. Compartmentalize your identity
- Different email for different purposes
- Separate browsers for work/personal
- Don't log into Google/Facebook on your main browser
3. Read privacy policies (I know, I know)
- At least skim for data sharing clauses
- Look for "we share with third parties"
- Assume worst-case interpretation
4. Support privacy regulations
- GDPR (Europe)
- CCPA (California)
- Vote for politicians who care about digital privacy
Try It Yourself
I've open-sourced the tool: GitHub - ml-systems-portfolio
To analyze your own cookies:
# Export cookies from Firefox
# Settings → Privacy & Security → Cookies → Manage Data → Export
# Run the tool
cd tools/cookie_analysis
python cli.py --input cookies.txt --output-dir results/
You'll get 5 JSON reports:
- Full cookie list with metadata
- Company identification
- Risk assessment
- Domain summary
- Company summary
Warning: This will show you things you might not want to know. Once you see the numbers, you can't unsee them.
The Bigger Picture
This isn't just about cookies. It's about:
- Asymmetric information: They know everything about us, we know nothing about them
- Lack of consent: Buried in 50-page Terms of Service
- No transparency: Can't see what data they have
- No control: Can't delete, correct, or opt out effectively
The web wasn't supposed to be like this. The original vision was open, decentralized, user-controlled. Now it's:
- Centralized (Google, Facebook, Amazon)
- Surveillance-based (track everything)
- Monetized through your data
What I'm Building Next
This cookie analysis tool is part of a larger Security Professional Suite I'm building:
Current tools:
- Cookie Analysis - What you just read about
- PathPulse - Real-time file system threat detection
- Windows Feature Manager - System configuration control
Coming soon:
- OSINT Suite - Digital footprint analysis
- Threat Intel Tool - IOC aggregation
- Bug Bounty Framework - Recon automation
All open source. All focused on giving individuals the tools that only big companies have.
The Response I'm Expecting
"You're paranoid"
Maybe. But the data is real. 1,572 cookies. 422 domains. That's not paranoia, that's math.
"If you're not paying, you're the product"
True. But we've normalized surveillance to an insane degree. Remember when websites had ads but didn't track your every move?
"I have nothing to hide"
Neither do I. But I have plenty I don't want to share. Privacy isn't about hiding, it's about control.
"This is just how the web works now"
Only because we let it. We can build better. We can demand better.
Final Thoughts
Running this analysis changed how I think about browsing. Every site I visit now, I wonder:
- How many trackers just fired?
- What data was just sent?
- Who's buying that data?
- What profile are they building?
You should run this too. Not because I built it (though I'd appreciate the GitHub star ⭐), but because you deserve to know what's happening on your own machine.
The surveillance economy depends on ignorance. Once you see the numbers, you can't ignore them.
Want to try the tool?
- GitHub: https://github.com/dopamin3fiends/ml-systems-portfolio
- Packaged version (with support): https://dopaminefiends.gumroad.com/l/devtools
Questions? Thoughts? Found even worse tracking?
Drop a comment. I'm building these tools in public and documenting the journey.
Next post: Building an OSINT tool to see what information about you is publicly available. Subscribe to follow along.
Built with Python 3.11, FastAPI, and a healthy dose of concern about digital privacy.