When browsing social media, shopping, or doing almost anything else online, you might have seen a request for the websites permission to collect and use your cookies. Like many people, you probably clicked on the "approve" button and continued to do what you wanted to do. But did you ever think about what cookies are, and what companies and websites are actually collecting from your device?
What are Cookies?
In short, cookies are tiny pieces of data stored on a device by a web browser. They are usually text files, and they are most commonly used to identify your device on a network, like an identification card (social security number for all you Americans).
Imagine you are at a party, a party where everyone is drinking Super-Juice Pro, the hottest new orange-flavored drink. Unfortunately, you placed your bottle on a table with many other bottles, and you can't tell which bottle is yours, as all of the bottles have random amounts of Super-Juice Pro and you forgot how much you had drunk.
As soon as almost all hope is lost, you remember that the bottles of Super-Juice Pro have a special feature that makes it Pro; the bottle copies the fingerprints of a person who touched it onto its surface. For example, if John touched the bottle, John's fingerprints would be marked on the bottle's surface forever. If Alyne touched the bottle after John, Alyne's fingerprints would also be marked on the bottle with John's.
Cookies work in a similar way. When you (or anyone else) browses the web on your computer, small pieces of information are stored. These pieces range from saved usernames and passwords to your likes and dislikes.
Another great analogy for visualizing what cookies are and what they can do is imagining yourself visiting your favorite restaurant, one you visit often. When you enter, the waiters will probably already know that you favorite drink is Super-Juice Pro, you are a fan of the lemon cheesecake, and you like to sit on that table in the corner, the one where the breeze hits you at just the right angle. They do not know these facts about you by reading your mind, rather, they know because you have done these things before, multiple times.
These are how cookies work. Over time, as you repeat actions and visit websites, the data from stored cookies can be used to create a virtual profile of you. Your likes, your dislikes, your family members, your pets, what you need, what you want can all be inferred from the cookies.
How are Cookies Sent and Stored?
Cookies are created whenever you visit a website. When you visit a website for the first time, the server the website is hosted on sends back the webpage you requested and a small text file, known as a cookie. The next time you visit the website, your browser will send a request for the website along with the cookie. These cookies identify who you are, and provide whatever data that the website may want or need to function properly.
These cookies are all stored locally on your device, and are only sent to the web server when a website requests it. These cookies are stored as dictionaries, or key:value pairs. That way, whenever a website requests a specific piece of data, the data can be identified and sent as quickly as possible.
All cookies are stored locally, which means that your data is only stored on your computer. However, this data can be sent to any website whenever they request it, which is what all the privacy scandals are about- sending enough user data to a website to learn enough to breach someone's privacy.
How cookies work, via Infosec
What are Cookies Used for?
Cookies have many uses, most of which you should be aware of. The three main uses of cookies are below (via Kaspersky)
Session management cookies are cookies stored only for your web browsing session (from when you open your browser to when you close it). These cookies allow websites to have auto-login features and save user preferences, for example, whether or not you turned on dark mode the last time you visited Reddit.
Personalisation cookies are cookies that store user data, more specifically, user data on what you have searched up on the web. These cookies are most commonly used to provide personalized advertisements.
How do Advertising Cookies Work?
Advertising cookies are cookies used for advertising, more specifically, personalizing advertisements for you. These cookies are the reason you get advertisements for dog beds on Amazon after searching for dog toys on eBay. These cookies are also the cookies that most websites request, as they are made up of the data that will make the corporations involved millions.
Advertising cookies are the most popular usage of cookies. Whenever you visit a website, all of your browsing habits, websites you spent time on, all of your data is sent to the website servers. This data is then used to create a model of you, a model which captures your likes, dislikes, and things you will be interested in. After that, the advertising agency that the developers have chosen to place on their website, for example, Google AdMob, matches your likes and dislikes to an advertisement that they think will appeal to you the most, one which you are the most likely to click on.
In short, advertising cookies are used to create a model of you and place the advertisement that you are most likely to click on the website.
Problems with Cookies
Cookies are essential to the internet today, but they still have problems. Below are some of the most common problems.
Since cookies are stored locally, if an attacker gets access to the raw text cookies on your device, they can get an authorization for certain websites allowing them to log in as you. This is the same concept by which "keep me signed in" buttons work, allowing a user to send a cookie with an authorization instead of logging in again.
When a website receives a request/action in the form of cookies, the server cannot distinguish whether the user requested this action in the current session or whether the cookies saved on the user's computer has requested it. Due to this, an attacker can simply change the content of the cookies so that the user's computer will be sending requests to the website that the user did not request for.
The model of you that can be made using your cookies is extremely advanced and specific. This data is worth a lot, and can be sold to advertising agencies to create targeted advertisements.
Top comments (2)
Well said, very easy to understand and good information, thanks!
Thank you so much!