Unlocking the Secrets of Chrome Browser Cookies: What You Need to Know


One concerned Reflectiz user recently shared the screenshot you see below with us. They wanted to make sure we were aware that Google Chrome will soon be blocking third-party cookies to protect user data from cross-site tracking.

Chrome announced this change back in 2020, so we have been aware for quite some time that this was going to happen. In fact, Chrome was the last of the major web browsers to announce that it would be banning third-party cookies, but it’s big news now because Chrome is the most popular browser in the world by a long way with 3.45 billion users and a 65% market share. This puts it ahead of Safari with 18.55% and Edge with 5.05%.

Chrome has already switched off cookies for 1% of its users and will gradually do the same for all of them by the end of 2024. At Reflectiz we were aware of this change, but this made us wonder how many other users might have questions on this issue. How many are wondering whether Chrome will still pose a privacy risk after changes have been rolled out to everyone? How many would like to know how the ban on third-party cookies will affect their businesses?  

In this article we answer those questions, exploring the security implications of tracking cookies in Google Chrome and looking at how website owners will be gathering the visitor browsing data they need for marketing purposes going forward.

What are third-party browser cookies?

Third-party browser cookies are small text files that are placed on a user’s web browser by websites or services other than the one they are currently visiting. In contrast, first-party cookies are set by the website the user is currently on. First-party cookies are used to remember things like login status, shopping cart contents, and user preferences on that specific site. Third-party cookies are from elsewhere, and they are often set by advertising networks such as Amazon Ads, analytics providers like Google, social media platforms like Meta and TikTok, and other third-party services embedded on webpages.

Third-party cookies enable cross-site tracking, which means that a user’s activities on various websites can be shared with these marketers and advertisers, allowing them to build a detailed picture of their interests. They can then use this data for targeted advertising, ad retargeting, content personalization, and other marketing purposes.

Cookies in Chrome Privacy Risk: Understanding the Threat

Web users have been concerned about their privacy for a long time, and legislators have listened. GDPR came into force in 2018, and other regions continue to add their own legislation, requiring organizations to obtain explicit permission from users before collecting, tracking, and sharing their personal data, while also mandating strong protections against hackers. In response, web browsers now give users the option to block or limit the use of third-party cookies in order to protect their online privacy and reduce unwanted tracking. But what are the risks with Chrome when users do give permission? Here are the main ones:

Cross-Site Scripting (XSS) vulnerabilities which could allow attackers to inject malicious scripts into websites, potentially enabling them to steal cookies and hijack user sessions.

Same-Origin Policy Bypass which could allow attackers to bypass the Same Origin Policy security mechanism and access cookies from different domains. This could potentially allow them to hijack sessions or steal data.

Cross-Site Request Forgery (CSRF) vulnerabilities which could allow attackers to trick users into performing unintended actions, potentially leading to cookie theft or unauthorized access.

Insecure Cookie Handling, which means things like not properly implementing the HttpOnly flag or allowing cookies to be accessed by client-side scripts, which increases the risk of cookie theft through XSS or other attacks.

Cookie Injection vulnerabilities in Chrome’s handling of cookies could allow attackers to inject or modify cookies, potentially leading to session hijacking or other security risks.

The Change and Why it’s Happening

Although Edge, Firefox, Safari, and others can now block third-party cookies, Chrome is doing something different. This isn’t surprising because Google’s owner Alphabet makes a lot of money from advertising, and blocking third-party cookies would have cut off this valuable income stream. Instead, it’s replacing them with something called Tracking Protection which is part of its Privacy Sandbox initiative. It switched on Tracking Protection for 1% of users in January 2024 and will do the same for all users during the second half of the year.

In the US this is a feature that users can opt out of, whereas in Europe (and a few other territories) they need to explicitly opt-in. The goal of the Privacy Sandbox project is to prepare for a cookie-less future. The Tracking Protection feature aims to protect user privacy by limiting cross-site tracking, while still giving marketers access to the user data they need to deliver personalized targeted advertising. However, the way that it does this is somewhat controversial.

As James Rosewell, a digital marketer and co-founder of the marketer advocacy group Movement for an Open Web, told The Register back in 2023, “Privacy Sandbox removes the ability of website owners, agencies, and marketers to target and measure their campaigns using their own combination of technologies in favor of a Google-provided solution. No one would accept all food retailers closing the home baking aisle and forcing everyone to buy their own-brand bread. Why would anyone accept Google and Apple’s identical behavior in digital markets?”

While not all users will be particularly sympathetic to the concerns of advertisers and marketers, they may have some misgivings about Google ring-fencing even more of their personal data.

Is Tracking Still a Threat in Chrome?

Despite efforts to enhance privacy protections, tracking remains a significant threat in Chrome. While the Tracking Protection feature will block third-party cookies and restrict cross-site tracking, first-party cookies, which are set by the website being visited, are still permitted. This means that websites can still track users’ activities within their own domains, albeit with certain limitations. As we have noted, Google will still be collecting information about its users to feed to the advertisers that underpin its entire business model, and with less transparency than before.

Limited User Control

While Chrome provides some options for users to change cookie and tracking settings, they are often buried deep within the browser’s settings, so the average user might find them difficult to access.

Opaque Data Collection Practices

Many users are unaware of the extent to which their online activities are being tracked and how this data is being used. This lack of transparency makes it difficult for users to make informed decisions about their privacy.

First-Party Cookie Risks

First-party cookies can also pose security risks, as they can be exploited by malicious actors to steal sensitive information or launch targeted attacks. While Chrome has security measures in place to mitigate these risks, they are not foolproof, so Google is currently testing a new feature in Google Chrome Beta called DBSC (Device-Bound Session Credentials) Protection. This will use cryptography to bind authentication sessions to the device the browser is running on, which means that even if attackers manage to steal cookies, they will be useless.

First-Party Tracking

While Chrome has taken steps to limit third-party tracking through measures like Tracking Protection, it’s still possible for companies to track users’ activities within their own domains using first-party cookies. Adobe has suggested that this will form the backbone of marketers’ efforts in the future. In this article the graphics industry giant suggests that businesses will still be able to perform cross-site tracking and ad retargeting by gathering first-party data from direct interactions with customers on their apps and websites, and then combining it with forms of identification such as device IDs and email addresses.

Google itself will be offering tracking tools via its Privacy Sandbox, but this won’t be providing the kind of granular, individualized user data that third-party cookies delivered before.

It’s also worth mentioning that if Chrome thinks a website isn’t working properly without third-party cookies (perhaps the user has refreshed the page several times and it still does not work), Google says that it will prompt users to re-enable them for that website, so that is likely to continue during the interim period. At the same time, it’s encouraging developers to review their cookie usage to ensure that their websites still work.

Google has already delayed its ban on third-party cookies, and it could still do so again, so there is scope for this interim period to carry on a while longer. Time will tell.

How Reflectiz Can Help

Reflectiz offers a comprehensive solution to help mitigate the risks associated with cookies in Google Chrome. By providing real-time monitoring and analysis of website third-party components, Reflectiz enables users to gain insights into how their data is being collected and used across various websites. With its advanced monitoring technology, Reflectiz can detect and identify potential security vulnerabilities and privacy threats posed by cookies, including unauthorized tracking and data leakage. Additionally, Reflectiz empowers users with actionable recommendations and controls to manage their online privacy effectively. By leveraging Reflectiz’s capabilities, Chrome users can enhance their privacy posture and protect themselves against the potential risks posed by cookies on the web.

Conclusion

Cookies continue to pose a privacy risk in Google Chrome and other web browsers, despite efforts to enhance user privacy through initiatives like Enhanced Tracking Protection and Privacy Sandbox. While these measures represent steps in the right direction, they are not sufficient to address the full scope of privacy concerns associated with cookies and tracking. As users become increasingly aware of the importance of online privacy, it’s crucial for browser developers like Google to prioritize user privacy and provide more robust tools and controls for managing cookies and tracking. Only by empowering users to take control of their online privacy can we truly mitigate the risks posed by cookies in Chrome and other web browsers.
