I don't remember when this "accept/cancel cookie" button started to be used on websites. Why do they insist on getting users to click on this button?

Can it do any harm to a user's PC or collect any private and sensitive data? Their reason for this is mostly "For a better browsing experience on the website".

Is it possible to use this as a trick for a possible hack? Also, my knowledge of cookies and web hacking is not good enough.

schroeder
0_o
  • Exactly as much as any other button, like the "log in" button or the "view cat pictures" button. – user253751 Oct 17 '18 at 01:45
  • @immibis I don't think so. E.g. would you click on a "log in" button on a website you don't trust? – Dmitry Grigoryev Oct 17 '18 at 08:05
  • Exactly as much as any other button, **but with the exceptional property that it is far more likely to be clicked by the user without any further thought**. – caw Oct 17 '18 at 13:46
  • Possible duplicate of [Are EU cookie consent forms safe?](https://security.stackexchange.com/questions/192943/are-eu-cookie-consent-forms-safe) – gre_gor Oct 17 '18 at 18:03
  • GDPR was implemented on 25 May 2018, so that is pretty much exactly when the cookie notification/consent stuff started. – trognanders Oct 17 '18 at 19:23
  • @caw I don't know about you but I click on links without much thought all the time. – user253751 Oct 17 '18 at 21:31
  • @immibis We may be different in that regard. But still, those cookie notices have trained you to click almost automatically and instantly when there is something on the page that resembles such a notice. What could such a click cause that simply visiting that page in the first place could not? Well, going fullscreen and opening pop-ups, mainly. Granted, the risks and impact are not too high and it's not game over when you simply click such a button. That would be a severe vulnerability in browsers. – caw Oct 17 '18 at 22:12
  • You're missing a crucial idea in security by asking this question. Every single possible vulnerability _will_ be exploited. If it's possible for a website to design a button where clicking it is vulnerable, that's ridiculous. They could just have you click _any_ button to make the same vulnerability - what do the words around the button have to do with the button? Moreover, whatever code runs when you click the button could just run before you click the button! If _any_ website could download your personal data, then your data will be lost _immediately_. – Nicholas Pipitone Oct 18 '18 at 18:24
  • Browsers are all designed to encapsulate websites so that they cannot interfere with each other, and cannot access the computer they run on. The only thing websites are allowed to touch are files within the website itself (to download pictures, code, etc), and the public files (CSS files, etc) that other websites have. If you had any suspicion that it was possible for a website to do more than this, you shouldn't even have opened your browser to ask this question in the first place - without using a throwaway computer first. – Nicholas Pipitone Oct 18 '18 at 18:28
  • On the same token, if someone says "I was hacked just by clicking this link in my email" - then they aren't telling the truth or they can redeem $10k+ by reporting the bug to Google (highly unlikely). They must have somehow typed their password into a box somewhere in the website. Clicking is never dangerous, just like how downloading files off the internet is never dangerous (and only running them is dangerous). – Nicholas Pipitone Oct 18 '18 at 18:32
  • Use [UBlock Origin](https://addons.mozilla.org/en-us/firefox/addon/ublock-origin) and you will have less to worry about tracking cookies. Also, set your browser to delete cookies when you close it. – user21820 Oct 19 '18 at 01:57
  • "A better experience" = "targeted ads" = "we're trying to take *your* money". I consider cookies to be evil for just that reason; when all this became an issue in the EU, the response was, now you have to click this button to accept cookies to use that website. What if I want to use the website *without* accepting cookies? My browser (Firefox) used to have a delete all cookies on exit option, but that was removed; now I run a short script each week that deletes the cookie database. Works like a charm. – Jennifer Oct 21 '18 at 03:44
  • @Jennifer, thanks for noting that Firefox has removed that option! – paul garrett Oct 21 '18 at 22:06
  • "Their reason for this mostly is 'For better browsing experience on the website'." Actually it's because if they don't they'll be GDPR banhammered. – Pharap Oct 22 '18 at 10:45

5 Answers

Technically, browsers do not have to ask the user a question in order to use cookies. Furthermore, they are not technically bound to the answer given by the user.

Legally, that is another matter. In the European Union, websites are now required to ask the user for their consent before using tracking cookies or other means to collect personal data about the user. However, they do not have to ask for the consent of the user to use cookies necessary to provide their service (such as session cookies). Thus, if a website asks to allow cookies, it is in order to legally collect personal data about the user. This data can be considered private or sensitive, depending on the appreciation of the users.

The formulation "For better browsing experience" usually means "In order for us to provide you targeted advertisement, which will earn us more money to make better content" or "In order for us to provide you targeted advertisement, so you will have (in theory) fewer irrelevant advertisements".

A malicious website might not honor their legal obligations. They could ask for the consent and not honor the answer, or they could dispense with asking the question in the first place.

For more information on the law: GDPR on Wikipedia

A. Hersean
  • So we have to trust, and if we don't accept they can still do what they want. Thank you for the answer btw. – 0_o Oct 16 '18 at 12:31
  • @AidenStewart If that's a concern you should look at browser security settings and addons to block third party cookies, especially known trackers. – IllusiveBrian Oct 16 '18 at 13:18
  • `The formulation "For better browsing experience" usually means [better ads]` well, it can also be a legitimate better experience. Various small little things can just be preserved in cookies. E.g., if you go to a weather site and enter your locations, those could be saved and then retrieved from a cookie, so even if you don't have an account, you'd get your most frequent locations preserved. Other settings and data could also be preserved for the user to do less work, hence they get a better experience. True, a lot of times it's used for advertising but that's not the only use for cookies. – VLAZ Oct 16 '18 at 14:06
  • @vlaz That's why I use the word "usually", meaning "most of the time". It implies that sometimes cookies are used for other purposes. I could expand my answer if you think that it would be a worthwhile addition. – A. Hersean Oct 16 '18 at 15:00
  • Note that the cookie questions started with the May 2011 EU Directive, not from the GDPR which is from May 2018. The first one is about cookies, the second deals with all data (e.g. transferring info about your purchase to a third party which will build a profile about you... even if cookies aren't used). – Ángel Oct 16 '18 at 15:05
  • @Ángel You are right. However, as far as I know, compliance with the GDPR implies compliance with the previous EU Directive on cookies (and other national laws). Thus the law to look at for a newcomer on the question is the GDPR. – A. Hersean Oct 16 '18 at 15:16
  • @A.Hersean I just wanted to clarify that bit. Other than that bit at the end, I like, and upvoted, your answer. – Ángel Oct 16 '18 at 15:20
  • @Ángel Unless there was some delay on implementation of the May 2011 directive (I personally am not familiar with it so cannot speak to its content), I suspect it was of a much more limited scope. While many websites had mention of cookies in their footers or terms of service between 2011 and 2018, I certainly did not observe the obnoxious banners requesting consent referred to in this question prior to implementation of GDPR. – jmbpiano Oct 16 '18 at 16:18
  • @vlaz I don't think you are right, because they don't need permission if they need the cookie to provide you with a service. The law is, as far as I know, formulated just so that they don't need permission for everything that is actually in the interest of the user. If they ask for permission, that automatically means that they want to do stuff that a court of law wouldn't necessarily agree is required to improve user experience (which is part of the service). – Nobody Oct 16 '18 at 16:42
  • The cookie requirements come from the Privacy and Electronic Communications Regulations (PECR) and not from GDPR. PECR was updated when GDPR came into force but it's separate. https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Directive_2002 – HomoTechsual Oct 16 '18 at 16:59
  • @Ángel The directive of 2011 is not just about cookies. It is about **any** form of tracking, not just cookie based solutions. Quoting from [europa.eu](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_2) it says *you must ask users if they agree to most cookies **and similar technologies** (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.* – Bakuriu Oct 16 '18 at 17:19
  • @IllusiveBrian nailed it! [NoScript](https://noscript.net) **a plugin for Firefox** and also [Adblock Plus](https://adblockplus.org) are the best solutions, period. You have to "train" NoScript sometimes to allow JavaScript on some web sites (especially at first); but that's one of the reasons why it's such a superb security solution. – Mike Waters Oct 16 '18 at 19:55
  • While the requirement may technically come from 2011, GDPR seems to have raised most companies' awareness of their requirements because of the overlap. That's why all these prompts just started this year. – Barmar Oct 17 '18 at 19:29
  • I would just add that "For better browsing experience" can also refer to enabling some app features. For example, a store can use your (rough) current location to show you if the product you are looking at is in stock at your local physical store. It's not just ads. – Tezra Oct 17 '18 at 19:46
  • I think the real problem is about users automatically clicking confirm buttons on any site that they land on, because the button is practically on every site and clicking it became the natural and expected behavior. – Guney Ozsan Oct 19 '18 at 20:49

A malicious website could harm you without you having to click on anything. However, the fact that the user clicked on a page element simplifies the task: for example, most browsers would automatically block unsolicited popups (which can e.g. trick users into installing malware), but allow a popup in response to a click.

And yes, in my opinion, a standardised button which users are taught to click over and over without a second thought does increase the risk.

Dmitry Grigoryev
  • `And yes, in my opinion, a standardised button which users are taught to click over and over without a second thought does increase the risk.` similar to an antivirus flagging a lot of false positives that the user is conditioned to ignore or, say, UAC keeps bugging you for elevated privilege, so users just grant it to everything. – VLAZ Oct 16 '18 at 14:09
  • This is why I don't click *either* button unless I trust the site. – Wildcard Oct 17 '18 at 01:26
  • I ran into a website the other day where there was a button to enable push notifications laid out in the format you'd expect to find a cookie consent button. Of course I clicked it. The conditioning works. – Will Oct 19 '18 at 09:36
  • @Will That wouldn't enable push notifications though. They ask in their own format so they can keep asking it multiple times. If they showed the real dialog (shown by the browser, website can't edit it), they couldn't ask for the permission again if you reject it. So clicking their "fake" button should just show the real browser dialog asking for permission. – FINDarkside Jul 05 '19 at 13:44

With recent regulations around data privacy, websites are asking for express permission from users to collect their info from cookies.

Cookies do not harm PCs. The data collected from cookies could conceivably be used in ways that users do not like (Cambridge Analytica comes to mind). Those interested in more private and more anonymous browsing would want to reject cookies (but they tend to do this with browser plug-ins anyway).

Could a malicious website use a button on the site to do malicious things? Yes. But that is true for any link on any website, so this button does not increase your risk.

schroeder
  • So if we are browsing hundreds of websites every day, how can we be sure about keeping our cookies safe? Because basically we are granting them access to our info. – 0_o Oct 16 '18 at 12:24
  • You do not keep cookies safe. You allow their usage or not. Cookies are a means for websites to store data on the user's web browser, in a way that will persist across restarts and across websites that use the same tracking services (such as advertisement providers or Facebook "like" buttons). – A. Hersean Oct 16 '18 at 12:31
  • Just to expand further, if someone wanted to be malicious with cookies, they can just do this via JavaScript when a page is loaded, or even the initial HTTP response you get from their server before anything is loaded in the browser. There's no need for a user to click on anything. – Sean T Oct 16 '18 at 13:32
  • @AidenStewart A cookie can only be accessed from the same domain/website so you don't have to do anything to "keep them safe". Evil.com can't get your cookie from Example.com – Stephen Oct 16 '18 at 13:33
  • "But that is true for any link on any website" no it's not. Clicking any other link is optional in that I'd only click it if it promises something I am interested in, that is, if I want to engage with the actual website, after I have convinced myself that this site is one I can trust (because it offers something I am interested in). The cookie question comes "before" I start engaging with the content, often obscuring part of the site, sometimes even blocking the site. Which means I am compelled to press it before I have a chance to look at the actual site and decide if I want to trust it. – eMBee Oct 16 '18 at 16:29
  • @eMBee that's not universally true either. Lots of sites function without clicking the cookie button, and malicious sites can set up clickable areas without any discernible link or button – schroeder Oct 16 '18 at 16:31
  • and since every other website now has such a prompt, I am developing a habit to press this button without much thought, just to make the question go away. For any other link that habit does not apply, and any such link would be considered with greater scrutiny. – eMBee Oct 16 '18 at 16:32
  • @eMBee clicking links without thinking is a consistent risk that does not change in this scenario, regardless of the new purposes – schroeder Oct 16 '18 at 16:35
  • Sites can set up clickable areas, but I am not going to click them unless I have a very good reason to. But normally I don't. The cookie button adds an area that I now click by default without thinking. No other click on any website is like that. – eMBee Oct 16 '18 at 16:35
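As an added illustration, not from any post in this thread, of the two points made in these comments (a cookie set by one site is never sent to another, while a tracker's cookie rides along on embedded requests across unrelated sites unless SameSite or a third-party-cookie block stops it), here is a small model of the browser's cookie-attachment rules from RFC 6265. The host names and the cookie jar are constructed, and `siteOf` is a simplification that ignores the public suffix list.

```javascript
'use strict';

// RFC 6265 section 5.1.3: the request host domain-matches a cookie Domain when
// it is identical or ends with "." + domain (and is not a bare IPv4 address).
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith('.' + cookieDomain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// "Site" of a host, approximated as its last two labels. Assumption: real
// browsers consult the public suffix list (a.co.uk and b.co.uk differ).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Names of the cookies the browser would attach to one request.
//   topLevelHost    host of the page the user is on (the initiator)
//   requestHost     host the request goes to (a tracker for embedded resources)
//   isNavigation    true for a top-level navigation such as a link click
//   blockThirdParty models the "block third-party cookies" browser setting
function cookiesForRequest(jar, opts) {
  const { topLevelHost, requestHost, path = '/', secure = true,
          isNavigation = false, blockThirdParty = false } = opts;
  const crossSite = siteOf(topLevelHost) !== siteOf(requestHost);
  return jar.filter(c => {
    const domainOk = c.hostOnly ? requestHost.toLowerCase() === c.domain
                                : domainMatches(requestHost, c.domain);
    if (!domainOk || !pathMatches(path, c.path || '/')) return false;
    if (c.secure && !secure) return false;       // Secure: HTTPS only
    if (!crossSite) return true;                 // first-party: always sent
    if (blockThirdParty && !isNavigation) return false;
    if (c.sameSite === 'Strict') return false;
    if (c.sameSite === 'Lax') return isNavigation;
    return true;                                 // SameSite=None: the tracking case
  }).map(c => c.name);
}

// Constructed sample jar: the shop's own session cookie and a tracking cookie
// owned by an ad network whose scripts are embedded on many unrelated sites.
const SAMPLE_JAR = [
  { name: 'session', domain: 'shop.example', hostOnly: true, path: '/', secure: true, sameSite: 'Lax' },
  { name: 'trk', domain: 'ads.example', hostOnly: false, path: '/', secure: true, sameSite: 'None' },
];
```

Running `cookiesForRequest(SAMPLE_JAR, { topLevelHost: 'news.example', requestHost: 'ads.example' })` shows the tracker cookie being sent from an unrelated page, and the same call with `blockThirdParty: true` shows the browser setting recommended in the comments stopping it.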

Yes, but not more than any other button or link.

The main concern is clickjacking. Somebody who knows exactly where you will click can try to move another click target to this position at the moment you are clicking, so you may for example click "delete my account" on another site opened in an iframe.

Furthermore, clicks sometimes unlock more permissions, e.g. all modern browsers disallow popups unless you clicked on something to open the popup. So sometimes sites will lead you to click on something, so they can open a new popup/tab.

This of course applies to any button on a website, so the "accept cookie" button is not worse than a "click here to enter the website" button.

allo

Malicious like what? Identity usurpation?

Some time ago on Facebook, the timelines of several friends showed some suggestive/clickbait link to videos with a false YouTube thumbnail. When you clicked on it, a popup appeared asking if the user was human by clicking on a single button.

Clicking on the button silently liked or shared content on Facebook (because you were still logged in), which published that on your timeline.

As others say: you can hide anything behind any link, and the only thing that lets you click is trust.

  • When you arrive on that kind of site, check the ads (embedded ads everywhere or adblock counter exploding). If there are too many, leave.
  • Quickly Google the information provided in the title of a link instead of clicking on it. You might find a YouTube video which is more secure.
  • You really want to see that? Right-click and open in a private window.
  • Learn to detect clickbait and spread the word to your friends not to fall into that trap.

Goufalite