
Supercookies

Tracking that survives everything you throw at it

November 30, 2025

What are Supercookies?

Regular cookies are like name tags—easy to remove. Supercookies are like tattoos: persistent, hard to erase, and often invisible to the user.

These tracking mechanisms abuse legitimate browser features (caching, security headers, storage APIs) to store identifiers that survive:

  • Cookie deletion ("Clear browsing data")
  • Private/Incognito browsing
  • Browser cache clearing
  • Some even survive browser reinstallation

WARNING: Supercookies are banned by most platform policies but still widely used. Major companies including Verizon, Hulu, and KISSmetrics have been caught using them.

HSTS Supercookies

HTTP Strict Transport Security (HSTS) is a security feature—it tells browsers to always use HTTPS for a domain. But it can be weaponized for tracking.

How the Attack Works

  1. Tracker controls multiple subdomains: a.tracker.com, b.tracker.com, etc.
  2. On first visit, specific subdomains are set as HSTS (HTTPS-only)
  3. This creates a binary pattern: a=1, b=0, c=1, d=1 = "1011"
  4. On return visits, the browser's HSTS behavior (whether it silently upgrades an http:// request to https:// for each subdomain) reveals the stored pattern
  5. Pattern = unique identifier that survives cookie deletion

// HSTS Supercookie Encoding (illustration)
User ID: 42 (binary: 101010)

Subdomains, least-significant bit first (HSTS set = 1):
✗ bit0.tracker.com (HSTS OFF) = 0
✓ bit1.tracker.com (HSTS ON)  = 1
✗ bit2.tracker.com (HSTS OFF) = 0
✓ bit3.tracker.com (HSTS ON)  = 1
✗ bit4.tracker.com (HSTS OFF) = 0
✓ bit5.tracker.com (HSTS ON)  = 1

Reading: Load http://bitN.tracker.com for each N and check whether the browser upgrades it to HTTPS on its own
Result:  Decode binary 101010 → User ID 42
Persistence: Months to Years. HSTS entries can persist for extended periods.

Clearing Difficulty: Very Hard. Requires finding and clearing HSTS settings specifically.
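The encoding above has a recognisable shape in a browser's HSTS host list: a family of sibling subdomains whose labels differ only by a number. The following Python script is an added example (not code from this article or from any browser) that audits such a list from the defender's side, grouping numbered siblings by parent domain and decoding the integer they would reveal. HSTS_STORE is a constructed snapshot; the stem/number label pattern and the thresholds are assumptions for the illustration.

```python
"""Added example (not code from the original article): a defender-side audit
of a browser's HSTS host list.  It looks for the signature of the encoding
described above, a family of sibling subdomains whose labels differ only by a
number (bit0, bit1, ...), and decodes the integer those entries would reveal.
HSTS_STORE is a constructed snapshot; real browsers keep this list in their
own formats, so export it first and feed the hostnames in here."""
import re
from collections import defaultdict

# Constructed sample: hostnames that currently carry an HSTS entry.
HSTS_STORE = {
    "mail.example.org", "www.example.org",                        # legitimate
    "bit1.tracker.com", "bit3.tracker.com", "bit5.tracker.com",   # bits of 42
    "id0.adnet.net", "id2.adnet.net", "id4.adnet.net", "id6.adnet.net",
}

# Assumed label shape: alphabetic stem followed by a bit number.
LABEL = re.compile(r"([a-z]+)(\d+)")


def sibling_clusters(store, min_siblings=3):
    """Group hosts as <label>.<parent>; labels that share a stem once the
    trailing number is removed count as one family.  Families with at least
    min_siblings members are returned as {(parent, stem): [numbers]}."""
    families = defaultdict(list)
    for host in store:
        label, _, parent = host.partition(".")
        m = LABEL.fullmatch(label)
        if m and parent:
            families[(parent, m.group(1))].append(int(m.group(2)))
    return {key: sorted(nums) for key, nums in families.items()
            if len(nums) >= min_siblings}


def decode_bits(numbers):
    """Article step 3: an HSTS entry on bitN means bit N is 1, so the
    identifier is the sum of 2**N over the present entries."""
    return sum(1 << n for n in numbers)


def audit(store, min_siblings=3):
    """Return one finding per suspicious family: (parent, stem, decoded id)."""
    return sorted((parent, stem, decode_bits(nums))
                  for (parent, stem), nums in sibling_clusters(store, min_siblings).items())


if __name__ == "__main__":
    for parent, stem, ident in audit(HSTS_STORE):
        print(f"{parent}: {stem}N cluster decodes to {ident}")
```

A parent domain that legitimately runs three or more numbered hosts (cdn1, cdn2, ...) will also trip this heuristic, so treat a hit as a prompt to clear that domain's HSTS state and see whether the entries come back, not as proof on its own.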

Favicon Cache Tracking

Your browser caches favicons (the little icons in browser tabs) to speed up loading. This innocent feature becomes a tracking vector.

The Technique

  1. Website serves a unique favicon per user on first visit
  2. Favicon is cached—browser won't request it again
  3. On return visits, the server checks whether, and which, favicon the browser requests
  4. Already cached (no new request) = returning user; new request = new user

Real-world example: A research paper demonstrated tracking users across 2+ years using favicon caches, even after they cleared all cookies and browsing history.

Why it's nasty: Favicons are rarely cleared. Most "clear browsing data" options don't touch them. Even switching to Incognito mode might not help if the favicon is already cached.

ETag Tracking

ETags (Entity Tags) help browsers know if cached content is fresh. When abused, they become persistent identifiers.

Normal ETag Flow

Server: ETag: "abc123"
Browser: (caches image with ETag "abc123")

Later...
Browser: If-None-Match: "abc123"
Server: 304 Not Modified (use cached version)

Tracking Abuse

First visit:
Server: ETag: "USER-ID-7a3b9f2c" ← Unique per user!

Return visit:
Browser: If-None-Match: "USER-ID-7a3b9f2c"
Server: "Ah, user 7a3b9f2c is back!"

→ Identifier stored in HTTP cache
→ Survives cookie deletion
→ Works across sessions

KISSmetrics scandal (2011): This company was caught using ETag tracking to respawn deleted cookies. They settled a class-action lawsuit but the technique lives on.
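Both the favicon and the ETag technique leave the same trace on the server side: a resource that hands a different value to every client. The Python script below is an added example (not code from this article or from any of the companies named) that runs that check over access-log entries. SAMPLE_LOG is constructed data in a simplified "client path status etag" format, and the thresholds are assumptions chosen for the illustration.

```python
"""Added example, not code from the article: a server-log check for cache
identifiers.  A legitimate ETag (or favicon) is a function of the content, so
one resource shows a handful of values over its lifetime; a tracking ETag is a
function of the visitor, so the number of distinct values grows with the
number of distinct clients.  SAMPLE_LOG is constructed data in a simplified
'client path status etag' format, not a real access log."""
from collections import defaultdict

SAMPLE_LOG = """\
10.0.0.1 /logo.png 200 "5d41402a"
10.0.0.2 /logo.png 200 "5d41402a"
10.0.0.3 /logo.png 304 "5d41402a"
10.0.0.1 /pixel.gif 200 "USER-ID-7a3b9f2c"
10.0.0.2 /pixel.gif 200 "USER-ID-0c1d2e3f"
10.0.0.3 /pixel.gif 200 "USER-ID-91ab55e0"
10.0.0.1 /pixel.gif 304 "USER-ID-7a3b9f2c"
10.0.0.4 /favicon.ico 200 "f1"
10.0.0.5 /favicon.ico 200 "f2"
10.0.0.6 /favicon.ico 200 "f3"
"""


def parse_log(text):
    """Return (client, path, status, etag) tuples from the simplified format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, path, status, etag = line.split(maxsplit=3)
        rows.append((client, path, int(status), etag.strip('"')))
    return rows


def suspicious_resources(rows, min_clients=3, ratio=0.9):
    """Flag paths whose distinct-ETag count keeps pace with the distinct-client
    count.  Returns {path: (clients, etags)}."""
    clients, etags = defaultdict(set), defaultdict(set)
    for client, path, _status, etag in rows:
        clients[path].add(client)
        etags[path].add(etag)
    flagged = {}
    for path in clients:
        n_clients, n_etags = len(clients[path]), len(etags[path])
        if n_clients >= min_clients and n_etags / n_clients >= ratio:
            flagged[path] = (n_clients, n_etags)
    return flagged


def sticky_clients(rows, path):
    """Second signal for a flagged path: on a tracking resource each client is
    always handed the same value back (the 304 answering If-None-Match shows
    the identifier stuck).  Returns how many clients saw exactly one ETag."""
    seen = defaultdict(set)
    for client, p, _status, etag in rows:
        if p == path:
            seen[client].add(etag)
    return sum(1 for values in seen.values() if len(values) == 1)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for path, (n_clients, n_etags) in suspicious_resources(rows).items():
        print(f"{path}: {n_etags} ETags across {n_clients} clients, "
              f"{sticky_clients(rows, path)} clients always got the same one")
```

Resources that are genuinely personalised (a per-user avatar, say) will show the same ratio, so the useful follow-up is to compare the bodies: tracking pixels and favicons serve identical bytes under different ETags, which is the part that has no legitimate caching purpose.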

localStorage & IndexedDB

Modern browsers provide powerful storage APIs. While not as sneaky as HSTS or ETags, they're commonly abused for tracking persistence.

localStorage

  • 5-10 MB storage per origin
  • Persists until explicitly cleared
  • Synchronous API (simple to use)
  • Often forgotten when clearing data

IndexedDB

  • Much larger storage capacity
  • Supports complex data structures
  • Async API with transactions
  • Often survives "clear cookies"

"Cookie syncing" combines these methods: if one storage mechanism is cleared, others restore the ID. Evercookie demonstrated respawning from 17 different storage locations.
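Respawning is easiest to spot by diffing the storage areas rather than watching any one of them: the same identifier turns up in several mechanisms, and clearing some of them leaves copies behind. The Python script below is an added example (not code from this article, nor from Evercookie) that performs that diff over a dump of the stores. SNAPSHOT is a constructed dump in an assumed store -> key -> value layout, not the output of any real browser tool, and the 8-character token rule is an assumption.

```python
"""Added example, not from the article: how a cookie-syncing / respawning
setup shows up when you diff a browser's storage areas.  The same identifier
appears in several mechanisms; clearing one leaves copies the page can read
back.  SNAPSHOT is a constructed dump (store name -> key -> value), not the
output of any real browser tool."""
import re

SNAPSHOT = {
    "cookie":       {"uid": "7a3b9f2c", "session": "k9"},
    "localStorage": {"_tid": "7a3b9f2c", "theme": "dark"},
    "indexedDB":    {"tracker/ids/0": "7A3B9F2C"},
    "window.name":  {"": "id=7a3b9f2c"},
    "etag-cache":   {"/pixel.gif": "USER-ID-7a3b9f2c"},
    "hsts-bits":    {"tracker.com": "42"},
}

# Assumed identifier shape: alphanumeric runs of at least 8 characters.
TOKEN = re.compile(r"[A-Za-z0-9]{8,}")


def identifier_tokens(value):
    """Candidate identifiers in one stored value, case-folded so hex written
    in different cases still matches."""
    return {t.lower() for t in TOKEN.findall(value)}


def cross_store_ids(snapshot, min_stores=2):
    """Map each token to the set of stores holding it; keep tokens present in
    at least min_stores distinct mechanisms."""
    where = {}
    for store, entries in snapshot.items():
        for value in entries.values():
            for token in identifier_tokens(value):
                where.setdefault(token, set()).add(store)
    return {t: s for t, s in where.items() if len(s) >= min_stores}


def respawn_sources(snapshot, cleared):
    """After clearing the given stores, which ones still hold each shared
    identifier and could be used to recreate the cleared copies?"""
    surviving = {k: v for k, v in snapshot.items() if k not in cleared}
    shared = cross_store_ids(snapshot)
    return {t: s for t, s in cross_store_ids(surviving, min_stores=1).items()
            if t in shared}


if __name__ == "__main__":
    for token, stores in cross_store_ids(SNAPSHOT).items():
        print(f"{token} is held in {len(stores)} stores: {sorted(stores)}")
    for token, stores in respawn_sources(SNAPSHOT, {"cookie", "localStorage"}).items():
        print(f"after clearing cookies and localStorage, {token} survives in {sorted(stores)}")
```

The practical reading of the output is the same one the article gives for the Tor and fresh-profile defences: an identifier that survives in even one store can be written back to all the others on the next visit, so clearing has to cover every mechanism at once.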

Other Supercookie Techniques

Flash LSOs (Deprecated)

Flash "Local Shared Objects" stored tracking data outside browser control. Mostly dead now that Flash is gone.

Silverlight Storage (Deprecated)

Microsoft's Flash competitor had similar isolated storage. Also dead.

window.name

Still works! The window.name property persists across page loads and can store tracking data invisibly.

CSS :visited History

Browsers now limit this, but historically your browsing history could be probed via CSS link styling.

Defense Strategies

Tor Browser

Best defense. New circuit = new identity. HSTS state is isolated. Clears everything on close.

Firefox: Clear on Close

Settings → Privacy → "Delete cookies and site data when Firefox is closed." Also check "Clear history when Firefox closes" with all options.

Chrome: Manual HSTS Clear

Visit chrome://net-internals/#hsts → Query/Delete HSTS entries. Tedious but effective.

Brave Browser

Aggressive defaults that clear various storage mechanisms. Good balance of usability and privacy.

The Nuclear Option

Use browser profiles. Create a new profile = completely fresh state. All HSTS, caches, and storage start from zero. Some privacy-focused users create disposable profiles for each browsing session.
