Words by c.z.robertson

A fun attack on DoubleClick.net

2000-06-19 01:00:00 UTC

I was looking at Mozilla's features for cookie management a few minutes ago and I noticed the ubiquitous DoubleClick id. It was in the form of an eight-digit hexadecimal number. (At least, that's what I assume it was. It could be something a little more sophisticated. If you know it to be so, please let me know.) Assuming that's correct, it would make a fun attack on the system to change the entry in your cookie to another random number in the same format, thus making you appear to be someone else.

Usually I would think that there were ethical problems with this kind of attack, since it could mess up the experience of other DoubleClick users. However, in this case I have no qualms whatsoever. If I thought that targeted advertising was a sufficiently good thing to outweigh the evils of having an unaccountable group collecting a database of the size and scope that DoubleClick require, or if I thought that anyone other than us techies had the slightest idea about what was going on and had deliberately opted in to the system, then I might think differently.

I suspect, though I'm not sure, that if this operation were taking place within the UK it would fall foul of the Data Protection Act, so any UK citizen about whom information is being collected by DoubleClick is allowing something to happen which they specifically rejected in their own country. This probably applies to other countries as well.

A while ago DoubleClick created an opt-out scheme, in which you could go to their website and set your id to be anonymous. In my opinion this didn't go nearly far enough. I believe that schemes of this kind should be opt-in rather than opt-out. If you agree, I invite you to do the same as me. I'll try to create some step-by-step guides in the next few days for those of you who wouldn't know a cookie or a hexadecimal number if you were hit over the head with one.