# Verizon supercookie uses http header injection to track users



## twilyth (Nov 6, 2014)

Not sure if this is the right forum for this so please move as needed.

Since 2012, Verizon has been injecting code into every network request you make from your phone that includes a unique identifier.  Since this code is clearly viewable in the header, it is available to every site you go to.  You cannot opt out of this tracking either.  Your only option is to use https or something like Tor or a VPN.

Story



> Verizon’s network — only its wireless network, as far as we know — injects your unique ID into every HTTP request. This doesn’t sound _that_ bad, until I tell you that HTTP headers are public. Every website you visit and every advertising network on that website (of which there could be dozens) can also use your X-UIDH. They don’t need permission from Verizon to do this — the header is right there, just waiting to be used. Even if you do run an add-on like Ghostery to block and delete tracking cookies, or enable Do Not Track, advertisers can still use the X-UIDH header to rebuild an accurate tracking cookie every time.
> 
> Now remember that the X-UIDH header may have been in place on Verizon Wireless’s network since 2012, and random third parties — that Verizon knows nothing about! — may have been building up a near-perfect history of your online behavior the entire time. The EFF reports that Verizon’s networking hardware even injects the X-UIDH header into the data stream of Verizon MVNOs, such as Straight Talk.


----------



## eidairaman1 (Nov 6, 2014)

gov ploy


----------



## Aquinus (Nov 6, 2014)

So it's almost like a static IP address. It's something that lets a HTTP service identify you in a way that may be more specific than an IP address. The only people who will find this useful are companies that already have your information and want to leverage it further. Without user data, this token basically just says you are someone who made a request to the server before. It's no different than making a second HTTP request with the same IP, "Oh, we've seen you before!"

All in all, people need to stop making mountains out of mole hills. This is what happens when people try to explain things they don't understand.


----------



## twilyth (Nov 6, 2014)

Aquinus said:


> So it's almost like a static IP address. It's something that lets a HTTP service identify you in a way that may be more specific than an IP address. The only people who will find this useful are companies that already have your information and want to leverage it further. Without user data, this token basically just says you are someone who made a request to the server before. It's no different than making a second HTTP request with the same IP, "Oh, we've seen you before!"
> 
> All in all, people need to stop making mountains out of mole hills. This is what happens when people try to explain things they don't understand.


Not really.  Once you enter your name and address on a website that you order from, that information can be shared and datamined.  So you actually become personally identifiable.  This is hardly making a mountain out of a mole hill.


----------



## ZenZimZaliben (Nov 6, 2014)

twilyth said:


> Once you enter your name and address on a website that you order from, that information can be shared and datamined.



That is not even remotely possible. It isn't a cookie and isn't something anyone else can write to. This is just an identifier inserted at the network provider level. While you could gain insight into usage you will never gain access to form submission data like name and credit card number. Now if you stayed on say Yahoo network properties they could for sure track where you went in their network and what you did to serve relevant ads to you... but that is it. This is nothing more than a new approach to behavioral marketing at a different level than session or cookie. The real problem is that the user cannot opt out of this tracking; that is the real security/privacy issue.


----------



## twilyth (Nov 6, 2014)

ZenZimZaliben said:


> That is not even remotely possible. It isn't a cookie and isn't something anyone else can write to. This is just an identifier inserted at the network provider level. While you could gain insight into usage you will never gain access to form submission data like name and credit card number. Now if you stayed on say Yahoo network properties they could for sure track where you went in their network and what you did to serve relevant ads to you... but that is it. This is nothing more than a new approach to behavioral marketing at a different level than session or cookie. The real problem is that the user cannot opt out of this tracking; that is the real security/privacy issue.


So . . . you don't think that websites share information?  Uh . . . yeah.  LOL.


----------



## ZenZimZaliben (Nov 6, 2014)

Share usage and behavior information. Yes I do.

And to your point, regardless of tracking mechanisms, if you believe that they all share your credit card numbers, first/last name... then making any online transaction is a very bad move. Because regardless of tracking, all any online store has to do is export their database and sell that data to the highest bidder; even with HTTPS and every safeguard in place your data is only as safe as the keepers of that data are honest. Which is a very scary thought on its own.


----------



## twilyth (Nov 6, 2014)

ZenZimZaliben said:


> Share usage and behavior information. Yes I do.


But not your name and address when you place an order?  OK.  You should keep believing that.


----------



## ZenZimZaliben (Nov 6, 2014)

Better never make a single online transaction ever. As I stated above, your data is only as secure as the keepers are honest and willing to keep it... regardless of alleged security.


----------



## twilyth (Nov 6, 2014)

ZenZimZaliben said:


> Better never make a single online transaction ever. As I stated above, your data is only as secure as the keepers are honest and willing to keep it... regardless of alleged security.


You're right.  Which is why I use aliases and a VPN for everything I do online and never use my phone for anything but casual surfing - but that's under an alias too so again, no big deal.

People used to think I was paranoid for doing this and I'm sure many probably still do, but that's changing.  And given how easy it is, there's really no excuse not to do things this way.  Virtually every credit card lets you set up authorized users.  All you need to do is create a few fake identities and make those "people" authorized users.  Then they become your online persona.  The only way to track any transaction back to you is to get the information from your card issuer or a credit report - which is going to be difficult with just a credit card number, especially if you use dynamically generated virtual accounts.


----------



## DayKnight (Nov 6, 2014)

twilyth said:


> LOL.



Don't worry. Ignore them when they don't understand and are stuck with their 'view', refusing to learn.

There are two types of people. Types like you and me, aka people with tinfoil hats, and types like them.

One reason I didn't reply to him. You can't talk to someone who, at a whim, makes everything look like a mole and a hill. Ignorance is bliss.


----------



## Aquinus (Nov 7, 2014)

DayKnight said:


> Don't worry. Ignore them when they don't understand and are stuck with their 'view', refusing to learn.
> 
> There are two types of people. Types like you and me, aka people with tinfoil hats, and types like them.
> 
> One reason I didn't reply to him. You can't talk to someone who, at a whim, makes everything look like a mole and a hill. Ignorance is bliss.


I'm sorry. I think your ignorance is showing. I say this because I...
A: Have a degree in computer science.
B: Am a web developer and manage several web-based projects.
C: Am intimately familiar with the HTTP spec.

I say this because I work with HTTP every day in my day job and I know damn well what I'm talking about. All they're adding is a unique identifier that says you are a unique person, much like a static IP, nothing more, nothing less. The only thing that this gives away is that you're a unique person different than other people with a different token on this HTTP request header. Any data that they can use they must collect on their own; this doesn't help them in any way, shape, or form. It does assist with security because they will know if you've logged in with that particular client before. I see it doing more good than bad.

...but please, ignore me and the voice of reason. I only work with stuff like this in my day job on a regular basis and understand that the concern here is minimal. There is zero expectation of anonymity with any TCP web traffic and this doesn't even give away any personal information other than that you're a unique person.

Seriously, get your head out of the sand. You give away more information when you do a Google search.


----------



## twilyth (Nov 7, 2014)

I think anyone who read the article can understand the mechanics of how this works.  It's not complicated.  The point is that a unique identifier gets sent to every site you visit on the web and it's not difficult to then match that with personal information that is inevitably collected such as when you place an order, fill out a form, etc.

The only way this would NOT be an issue is if you could rely on EVERY single site that collects personal information not to share it, and I would hope we all know better than to believe that at this point.


----------



## DayKnight (Nov 7, 2014)

Aquinus said:


> I'm sorry. I think your ignorance is showing.



but of course, you are right, I am wrong.

@twilyth

As you can see...


----------



## Aquinus (Nov 7, 2014)

DayKnight said:


> but of course, you are right, I am wrong.
> 
> @twilyth
> 
> As you can see...


Acting ignorant doesn't make you right.


twilyth said:


> I think anyone who read the article can understand the mechanics of how this works.  It's not complicated.  The point is that a unique identifier gets sent to every site you visit on the web and it's not difficult to then match that with personal information that is inevitably collected such as when you place an order, fill out a form, etc.
> 
> The only way this would NOT be an issue is if you could rely on EVERY single site that collects personal information not to share it, and I would hope we all know better than to believe that at this point.



So they all know that one person is unique across different sites. There are a lot of other things that can do that you don't need a unique identifier to do that. An email address gets you more information.


----------



## ZenZimZaliben (Nov 7, 2014)

Aquinus said:


> I'm sorry. I think your ignorance is showing. I say this because I...
> A: Have a degree in computer science.
> B: Am a web developer and manage several web-based projects.
> C: Am intimately familiar with the HTTP spec.



Here I sit with my Electrical Engineering Degree AND CIS minor AND 20 years of programming/web experience, but apparently a gut feeling is better logic. LMAO. Thank you for participating in this thread.

....But, but dey haz da Dataminerz. Best hide ur kidz, hide ur wife cauz they be dataminin errybuddy out here


----------



## twilyth (Nov 7, 2014)

Aquinus said:


> So they all know that one person is unique across different sites. There are a lot of other things that can do that you don't need a unique identifier to do that. An email address gets you more information.


I can't believe I have to actually explain this.  Does your email address get sent to every site you visit?  No.  So it's not the same thing at all.  At this point I can't tell if you really believe such a weak ass argument or if you're trying to find some reason to be adversarial.  I'm trying to give you the benefit of the doubt but it's becoming difficult.

edit:  and btw, let's not bury the lede here.  The fact remains that Verizon is using this to track everything that you do on the web - at least from your phone.  Of course we only know for sure at this point that they're tracking your internet usage on your phone.


----------



## ZenZimZaliben (Nov 7, 2014)

twilyth said:


> btw, let's not bury the lead here.  The fact remains that Verizon is using this to track everything that you do on the web - at least from your phone.  Of course we only know for sure at this point that they're tracking your internet usage on your phone.



Absolutely they are tracking your usage 100%. Verizon owns entire ad networks, so you can for sure bet that data is being pushed to any and all affiliates within their network. However, where we differ is the level of information being sent.


----------



## Aquinus (Nov 7, 2014)

twilyth said:


> I can't believe I have to actually explain this.  Does your email address get sent to every site you visit?  No.  So it's not the same thing at all.  At this point I can't tell if you really believe such a weak ass argument or if you're trying to find some reason to be adversarial.  I'm trying to give you the benefit of the doubt but it's becoming difficult.
> 
> edit:  and btw, let's not bury the lede here.  The fact remains that Verizon is using this to track everything that you do on the web - at least from your phone.  Of course we only know for sure at this point that they're tracking your internet usage on your phone.


A single unique ID doesn't give away ANY information. It's when you login to a site like TechPowerUp where you need an email address to register where your account might be tied to this unique ID but that still doesn't give away any information other than the information you already gave away to register. Once again, you still don't know what you're talking about and you need to get off your high horse and listen to what people are telling you.

I'm saying this all because I do it in my day job and I see this stuff all the time, you on the other hand just sit on TPU and post random articles like you're a wannabe TPU news staff.


ZenZimZaliben said:


> Absolutely they are tracking your usage 100%. Verizon owns entire ad networks, so you can for sure bet that data is being pushed to any and all affiliates within their network. However, where we differ is the level of information being sent.


This. If Comcast created some randomly generated ID for me that's unique to my account that every server request will see, what will a server *actually* see? A random id string, nothing more, nothing less. Also what are you worried about? Verizon giving HTTP sites the ability to identify you other than by your IP address or your physical location or any creds you may provide when you log in to a web site. Haha, really funny. How about you learn about what you're talking about instead of acting like you know everything.

I personally can't believe you're so close-minded and unwilling to listen and that you let fear overrun your sense of analytics. The simple fact is, you don't know what you're talking about. There is no sugarcoating it. Just because you read something on the internet doesn't make you an expert on the subject. Someone like me who works with it every day is much more likely to know what they're talking about because I use it at the server level all the time. Simply put, I know how to do my job...

So all in all, you can say I'm wrong, but that doesn't change how you're uneducated on the matter and how you can't explain what's actually going on.

The only people who have your personal information AND this token are:
A: Verizon.
B: Sites you've logged into (with password and credentials) with your account.

Is there a security risk? I seriously doubt it... but please, don't believe me.

I only am experienced in the subject so maybe I should start proving some points which I wish I didn't have to do because you're so close-minded but...

I have written a SAML 2.0 IdP and SP and I work with RESTful services every day. Hell, I've written and maintain a Ring routing library in Clojure that works at a very low level with HTTP requests (https://github.com/vlacs/helmsman), I also have been writing an integration service that uses REST (not quite Swamp of POX, and found at: https://github.com/vlacs/informer), I've also written a web framework in PHP, (https://github.com/jrdoane/PlumPHP), how about a SAML 2.0 SP for Clojure (https://github.com/vlacs/saml20-clj) Or a SAML 2.0 SP written for Moodle (which is PHP) (https://github.com/vlacs/moodle-auth_vlasaml20).

Also notice how I didn't list the SAML 2.0 IdP for code I've worked on. That's a REAL security hole if I gave that away. So yes, I know what I'm talking about and I'm not spitting stuff out my rear-end like you are.

What kind of work have YOU done that uses HTTP requests directly that proves you know what you're talking about? I've proven my point, how about you get off your high horse, stop acting like a child, and prove your point. I have, it's your turn...


----------



## twilyth (Nov 7, 2014)

And I hope you continue to believe in your own inflated sense of self worth.  I can see that getting you very far.  Fortunately I really don't care what you do or don't believe and am not quite as enamored of your intellectual prowess.  Good luck.  I think you're probably going to need it.


----------



## Aquinus (Nov 7, 2014)

twilyth said:


> And I hope you continue to believe in your own inflated sense of self worth.  I can see that getting you very far.  Fortunately I really don't care what you do or don't believe and am not quite as enamored of your intellectual prowess.  Good luck.  I think you're probably going to need it.


...but you do care about giving false impressions to people to scare them. My point is that you're wrong and that you have no grounds to say such ludicrous things. I'm just using my knowledge and experience to back up my claims. If all you can do is insult me, then you shouldn't be posting this kind of FUD, or even posting anything at all.

I'm not saying this because I'm on an ego trip. I'm saying this because I'm experienced with it and work with it regularly, but you seem more intent on insulting me for describing how you're wrong and why.


----------



## Mindweaver (Nov 7, 2014)

Guys let's calm down, and take a deep breath. Let's stop trying to predict other people's intelligence.


----------



## Easy Rhino (Nov 7, 2014)

I don't see what the big deal is with Verizon tracking my usage or with a website being able to collect data about me. I expect my wireless provider to track my usage for its benefit and I expect most sites to get my information one way or another. Verizon never claimed it would not track my usage, and websites, unless stated otherwise, don't claim to protect my history with them. And since there are so many ways to avoid being tracked if you so choose, it really is a moot point.


----------



## Frick (Nov 7, 2014)

Man I missed you twilyth, but you ARE a paranoid bitch man. No point in denying it.


----------



## twilyth (Nov 7, 2014)

Frick said:


> Man I missed you twilyth, but you ARE a paranoid bitch man. No point in denying it.


Yeah, no denying that.  But it's only paranoia if they're NOT really out to get you.


----------



## Aquinus (Nov 7, 2014)

twilyth said:


> Yeah, no denying that.  But it's only paranoia if they're NOT really out to get you.


I think you're over-exaggerating how much "people" (namely companies and the government) are tracking you. They don't need a little unique ID to learn everything about you. If some organization really wanted to "get you" they wouldn't need a stupid HTTP header like this to do it. But statements like that prove you have an attribution bias on the subject at hand. Fear is a powerful tool and succumbing to it doesn't make you right.


----------



## ZenZimZaliben (Nov 7, 2014)

Here is the basic code used to extract your carrier from the header... This is all it does.

```lua
-- Carrier detection based on identifier headers injected by the mobile network.
-- `headers` is the request header table; `acr` becomes the per-subscriber token.
local provider, acr
if headers['MSISDN'] then           -- TMO: T-Mobile injects the subscriber number
    provider = 'TMO'
    acr = crypt.hash(headers['MSISDN'])   -- number is hashed before use
elseif headers['X-UIDH'] then       -- VZN: Verizon injects the opaque X-UIDH token
    provider = 'VZW'
    acr = headers['X-UIDH']         -- token is used as-is
elseif headers['x-up-subno'] then   -- ATT: AT&T injects a subscriber number
    provider = 'ATT'
    acr = headers['x-up-subno']
elseif testmode then
    -- test hook: simulate a missing resource when asked to fail
    if not etag and headers['FAIL'] == 'true' then
        ngx.exit(ngx.HTTP_NOT_FOUND)    -- OpenResty/nginx Lua API
    end
end
```

So other than detecting the device you are on it doesn't do much else; just looking at that code it is almost not worth discussing. It is basically the same as Browser or Device detection such as Mobile/PC/Tablet. This just extracts what carrier the device uses.

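The site-operator side of the same lookup, as an added example (not code from the thread or from any carrier): it parses a raw plaintext request, flags the three carrier-injected identifier headers named in the snippet above, and strips them so they never reach logs, analytics or third-party calls. The sample request and its header value are constructed placeholders; one practical caveat it also shows is that HTTP header names are case-insensitive, which the exact-case lookups in the posted snippet do not handle.

```python
"""Detect and strip carrier-injected subscriber identifiers in HTTP request headers.

Added example, not from the thread. The three header names come from the Lua
snippet posted above; the sample request is constructed for illustration."""
from typing import Dict, List, Tuple

# Injected identifier headers named in the posted snippet, with the carrier
# label that snippet assigns to each. Keys are lowercase because HTTP header
# names are case-insensitive.
CARRIER_ID_HEADERS = {
    "x-uidh": "VZW",      # Verizon Wireless (and MVNOs on its network)
    "msisdn": "TMO",      # T-Mobile: subscriber phone number
    "x-up-subno": "ATT",  # AT&T: subscriber number
}


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 request into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def find_carrier_ids(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (carrier, header_name, value) for every injected identifier present."""
    return [(carrier, name, headers[name])
            for name, carrier in CARRIER_ID_HEADERS.items() if name in headers]


def strip_carrier_ids(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers without injected identifiers, to apply before the
    request reaches logs, analytics or any third-party call."""
    return {k: v for k, v in headers.items() if k not in CARRIER_ID_HEADERS}


# Constructed sample: a plaintext request as it might arrive through a carrier
# proxy. The header value is a placeholder, not a real token; the odd casing
# is deliberate, to exercise case-insensitive matching.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 4.4)\r\n"
    "x-UiDh: EXAMPLE-UIDH-TOKEN-0001\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    hdrs = parse_request_headers(SAMPLE_REQUEST)
    for carrier, name, value in find_carrier_ids(hdrs):
        print(f"carrier-injected identifier: {name}={value} ({carrier})")
    print("forwarded headers:", strip_carrier_ids(hdrs))
```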

----------



## twilyth (Nov 7, 2014)

Aquinus said:


> I think you're over-exaggerating how much "people" (namely companies and the government) are tracking you. They don't need a little unique ID to learn everything about you. If some organization really wanted to "get you" they wouldn't need a stupid HTTP header like this to do it. But statements like that prove you have an attribution bias on the subject at hand. Fear is a powerful tool and succumbing to it doesn't make you right.


You need to work on your sense of humor.


----------



## Mindweaver (Nov 7, 2014)

I'm for data collection... Please, hurry up and figure me out, and only show me what I like to buy, and what stores have it close to me...


----------



## twilyth (Jan 24, 2015)

For those that didn't believe this is an important issue, read this article - http://www.extremetech.com/mobile/1...ies-refuses-to-honor-its-own-opt-out-requests



> Let’s say you visit a website that employs this method _without_ the Verizon header. As detailed at Webpolicy.org, the system simply installs a standard tracking cookie. If you visit it with a Verizon header, the system sets a cookie ID that _corresponds to the Verizon header._ Remove the tracking cookie, and the system promptly reinstates it with the Verizon header. That’s why it’s being called a “zombie” cookie — it comes back once deleted.
> 
> No, the advertiser doesn’t know that UID=123456789 is John Doe from Maryland, but the advertising network can track everywhere that John Doe goes, every website he visits, and every page he touches. If you delete the tracking cookie it’s promptly reconstituted and reassociated with your profile. Full details are available at Mayer’s website, but the collateral damage is significant. Laptops tethered to cell phones on Verizon’s network, for example, can be infected by this process.


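A model of the "zombie cookie" behaviour the quoted article describes, added here as an example (not code from the article, Webpolicy.org or the thread): a toy ad server binds its cookie id to the X-UIDH value, so on plaintext HTTP a deleted cookie comes back with the same id, while on a connection where the network cannot add the header (HTTPS, VPN, Tor, as suggested earlier in the thread) clearing cookies yields an unlinked fresh id. The header value is a constructed placeholder.

```python
"""Model of the 'zombie cookie' respawn the quoted article describes.

Added example, not from the thread or the article. It shows why clearing
cookies does not help while the X-UIDH header is visible to the server, and
why it does help once the header is absent (HTTPS, VPN, Tor)."""
import itertools
from typing import Dict, Optional, Tuple


class RespawningTracker:
    """Ad-server side: issues cookie ids and keys them on the carrier header."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self._by_uidh: Dict[str, str] = {}  # X-UIDH value -> cookie id

    def handle(self, cookie: Optional[str], x_uidh: Optional[str]) -> str:
        """Return the cookie id the server sets (or keeps) for this request."""
        if x_uidh is None:
            # No carrier header: a deleted cookie is simply replaced by a new,
            # unrelated id, so the old profile cannot be continued.
            return cookie or f"c{next(self._ids)}"
        # Header present: the cookie id is bound to the header, so a deleted
        # cookie is re-issued with the same id and the profile continues.
        if x_uidh not in self._by_uidh:
            self._by_uidh[x_uidh] = cookie or f"c{next(self._ids)}"
        return self._by_uidh[x_uidh]


def simulate(header_visible: bool) -> Tuple[str, str, bool]:
    """Visit, revisit, clear cookies, revisit; report whether the id survived.

    header_visible=True models plaintext HTTP on the carrier network;
    False models HTTPS/VPN/Tor, where the network cannot add the header."""
    tracker = RespawningTracker()
    uidh = "EXAMPLE-UIDH-TOKEN" if header_visible else None  # placeholder value
    first = tracker.handle(None, uidh)            # first visit: cookie set
    assert tracker.handle(first, uidh) == first   # ordinary revisit keeps it
    after_clear = tracker.handle(None, uidh)      # user deleted cookies
    return first, after_clear, first == after_clear


if __name__ == "__main__":
    for label, visible in (("plaintext HTTP", True), ("HTTPS / VPN", False)):
        first, after, survived = simulate(visible)
        print(f"{label}: id {first} -> {after} after clearing; survived={survived}")
```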
----------



## qubit (Jan 24, 2015)

This reminds me of Intel's processor serial number scandal with the P3 all those years ago. Somehow it doesn't surprise me that these big companies will find any and all ways to track what you do.

People shouldn't be so blase about it.


----------

