Bizarre Apple Safari cookie bug perplexes users

Filed Under: Apple, Apple Safari, Featured, OS X, Privacy

For the past few weeks, it looks as though Safari on OS X 10.6.8 has not been handling website cookies correctly, as a Naked Security reader from Toronto pointed out recently.

This issue has also popped up on Apple's own Support Communities forum.

The problem is that even if you tell Safari to block all cookies, it doesn't. Websites use cookies to keep track of your browsing during and between sessions, so cookies and browsing privacy go hand in hand. It's therefore a rather worrying sort of bug when a browser doesn't deal with cookies precisely as you'd expect.

On OS X 10.6.7, setting the Safari 5.0.5 (build 6533.21.1) option Accept cookies: Never would do just that. Cookies would neither be stored nor transmitted by the browser.

Upgrade to OS X 10.6.8, however, and even though the Safari version and build number remain the same, the browser's behaviour does not. Some, but not all, cookies are stored and transmitted by the browser, even when you've insisted that Safari allow no cookies at all.

There's no obvious rhyme or reason to the cookies which sneak through when they aren't supposed to - in my tests (I visited apple.com/startpage, sophos.com and bing.com) a mixture of session, short-term and long-life cookies appeared in the mix.
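If you want to repeat this kind of test in a controlled way rather than against third-party sites, the following local probe server is an added example (not from the article): it offers the browser one session cookie and one persistent cookie via Set-Cookie headers plus one set from JavaScript, and on /check reports which of them the browser sent back. The cookie names, port and paths are assumptions chosen for this example; with "block all cookies" set, the expected verdict is "blocked".

```python
"""Local probe for checking whether a browser honours 'block all cookies'.

Added example, not code from the article. Run it, set the browser to block
all cookies, visit http://127.0.0.1:8000/ and then /check.
"""
import http.server
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed probe cookie names (assumptions for this example).
SESSION_NAME = "probe_session"   # set via Set-Cookie, no expiry
PERSIST_NAME = "probe_persist"   # set via Set-Cookie with Max-Age
JS_NAME = "probe_js"             # set from document.cookie in the page
PROBES = (SESSION_NAME, PERSIST_NAME, JS_NAME)


def parse_cookie_header(header):
    """Return {name: value} for a raw Cookie request header (None -> {})."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def leaked(header):
    """Sorted list of probe cookies the browser sent back; [] means blocked."""
    got = parse_cookie_header(header)
    return sorted(name for name in PROBES if name in got)


def verdict(header):
    names = leaked(header)
    return "blocked" if not names else "leaked: " + ", ".join(names)


class Probe(http.server.BaseHTTPRequestHandler):
    def _send(self, body, set_cookies=()):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for value in set_cookies:
            self.send_header("Set-Cookie", value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        path = urlsplit(self.path).path
        if path == "/check":
            # Step 2: report which probe cookies came back in the request.
            self._send(f"<p>Result: {verdict(self.headers.get('Cookie'))}</p>".encode())
        else:
            # Step 1: plant one session, one persistent and one JS cookie.
            page = (f'<script>document.cookie="{JS_NAME}=1; path=/";</script>'
                    '<p>Cookies offered. Now open <a href="/check">/check</a>.</p>')
            self._send(page.encode(), set_cookies=(
                f"{SESSION_NAME}=1; Path=/",
                f"{PERSIST_NAME}=1; Path=/; Max-Age=86400",
            ))


if __name__ == "__main__":
    http.server.HTTPServer(("127.0.0.1", 8000), Probe).serve_forever()
```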

In Safari 5.1, Apple's terminology does an about-face, so that you need to Block cookies: always - a command which somehow sounds even stronger than never allowing them - but the bug persists, at least on OS X 10.6.8.

(Note that the Privacy tab of the Preferences pane no longer shows you the actual cookies which are set, as it did in Safari 5.0.5. To view cookies in 5.1 you need to use Develop|Show Web Inspector|Resources|Cookies.)

Interestingly, this bug does not seem to appear on OS X 10.7, better known as Lion. Apple seems to have fixed the underlying fault, since Block cookies: always works as you would expect.

Nevertheless, this is cold comfort to those of us who can't, or won't, spend the $30 needed to upgrade to Lion. (As I mentioned before, I'm waiting until I can purchase an official, bootable, installable distribution of Lion before I'll go near it.)

You need to be able to rely on your browser to do the right thing with cookies. Wrongly managed, they represent a potentially significant privacy risk, since cookies are used for a variety of tasks from post-login session authentication to long-term user identification.

So, if you're a 10.6.8 user, why not report this bug to Apple? I did. It's easy: just visit Apple's official OS X Feedback page.



32 Responses to Bizarre Apple Safari cookie bug perplexes users

  1. sunbimr · 1095 days ago

    My best guess is that Adobe and its Flash cookies are spawning cookies in Safari, even after you delete and then relaunch Safari, the Flash cookies cause new cookies.
    I knew there was a reason I don't like Flash and the Flash cookies.

    • Paul Ducklin · 1095 days ago

      That seems a rather wild supposition to me. At least some of the cookies which appear when they ought not to are entirely unrelated to Flash - for example, they relate only to web site authentication. And even if Flash were somehow involved, the bug shows up as erroneously-saved cookies _in the browser's own stash_. Which shouldn't happen.

      I think if you want to dislike Flash, it would be fair to find a reason which stands up to scientific scrutiny. Coming up with such reasons is left, as they say in Theory of Computation textbooks, as an exercise to the reader :-)

    • Dan · 1083 days ago

      Except for you're totally wrong, that's a good idea. Flash 'cookies' aren't like regular web cookies and do not show up in the cookie list as shown here. Apple is the problem - not Adobe. Don't be such a mindless fanboy.

  2. Deane Goodman · 1095 days ago

    Sorry sunbimr, but that's a ridiculous response.

    I don't know you to judge, but that sounds like a typical Apple fanboy response: Apple say that Flash is evil so Flash must be evil. There may be valid reasons for disliking Flash, but this not one of them.

    If the issue was down to Flash then OS X 10.6.7 would have the same issue as OS X 10.6.8, but it doesn't.

    Bottom line: There is a bug in OS X 10.6.8 and this bug has security implications. More disconcertingly, why haven't Apple highlighted/publicised/fixed this bug in this version of OS X.

  3. anthony aaron · 1095 days ago

    As you said -- "I'm waiting until I can purchase an official, bootable, installable distribution of Lion before I'll go near it."

    Earlier this week, several articles appeared on various Mac-related web sites outlining the simple steps to make a bootable, installable of Lion on either a DVD or a USB thumb drive.

    • Paul Ducklin · 1095 days ago

      As I said, I'm waiting until I can purchase an official, bootable, installable distribution of Lion before I'll go near it.

      Firstly, I want the assurance that Apple officially supports and endorses my right to reinstall off-line, to a disk of my choice, at a time of my choice.

      Secondly, I don't want to have to have to have an App Store account _to buy the OS itself_. If I suspect that OS X is going down the "closed shop/closed filing system" approach of iOS, I'm going to switch back to Linux or one of the open-source BSDs.

      Thirdly, I want to pay cash, thanks.

      • Matt · 1095 days ago

        You can pay cash: buy an iTunes card from a service station.

        Your other reasons are weak.

        • Paul Ducklin · 1095 days ago

          Hmmm. Well reasoned argument there. You almost convinced me...other than the complete lack of explanation :-)

          Sorry. I don't want to use an operating system that I can't reliably, officially and easily reinstall from a vendor-approved installation medium. I can't see how that's a "weak" reason for not being willing to buy what purports to be a brand new version of an operating system in the form of a one-shot update from the previous version.

          And as for an unwillingness to be forced to shop "at the company store", I'm against that. Just seems a risky path to go down, ceding ever more control back to Apple. (Apple won't approve software in the App Store which contains kernel drivers, or which installs files outside the Applications hierarchy. Fancy a file in /usr/local/bin? Sorry. No App Store for you. Yet Apple itself chooses to publish _the whole OS_ there. "Do as I say, not as I do." I don't quite know why that makes me feel something isn't right. But it does.)

      • Matt · 1095 days ago

        You want a good reason? How about software that won't run. I have plenty of that.

        • Paul Ducklin · 1095 days ago

          That's a good reason. Care to share some examples?

          • http://roaringapps.com/apps:table gives the breakdown.
            The main issues are with some Adobe products and Intuit Quicken (not Essentials, which doesn't support the same features).

            I'm in the middle of the month of "what do I need to do to get my environment working on Lion" myself... I figure by the time the USB version comes out, I should have all the show stopping issues ironed out. So far, I've found replacements for all my software that won't work, although things like having to recompile all of Adobe's bundled CS4 Applescripts because they compiled them PPC-only is a bit of a pain. On the plus side, NeoOffice now has builds supporting all Lion's versioning/resume/etc. features, so Office files are not only covered, but covered well.

      • Forget paying cash, just pay by saying thanks and torrent it. It's what all the cool kids are doing nowadays.

      • Jose Cardoso · 1095 days ago

        I'm sorry but you sound like a pretentious prick.

        There has been a verifiable and reliable way to install Lion from DVD or USB media since Lion Developer Preview 1.

        Simply open the package contents of the Lion installer as downloaded from the App Store and burn the InstallESD.dmg file to a USB stick or DVD.

        I have been doing this for months now with no issues and no side effects.

        Of course Apple will be selling $60 Lion USB sticks in August for fools like you so feel free to waste that extra $40 on a pointless crusade.

        • Paul Ducklin · 1094 days ago

          Pretentious? Watashi wa?

          Interestingly (or perhaps not), pretension is an attitude. In that respect, it can at least be adopted or shrugged off at will. But you, Sir, are both illiterate and innumerate, characteristics which cannot. Touché!

          (I'm joking. But only just, since I'm rarely delighted to be addressed as both a prick and a fool.)

          On the literacy front, I'm looking for confirmation that Apple _officially endorses_ standalone installation. The fact that there's a workaround is not enough. Note the word "official". I can't see why it's too much to ask or expect OS vendors to support officially the reinstallation of their OS from scratch on a new disk, without going through "install the old one and go back online" hoops.

          As for numeracy, I too have heard that the USB sticks will be $60. Let's assume that's correct. If so, that's not an extra $40 but an extra $30. Lion doesn't cost $60-$40, after all. It costs $60-$29.99. (Did you like how they sneakily increased the price of the upgrade by nearly 3.5% with that easily-overlooked 99 cents - so much for the downward pressure on prices exerted by the App Store.)

        • Darren · 1072 days ago

          Amazing!!!

          I, like Paul, would prefer if things went wrong to use an official disk to reinstall from, rather than make my way back to some no-longer-supported version and then try to update online to the latest version of the OS. Sometimes I just like that comfort and to know everything I depend on, I have at hand, rather than requiring online connectivity and account credentials.

          However, even if I didn't, I'd respect his right to his own opinion. Calling him a prick or fool just because he doesn't share your viewpoint is hilarious - you really are a complete knucklehead. Your friends must be very proud to know you :-)

  4. It's things like these that make Chrome my go-to browser on my Mac; that and Incognito mode, I'm a big fan of that.

  5. Aaron Sigel · 1095 days ago

    Assuming that someone took the time to see that cookies that they tested were not being set in Safari when purposely browsing and looking for them, it is not unlikely or impossible that what is occurring is that the cookies are being set by other WebKit-based clients.

    See, even if Safari is abiding by the setting to not accept cookies, that may not be the case with other applications such as Mail.app, the Mac App Store, 3rd-party software, and others. Since code doesn't normally do things for "no rhyme or reason" I suspect that affected users may be able to test this out easily. Just clear your cookie store and watch it as you surf and do nothing else. If it doesn't grow, then start reading your email (especially if you have the loading of remote images enabled in Mail.app), or use 3rd party software, and watch to see if cookies suddenly start showing up.

    Safari may well be abiding by its preference setting to not accept cookies while other WebKit based clients may not have such a setting and be setting cookies in there. The cookie store in question is ~/Library/Cookies/Cookies.plist

    If I am right about this, it does not mean that this is all that expected behavior to users, but at least should shed some light on what may be occurring. It also can help users who are concerned about it figure out what actions they, their operating system, or their third party software are taking that causes this. Correlation between the cookies and the applications is often very telling (for example, what domains the cookies are being set for.)

    That said, if I had an affected system I would test this out. It's not like Apple never has real security bugs.

    • Paul Ducklin · 1095 days ago

      I implied in the article that the bug is not strictly in Safari, since 5.0.5 starts showing this behaviour after you move from 10.6.7 to 10.6.8, although the 5.0.5 build number stays the same.

      I'm not sure what you mean, though, by "even if Safari is abiding by the setting to not accept cookies" and "Safari may well be abiding by its preference setting to not accept cookies".

      In my tests - and I had an affected system, so I actually _did_ test it out - I think I showed that Safari is definitely _not_ abiding by its preference settings.

      I told Safari to "block cookies always," (or "allow cookies never" with 5.0.5), removed all cookies _with Safari_ and immediately browsed to the web pages listed above _with Safari_. I then examined the cookie stash _with Safari's own cookie examination tool_. And there they were.

      So I think we can regard my conclusion as safe, namely, there's a cookie-handling bug somewhere in 10.6.8, and it's readily made obvious by the use of Safari alone.

      Whether this bug can be revealed with the use of software other than Safari is interesting, and possibly even important. But your thought experiment doesn't swerve me from my conclusion that there's a cookie-handling bug and it reveals itself in Safari :-)

      • Aaron Sigel · 1095 days ago

        As far as abiding by the preference to not accept cookies, I was just indicating that even if Safari didn't accept new ones, other applications could, and those could end up getting served.

        You seem to think that because it shows up with "Safari's own cookie examination tool" that it is added proof that it was set by Safari. This is not actually how cookies work with the Cookies.plist store. So that doesn't really add much weight to the argument either way.

        It sounds like your test was likely accurate.

        That said, I am sure you are technical enough to have evaluated if extensions or plug-ins could be related to this, but just on the safe side it seems worth mentioning they could do it too. Note that sometimes depending on the plugin or extension it may happen right about the same time. I've specifically seen that happen with password managers, and expect the same is true for anti-phishing toolbars.

        Again, not saying any of this is right, just that it seems possible, and could help those affected to know why or when it might occur.

        • Paul Ducklin · 1094 days ago

          I regard it as "proof enough" that after visiting (say) sophos.com with all cookies blocked, and then immediately going to Safari's Privacy pane, the browser tells me "one website has set cookies".

          But you are right to remind everyone that since this issue doesn't appear to be Safari-specific, but OS X cookie management specific, it's actually a broader privacy glitch than I might have implied.

          So if you do report it, perhaps make this point as well :-)

      • Aaron Sigel · 1095 days ago

        By the way, it is obviously important for people to highlight potential privacy bugs in products and make sure that they get the attention/fixing they deserve, so overall your cause is a good one. I assumed that went without saying.

        Additionally, I am glad to see you guiding people to notify the vendor.

  6. artfrankmiami · 1095 days ago

    Can we please stop saying Flash haters are "Apple Fanboys". Flash was a great way to do many things when it came out, but developers became lazy and assume everyone has high speed broadband and bloat their code. A friend of mine still codes his Flash like it's 1999 and 56k modems. Then of course hackers figured a way to use Flash to distribute their malware. Yeah, it's a pain to have an iPhone (which I don't) and Flash based sites don't work. I think the other beef was over video distribution. Flash usually hiccups and Jobs put that hardware rendering built in because he felt it was better.

    I have a Mac, I complain all the time I feel ripped off, but I have a software investment, so I put up with it, plus I still think it works better than PCs, but Windows 7 worked pretty good when I had to use it.

    I don't blame Paul for not wanting to use the app store. I want a disk, too.

  7. Peter Bance · 1095 days ago

    There may be a small amount of rhyme or reason involved here - from the examples you show (and a quick look at apple.com), two of the cookies set are session cookies, set via HTTP requests, while the third appears to have been set by JavaScript. Were any persistent cookies set through HTTP requests for Bing or Sophos? Did the previous version of Safari block session cookies as well?

    I'm just wondering if the difference between the OS versions is with the JDK, rather than the browser...

    Of course, it's not our job to help Apple troubleshoot their code, but I feel there must be *some* logic behind what is and isn't blocked!

  8. Lowly Guest · 1072 days ago

    Maybe because I'm not as technologically savvy as everyone here and being cynical .... Could it simply be that Apple has decided to make more bucks by partnering with the businesses that benefit from leaving all those cookies, tracers, ads, etc. and allowing these cookies, etc. in? I find it extremely strange that for "lesser" versions of the browser and hardware the issue didn't exist and now with this version when it's supposed to improve issues - it actually caused more issues. Also a point made above about going to Lion if you use Snow Leopard - to "fix" the problem .... hmmmm. I think it's all about money for Apple and Apple the company and creator of Safari is the problem. Create a "need" to upgrade, buy more software, etc. and make $$, either from the Apple customer or by making money from the advertisers, etc. by allowing them to infiltrate your computer and harass you whether you want it or not.

    Just a lowly guest's comments.

  9. Dave · 1048 days ago

    I am on 10.6.8 and using Safari 5.1. Block cookies is set to NEVER. I download via an IMG tag a transparent GIF from a third-party site that has a set-cookie header with a session cookie. It is not being saved. Can't get much simpler than that in demonstrating the problem.

  10. Agmois · 848 days ago

    I am running OSX 10.7.3 and Safari 5.1.5 (7534.55.3) and have "privacy" set to "Always" (block cookies). After I delete all the cookies, they are slowly coming up the list again. WTF?

  11. Lisa · 842 days ago

    I'm having the same issue. I have all cookies blocked but over and over again they reappear. I even delete adobe cookies manually and clear all meta data and still the cookies show up. I don't know why apple doesn't fix this. There is also an issue with web sites not loading or loading incompletely. For instance, say I go to some site I want to buy something at. It appears to load but when I try to click on an item or place something in a shopping cart nothing happens. The page is frozen. reloading and clearing cookies does not resolve it. Contacting the web site leaves them stumped. It happens at numerous sites. What can I do?

  12. disgusted · 779 days ago

    Does anybody think the "cookie bug" in Safari is anything other than an Apple strategy to get people to fork over $30 for Lion?

  13. fred · 438 days ago

    I have been running Lion since the outset and still can't block cookies.
    I run CCleaner.com to clean my Mac, but they come back every time I browse.

  14. Hayden · 387 days ago

    I am on Mac OS 10.8.4 and Safari 6.0.5 and this is also happening to me.

    People at Apple, this is a security and privacy issue!! Apple was renowned for being good at security, why is it you are letting us down?

  15. bko · 375 days ago

    I have the same problem with an inability to block cookies (OS 10.6.8; Safari 5.1.8), but sites which demand cookies think I have cookies turned off. If I check "block: [cookies] from third parties and advertisers" I am allowed to view the site.
    I now presume ALL cookies are allowed (as if I had checked "block [cookies]: never") because unsavory cookies from nowhere turn up regularly. Checking the library indicates I have no cookies saved.
    I wipe cookies and cache clean at least once a day. That, at least, seems to work for preventing many targeted ads and googlevision. Updates have not yet fixed the problem.
    Does anyone think Apple doesn't know about this?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog