COMMAND

    IE

SYSTEMS AFFECTED

    IE 5.x

PROBLEM

    Guille (Bisho) found the following. The Microsoft website
    http://search.msn.com.mx uses a method to store the searches done
    in its search engine, but without cookies and without a login and
    password. You could deactivate cookies, delete them, log off your
    ISP, close the browser, reboot, and the data will be there again.

    The link to the script is:

        <A CLASS='CLSSAVE' HREF="" onClick="StoreResult( 1, 'DE' );return false;" ID='DES1'>

    The function is inside:

        <SCRIPT SRC="searchui_IE5.js" LANGUAGE="JScript">

    This is an ugly script without newlines. Guille has processed it
    a bit to make it more readable:

        $ cat searchui_IE5.js | awk '{ gsub(";", ";\n") } { gsub("}"," }\n") }
        { gsub("{"," {\n") } { gsub("function","\n\nfunction") } { print $0 }'

    The results are in:

        http://www.eurielec.etsit.upm.es/~bisho/searchui_IE5.js.txt

    It uses the so-called "User Data Persistence" technology from
    Microsoft.

    Extracted from the Microsoft knowledge database:

        Persistence

        One big pain in  the neck for users  on the Web is  going to a
        Web page,  modifying it  the way  they want  it, leaving, then
        returning to  the site  to find  it's not  the same: the trees
        are  collapsed,  forms  filled-out  have  disappeared, and the
        page must be reset. Internet  Explorer 5.0 takes some of  this
        pain away  by providing  Web-page persistence  via a scripting
        tag.

        Internet Explorer 5.0 provides four types of persistence:

        [...]
        User Data Persistence: Allows an XML-based storage methodology
        for saving  large amounts  of user  data. If  you have a large
        amount of data that you want  to save from some point in  time
        (for example, all of  your favorite sport's teams'  scores for
        the  last  10  years),  you  can  use  persistence rather than
        cookies.
        [...]

    Most people deactivate cookies, or set them to the warn level, but
    "User Data Persistence" has no warn level and is hidden far away
    from the cookie security options. This could be used to track
    users without their knowledge, when they expect to be safe without
    cookies.

    This indeed seems to be the case.  Deleting all cookies,  emptying
    the  cache  and  removing  everything  from the Temporary Internet
    Files  folder  does  not  make  a  difference.  The web site still
    displays the saved queries.

    After some digging  around Aleph1 found  where the data  is stored
    (at  least  on  his  machine).   On  his  Windows  NT  4.0 machine
    running IE 5 the data is stored under

        C:\WinNT\Profiles\<user>\UserData\81urcl6v\oQRStore[1].xml

    It seems some ActiveX control is being used to save XML to the
    local machine.
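
    An added example, not part of the original advisory: a Python audit
    that walks a profile's UserData directory (the location Aleph1
    found) and lists each persisted XML store with its size and saved
    values. The sample tree, the ROOTSTUB element, the attribute names
    and the handling of the "[n]" file name suffix are constructed
    assumptions.

```python
import os, re, tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the element and attribute names are assumptions,
# not the contents of a real store.
SAMPLE_XML = '<ROOTSTUB sQuery1="privacy tools" sQuery2="ie5 cookies"/>'

def audit_userdata(userdata_dir):
    """List every XML store found under a profile's UserData directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(userdata_dir):
        for name in sorted(files):
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            entry = {
                "path": os.path.relpath(path, userdata_dir),
                # Assumption: "[n]" is an on-disk counter, as in the
                # file name quoted above, and not part of the store name.
                "store": re.sub(r"\[\d+\]\.xml$", "", name, flags=re.I),
                "bytes": os.path.getsize(path),
                "values": None,
            }
            try:
                # Saved values are read from the root element's attributes
                entry["values"] = dict(ET.parse(path).getroot().attrib)
            except ET.ParseError:
                pass  # unreadable store: still report that it exists
            findings.append(entry)
    return findings

def build_sample(base):
    """Create a constructed UserData tree mirroring the path above."""
    sub = os.path.join(base, "UserData", "81urcl6v")
    os.makedirs(sub)
    with open(os.path.join(sub, "oQRStore[1].xml"), "w") as fh:
        fh.write(SAMPLE_XML)
    with open(os.path.join(sub, "broken[1].xml"), "w") as fh:
        fh.write("<ROOTSTUB")  # truncated file
    return os.path.join(base, "UserData")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_userdata(build_sample(tmp)):
            print(f["path"], f["store"], f["bytes"], f["values"])
```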

    There is a good possibility that something fishy is going on
    there. The XMLHTTP object is installed and registered with IE5 and
    functions without prompt under default settings. The example code
    below will send an HTTP request to MS, fetch the response and
    parse it as HTML:

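        <script>
        // Synchronous GET via the XMLHTTP ActiveX object; under default
        // IE5 settings no prompt is shown to the user.
        function SubmitTrackingInfo() {
            var objHTTP = new ActiveXObject("Microsoft.XMLHTTP");
            objHTTP.open("GET", "http://www.microsoft.com", false);
            objHTTP.send();
            // Write the response body into the page so it is parsed as HTML
            var xmlDoc = objHTTP.responseText;
            document.write("<html>" + xmlDoc + "</html>");
        }
        SubmitTrackingInfo();
        </script>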

    In the case of the search.msn.com example, there is additional
    data being sent back to the server: objHTTP.send("BSTR")}function
    fnInit(store). Clearly the name of the function firing all this,
    "SubmitTrackingInfo", can suggest some things. More so given the
    recent "ballyhoo'd" announcement by MS to allow greater control
    over privacy for their customers, with the addition of a "cookie"
    privacy control add-on for Internet Explorer 5:

        http://www.microsoft.com/presspass/features/2000/jul00/07-20cookies.asp

    So, while _everyone_ else's "cookies" are curtailed by this
    privacy add-on for Internet Explorer, Microsoft's operations
    utilise this method of "non-cookie" tracking? Conspiracy theory
    of course.

SOLUTION

    Not a big problem but certainly a privacy issue. Advertisers
    would love to use something like this, since the user is not
    aware of where the data is stored.

    userData Behavior

        http://msdn.microsoft.com/workshop/author/behaviors/reference/behaviors/userData.asp

    saveSnapshot Behavior

        http://msdn.microsoft.com/workshop/author/behaviors/reference/behaviors/savesnapshot.asp

    Persistence Methods in Explorer

        http://msdn.microsoft.com/workshop/author/persistence/overview.asp