Abuse of security feature of iPad and iPhone allows cookieless user tracking, even on a new device

Abuse of a security feature of the iPad and iPhone allows attackers to track you even if you have cleared your cookies or replaced the device. Safari, the browser of choice for Apple devices, allows websites to store a flag (HTTP Strict Transport Security, HSTS) indicating that the site should always be visited over a secure HTTPS connection. If you later visit the site without using HTTPS, the browser remembers the flag and redirects you to the HTTPS version of the site.

iPad Air

The redirect protects your browsing session from being intercepted. However, the stored flag that triggers the redirect can be abused by attackers: a site can use it to store a unique number that identifies and tracks you. Once the number is on your device, other sites can read it as well.

The issue was discovered by former Microsoft employee and software consultant Sam Greenhalgh, who writes on his site: "Once the number is stored it could be read by other sites in the future. Reading the number is just a matter of testing if requests for the same web addresses are redirected or not."

Greenhalgh calls the stored number an "HSTS Super Cookie". According to Greenhalgh, the method cannot be evaded by, for example, using the browser's incognito or private mode. These modes block access to the cookies stored in your regular browsing session, but the HSTS Super Cookie can still be read in private mode.
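As an added illustration (not part of the original article and not Greenhalgh's code), the following Python script shows how a defender could spot the two halves of this technique in a simplified HTTP proxy log: a page that loads resources from many sibling hostnames of one domain and sets HSTS on only some of them (writing the value), and a later page that requests the same sibling hostnames over plain HTTP (reading it back, since the browser silently upgrades only the hosts that carry a flag). The log format, the hostnames and the sibling-host threshold are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed (constructed) proxy log format, one response per line:
#   <page that triggered the request> <method> <url> <status> <Strict-Transport-Security header or ->
LINE_RE = re.compile(r"^(?P<page>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<hdr>.*)$")

# Assumption: an ordinary page rarely pulls resources from this many sibling
# hosts of a single domain, while an HSTS super cookie needs one host per bit.
SIBLING_THRESHOLD = 6


def parent_domain(host):
    """Naive registrable domain: the last two labels (a real tool would use the public suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def find_hsts_supercookie_candidates(lines, threshold=SIBLING_THRESHOLD):
    """Return one finding per (page, domain) that looks like an HSTS super cookie write or read."""
    # page -> parent domain -> host -> {"hsts": bool, "plain_http": bool}
    seen = defaultdict(lambda: defaultdict(dict))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        url = urlsplit(m["url"])
        host = url.hostname
        if not host:
            continue
        entry = seen[m["page"]][parent_domain(host)].setdefault(
            host, {"hsts": False, "plain_http": False})
        if m["hdr"].lower().startswith("strict-transport-security:"):
            entry["hsts"] = True        # this host just planted an HSTS flag (a "1" bit)
        if url.scheme == "http":
            entry["plain_http"] = True  # plain-HTTP probe: the browser did not upgrade this host

    findings = []
    for page, domains in seen.items():
        for domain, hosts in domains.items():
            if len(hosts) < threshold:
                continue  # too few sibling hosts to encode a tracking value
            hsts_hosts = sorted(h for h, e in hosts.items() if e["hsts"])
            probed = sorted(h for h, e in hosts.items() if e["plain_http"])
            if hsts_hosts:
                findings.append({"page": page, "domain": domain, "phase": "write",
                                 "sibling_hosts": len(hosts), "hsts_set_on": hsts_hosts})
            if probed:
                findings.append({"page": page, "domain": domain, "phase": "read",
                                 "sibling_hosts": len(hosts), "probed_over_http": probed})
    return findings


def constructed_log():
    """Constructed sample traffic: a normal site, then a tracker writing and later reading an 8-bit value."""
    lines = [
        "https://news.example/article GET https://www.news.example/style.css 200 -",
        "https://news.example/article GET https://static.news.example/logo.png 200 Strict-Transport-Security: max-age=31536000",
    ]
    ones = {0, 2, 5}  # bits the tracker wants to store as "1"
    # Write phase: the page loads a pixel from 8 sibling hosts; only the "1" hosts send HSTS.
    for i in range(8):
        hdr = "Strict-Transport-Security: max-age=31536000" if i in ones else "-"
        lines.append(f"https://news.example/article GET https://b{i}.track.example/p.gif 200 {hdr}")
    # Read phase on a later visit: the same hosts are requested over plain http; hosts that
    # already carry an HSTS flag are upgraded to https by the browser before the request leaves.
    for i in range(8):
        scheme = "https" if i in ones else "http"
        lines.append(f"https://shop.example/cart GET {scheme}://b{i}.track.example/p.gif 200 -")
    return lines


if __name__ == "__main__":
    for finding in find_hsts_supercookie_candidates(constructed_log()):
        print(finding)
```

The legitimate site (two hosts, one of them setting HSTS) is not flagged; the tracker domain is flagged once for the write and once for the read. In a real deployment the threshold should be tuned against the organisation's own traffic, and the naive two-label domain grouping replaced with a public suffix list lookup.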

"Because HSTS is a security feature and isn't intended to be used for tracking, web browsers treat it differently from cookies. It is only by intentional misapplication that HSTS can be exploited to track users", Greenhalgh writes.

Although browsers still have access to the HSTS Super Cookie in private mode, the Super Cookie is erased when a user clears all cookies in Firefox, Chrome and Opera (Internet Explorer currently does not support HSTS and is therefore not affected). However, on Safari, the default browser on iPads and iPhones, there is no way to clear the Super Cookie.

Greenhalgh is worried about how Safari handles the Super Cookie: "HSTS flags are even synced with the iCloud service so they will be restored if the device is wiped. In this case the device can effectively be 'branded' with an indelible tracking value that you have no way of removing."

So far Greenhalgh has not found the feature abused in the wild, but he cannot rule out that it is being used somewhere he does not know about. On his site you can check whether your browser is vulnerable.