I was thinking about the recently reported Firefox Cookie Bug https://bugzilla.mozilla.org/show_bug.cgi?id=370445 , especially the second demo http://lcamtuf.dione.cc/ffhostname_cnn.html , which allows the extraction of cookie values from a 3rd party site. This had me examining the cookies set by Google when I log in and log out.
I wasn't particularly happy to find my unencrypted email address available in a cookie in a Google subdomain, even after having logged out (set to persist for 5 years). Regardless of Fx bugs, this isn't particularly sane Personally Identifiable Information (PII) management. Not to say that Google is the only one doing this, either – there are most definitely other high-profile sites that write this type of data to cookies.
Anyone heard any rumblings about this in the wild?