What is Cookie Stuffing Online

Cookies have been used on the Internet since its inception for both good and bad purposes. By using cookies to track the activity of users online, companies can provide them with a more personalized experience. However, since this can be abused, there have been many rules, regulations, and laws put in place determining how cookies can be used. Even so, there are still some who would ignore these regulations and engage in illegal practices such as “cookie stuffing.” However, to understand what cookie stuffing is, you first need to understand what affiliate marketing is.

Affiliate Marketing

Affiliate marketing is when a publisher known as an affiliate sells a product that someone else owns. When an affiliate makes a sale, they get a cut of the revenue. This is called a commission. Cookies are used to track this using embedded code in an affiliate link. This way whenever a customer uses the link to get to the online store where they make their purchase the affiliate marketer that set up the link will get credit.

What is a Cookie?

To understand the inner workings of a cookie, you need to know the components that it’s made of. Here is a quick list of what makes up a tracking cookie:

  • Name
  • Path
  • Expiration Date
  • Domain
  • Value

When it comes to cookie stuffing, the most important components are the path and domain. The path determines what parts of a site can use the cookie, while the domain indicates the issuer of the cookie. Using this information as a part of a cookie stuffing code contained in the value allows unethical individuals to hijack sales from affiliate websites.

How Cookie Stuffing Works

A cookie stuffing script is usually applied to a person’s web browser. When the person with the infected browser makes purchases online, the cookie will then give credit to whoever installed it. Cookie stuffing can affect specific web pages or entire websites. It just depends on the circumstances. In any case, cookie stuffing will rob affiliates of commissions that are rightfully theirs.

For example, let’s say that a publisher creates a blog centered around reviewing dog care products and posts an affiliate link at the end of each review to the store where they can be bought. If a person using a browser infected with cookie stuffing code visits their blog and uses their affiliate link to make a purchase, then the owner of the blog will not get credit for the sale. Instead, the credit, and the commission to be paid, will go to whoever installed the cookie stuffing script in the infected browser.

How Do Malicious Cookies Get on a Website?

In addition to web browsers, cookie stuffing can also be used on affiliate websites directly. Generally speaking, there are four ways that unwanted cookies can infect a website:

  • JavaScript
  • Stylesheets
  • Iframes
  • Pop-Ups

In the case of popups and iframes, it is usually a matter of the publisher accidentally installing malicious code. For example, they may download a popup program in an attempt to increase sales but the popups have a cookie stuffing script in them that will give credit for those sales to the third party.

JavaScript and stylesheets are much more subtle when used for cookie stuffing. JavaScript can redirect visitors to any page using third-party affiliate cookies that steal credit for sales. CSS stylesheets are even more deceptive and can be used to disguise third-party affiliate links as images.

How to Deal With Cookie Stuffing

Preventing cookie stuffing is difficult. However, knowing how to detect cookie stuffing will allow you to get rid of it before much harm is done. To determine whether or not a site contains malicious third-party cookies, you can clear your browser’s cookies and then visit the site to check what cookies are being added to it. This will instantly reveal any malicious cookies and/or cookie stuffing that’s going on.

If you run an affiliate website, you can also detect cookie stuffing by checking your analytics regularly. If there are significant deviations in traffic/conversions it could be a sign of cookie stuffing. Also, if you review your user data and find cookies being set without any action being taken, such as clicking an affiliate link, then that’s a sign that your site may be the victim of cookie stuffing.

Overall cookie stuffing is a very deceptive way for unethical individuals to make a profit at the expense of others. However, cookie stuffing is easy to recognize and eliminate if you’re vigilant and check your website and/or browser regularly.

GeoEdge is the trusted cyber security and ad quality partner for publishers and platforms in the digital advertising industry. With more than a decade of experience, we’ve built solutions to prevent tomorrow’s threats, today.‎

Malvertising, the practice of sprinkling malicious code into legitimate-looking ads is growing more sophisticated. GeoEdge’s holistic ad quality solution has you covered.


450+ Publishers & Platforms