Cookie stuffing refers to a trick employed by affiliate marketers to earn commissions. These marketers infect a system with a tracking cookie without the owner’s consent. The cookies then make it super easy for them to earn commissions illegally.
The act of cookie stuffing is fraudulent and goes against the affiliate program’s terms of service. It’s so serious that affiliates caught practising cookie stuffing get banned or blacklisted. It also violates privacy laws in most countries as it is a form of unauthorized monitoring.
How does cookie stuffing work?
Cookie stuffing takes advantage of how browsers interact with the cookies involved in affiliate marketing. When a user clicks on an affiliate link and purchases an item off of the vendor’s page, the site creates a unique tracking cookie which is sent to the user’s device.
The tracking cookie helps identify the affiliate account that linked the user with the merchant so that the user can be paid the commission. Cookie stuffing corrupts this process, forcing the user’s browser to secretly download affiliate cookies so that the attacker can then claim compensation for any purchases the user makes.
An attacker can execute “cookie stuffing” by embedding frames, images, and other hidden elements onto websites to push requests to the attacker’s tracking URL. It can also involve using malicious scripts to mimic user activity.
Harmful effect of cookie stuffing
- Unfair distribution of revenue: An affiliate committing cookie stuffing can present more activity even though much of it was gotten through fraudulent means. Legitimate affiliates are robbed of fair compensation by default, casting a shadow of doubt in the legitimacy and quality of the affiliate program altogether if anyone can game it to their advantage.