Yet another bit of history repeating
They used to store state on the customer machine so you could do all kinds of interesting things by playing with the cookies.
When I tried to report it to them, they subscribed me to a mandatory, no-opt-out, one-month marketing campaign including cold calls, so I know _WHAT_ kind of attention to expect from reporting any vulnerabilities in the future.
I just cut the card and chucked it in the bin after that. They are persona non grata in my household.