Skip to main content

Favicons may be used to track users

Security researchers of the University of Illinois at Chicago have discovered a new method to track Internet users that is persistent across sessions, even if users clear cookies and the browsing cache.

The research paper Tales of F A V I C O N S and Caches: Persistent Tracking in Modern Browsers highlights that favicons may be used in conjunction with fingerprinting techniques to track users.

Favicons are used by site to display a small site icon, e.g. in the address bar of browsers that support it but also elsewhere, e.g. in the bookmarks or tabs. Favicons are cached by the browser, but are stored independently from other cached items such as HTML files or site images.

Users who use built-in functionality to clear the cache will have these cached files removed from storage but not favicons. In other words: favicons persist over browsing sessions even if the user clears the cache, and they are accessible even in private browsing or Incognito mode sessions.

Browsers detect and cache favicons of sites automatically, and sites may use a single line of code to specify their favicon.

A single favicon is not enough to identify users based on it, but the researchers discovered a way to plant multiple favicons in the favicon cache. The site does a series of redirects through several subdomains to save multiple different favicons in the cache. Each saved favicon creates its own entry in the cache, and all of them together can be used to identify users provided that enough favicons are saved using the methodology.

favicon attack

Redirects happen without any user interaction as everything is controlled by the site in question.

The researchers tested the attack against the Chromium-based browsers Google Chrome, Brave, Safari and Microsoft Edge, and found them all vulnerable to the attack. They did try the attack on Firefox but found a bug that prevented the browser from reading cached favicon entries. Once fixed, Firefox would likely be vulnerable to the attack as well.

The attack takes a bit of time according to the research paper, but it should be possible to improve the performance with optimizations.

We find that combining our favicon based tracking technique with immutable browser-fingerprinting attributes that do not change over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds.

The researchers suggest several mitigation and counter-measure options, all of which require that browser makers change favicon-related functionality.

Now You: What is your take on this new tracking method?

This article was first seen on ComTek's "TekBits" Technology News

HOME