Researchers have discovered a new technique that can track internet users using the humble Favicon. The method doesn’t need a specific web browser as all the major ones are vulnerable.
Concerningly, the newly discovered method can track users across multiple sessions. Moreover, domains, websites, or determined internet services can track users even if they regularly clear cookies and their browsing cache.
Favicon is one of the most persistent and resilient of digital objects:
Security researchers of the University of Illinois at Chicago have published a research paper titled ‘Tales of F A V I C O N S and Caches: Persistent Tracking in Modern Browsers’. The paper reveals a new method to track Internet users that is persistent across sessions. Moreover, tracking can continue uninterrupted even if Internet users clear their web browser cookies and the browsing cache.
Favicons are tiny icons that represent the websites users visit. While some website developers ignore this feature, the majority of websites deploy a miniature version of their main icon as the Favicon.
Persistent tracking of users without cookies? With favicons! Yes, the little icons next to the URL bar in your web browser. User interaction/consent not needed. Supercookie! #GDPR #ePrivacy https://t.co/X7qaFn5neC pic.twitter.com/GBgiIqb5pD
— Lukasz Olejnik (@lukOlejnik) January 14, 2021
Favicons appear not only in the address bar of browsers that support them but also in bookmarks and tabs.
In addition to the aforementioned places, web browsers also cache Favicons. However, they store them separately. In other words, browsers do not keep them together with other cached items such as HTML files or site images.
All this means Favicons are omnipresent in a web browser, much more than internet users assume. What’s even more concerning is that by their very nature, Favicons are far more resilient to obliteration by conventional digital cleaning tools.
Web browsers usually offer built-in functionality to clear the cache, which privacy-conscious users rely on. While these cleaning tools can get rid of cached files from storage, the Favicons are left untouched.
Simply put, Favicons persist over browsing sessions even if the user clears the cache. Incidentally, Favicons are present and accessible even during private browsing or Incognito mode sessions.
How Favicons enable user tracking, and how to safeguard against the method
A website merely needs a single line of code to specify its Favicon. Web browsers detect and cache the Favicons of sites automatically.
Incidentally, a single favicon is not enough to identify users. However, researchers have discovered a way to plant multiple favicons in the favicon cache.
To set tracking in place, a website can execute a series of redirects through several subdomains. Doing so will force the web browser to save multiple Favicons in the cache. Redirects do not need any user interaction.
Firefox is resistant to new favicon-fingerprinting—not because of some superior anti-tracking mechanism, but rather due to a bug via /r/firefox https://t.co/AN8WT0RXaz
— Daniele Scasciafratte 🇮🇹 (@Mte90Net) January 19, 2021
Each saved Favicon creates its own entry in the cache. A website can plant a large enough set of these entries and use that set to identify a user.
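A defender-side check for the redirect chain described above, written as an added example that is not from the research paper or this article: it scans a navigation log for chains that load documents on many subdomains of one site, each with its own favicon fetch. The log format, the `min_hosts` threshold and the two-label parent-domain rule are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def parent_domain(host):
    # Assumption: the last two labels are the registrable domain. Use the
    # Public Suffix List in real tooling (this is wrong for e.g. co.uk).
    return ".".join(host.split(".")[-2:])

def favicon_redirect_chains(log, min_hosts=4):
    """Flag navigations that auto-loaded documents on at least min_hosts
    distinct hosts of one parent domain, each followed by a favicon fetch.
    Returns {(nav_id, parent_domain): [hosts]}."""
    docs = defaultdict(set)   # (nav, parent) -> hosts that served a document
    icons = defaultdict(set)  # (nav, parent) -> hosts a favicon was fetched from
    for nav_id, kind, url in log:
        host = urlsplit(url).hostname or ""
        key = (nav_id, parent_domain(host))
        (icons if kind == "favicon" else docs)[key].add(host)
    findings = {}
    for key, hosts in docs.items():
        stored = sorted(hosts & icons.get(key, set()))
        if len(stored) >= min_hosts:  # threshold is an assumed tuning value
            findings[key] = stored
    return findings

# Constructed sample log: (navigation id, resource kind, URL).
SAMPLE_LOG = [
    # Navigation 1: five subdomains loaded in one chain, each with a favicon.
    *[(1, kind, f"https://s{i}.site.example/{path}")
      for i in range(1, 6)
      for kind, path in (("document", ""), ("favicon", "icon.png"))],
    # Navigation 2: ordinary apex-to-www redirect.
    (2, "document", "https://shop.example/"),
    (2, "document", "https://www.shop.example/"),
    (2, "favicon", "https://www.shop.example/favicon.ico"),
    # Navigation 3: single sign-on hop chain, favicon only on the final app.
    (3, "document", "https://login.corp.example/"),
    (3, "document", "https://idp.corp.example/"),
    (3, "document", "https://app.corp.example/"),
    (3, "favicon", "https://app.corp.example/favicon.ico"),
]

if __name__ == "__main__":
    for (nav, parent), hosts in favicon_redirect_chains(SAMPLE_LOG).items():
        print(f"navigation {nav}: {len(hosts)} favicon-serving hosts under {parent}")
```

Ordinary redirects and single sign-on chains stay below the threshold because only the final page fetches a favicon; a chain in which every hop does is what stands out.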
Favicons, when used with other standard digital user fingerprinting techniques, are a powerful and effective way to track internet users. Researchers tested the Favicon tracking technique on Chromium-based browsers (Google Chrome, Brave, and Microsoft Edge) and on Safari. All of these browsers were vulnerable.
With current technology and these preliminary techniques, the Favicon tracking method is a bit slow and cumbersome, the researchers say. However, websites can improve its performance with optimizations.
The only way to protect internet users from such stealth tracking tech is to alter the way Favicons are managed. In other words, browser makers must change their Favicon-related functionality.