As Apple prepares to launch its anti-tracking update for iOS, Facebook and other companies that have built their business on invading users’ privacy are nervous about the future. But there’s always a new vulnerability waiting to be discovered. For instance, researchers now claim that a website’s favicon can be used to stealthily track users in a way that’s difficult to shake off.
Favicons are that tiny little icon that displays in the corner of a browser tab when you have a website open. On Gizmodo, you should see a “G” logo in the tab above. German software designer Jonas Strehle has published a proof of concept on GitHub that he says demonstrates a method in which the favicon’s cache can be used to store a unique identifier for a user that is readable “in the browser’s incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers.”
As Motherboard points out, Strehle started building the project after reading a research paper from the University of Illinois at Chicago that describes the technique. The basic gist of the method starts with the fact that favicon’s get cached in your browser the first time you visit a website. When you return to the site, the browser checks to see if the favicon has been stored in its own special home on your machine that’s called the F-Cache. If the data is out of date or missing, the browser requests data from the website’s servers. Strehle explained what happens next in a write up on his website:
A web server can draw conclusions about whether a browser has already loaded a favicon or not:
So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent.
By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client.
When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.
Long story short, the favicon is an innocuous little bugger that can become what Strehle calls a “supercookie,” making it very hard for a user to avoid being tracked by a site.
Researchers at the University of Illinois in Chicago said that the tracking method works in all major browsers and due to the severity of the threat, they have proposed “changes to browsers’ favicon caching behaviour that can prevent this form of tracking, and have disclosed our findings to browser vendors who are currently exploring appropriate mitigation strategies.”