New browser-tracking hack works even when you flush caches or go incognito


The prospect of Web users being tracked by the sites they visit has prompted several countermeasures over the years, including using Privacy Badger or an alternate anti-tracking extension, enabling private or incognito browsing sessions, or clearing cookies. Now, websites have a new way to defeat all three.

The technique leverages the use of favicons, the tiny icons that websites display in users’ browser tabs and bookmark lists. Researchers from the University of Illinois, Chicago said in a new paper that most browsers cache the images in a location that’s separate from the ones used to store site data, browsing history, and cookies. Websites can abuse this arrangement by loading a series of favicons on visitors’ browsers that uniquely identify them over an extended period of time.

Powerful tracking vector

“Overall, while favicons have long been considered a simple decorative resource supported by browsers to facilitate websites’ branding, our research demonstrates that they introduce a powerful tracking vector that poses a significant privacy threat to users,” the researchers wrote. They continued:

The attack workflow can be easily implemented by any website, without the need for user interaction or consent, and works even when popular anti-tracking extensions are deployed. To make matters worse, the idiosyncratic caching behavior of modern browsers lends a particularly egregious property to our attack, as resources in the favicon cache are used even when browsing in incognito mode due to improper isolation practices in all major browsers.

The attack works against Chrome, Safari, Edge, and until recently Brave, which developed an effective countermeasure after receiving a private report from the researchers. Firefox would also be susceptible to the technique, but a bug prevents the attack from working at the moment.

employed the technique. Device fingerprinting can work even when people use multiple browsers. In response, some browsers have attempted to curb the tracking by blocking fingerprinting scripts.

Two seconds is all it takes

Websites can exploit the new favicon side channel by sending visitors through a series of subdomains—each with its own favicon—before delivering them to the page they requested. The number of redirections required varies depending on the number of unique visitors a site has. To be able to track 4.5 billion unique browsers, a website would need 32 redirections, since each redirection translates to 1 bit of entropy. That would add about 2 seconds to the time it takes for the final page to load. With tweaks, websites can reduce the delay.
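The redirect-chain pattern described above is visible from the network side: one client bounced through many sibling subdomains in quick succession, each answering with a redirect and each serving its own favicon. The following is an added example written for this page (it is not code from Ars, from the researchers, or from any browser vendor) showing a simple detection heuristic a proxy or network-monitoring team could run over request logs. The log format, client addresses, and domain names (tracker.example, news.example) are constructed for the example; the thresholds are assumptions, not values from the paper.

```python
"""Heuristic detector for favicon-redirect tracking chains (added example).

Scans constructed proxy-style request logs for a client that was redirected
through many distinct sibling subdomains of one site inside a short window,
where each of those hosts also served a favicon. That shape matches the
favicon-cache tracking technique described in the article; the numbers below
are illustrative thresholds, not figures from the research paper.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format (not a real proxy format): "<ISO timestamp> <client> <status> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")
FAVICON = "/favicon.ico"


def _line(offset_ms, client, status, url):
    """Build one constructed log line, offset_ms after a fixed start time."""
    ts = datetime(2021, 2, 10, 9, 0, 0) + timedelta(milliseconds=offset_ms)
    return f"{ts.isoformat()} {client} {status} {url}"


# Constructed sample: client 10.0.0.5 is bounced through ten sibling subdomains
# of tracker.example, each answering 302 and each serving its own favicon,
# before landing on the page it asked for.
SAMPLE_LOG = []
for i in range(10):
    SAMPLE_LOG.append(_line(120 * i, "10.0.0.5", 302, f"https://r{i}.tracker.example/"))
    SAMPLE_LOG.append(_line(120 * i + 40, "10.0.0.5", 200, f"https://r{i}.tracker.example{FAVICON}"))
SAMPLE_LOG.append(_line(1300, "10.0.0.5", 200, "https://www.tracker.example/article"))
# Benign traffic: a single http->https redirect plus one favicon on a news site.
SAMPLE_LOG.append(_line(2000, "10.0.0.6", 301, "http://news.example/"))
SAMPLE_LOG.append(_line(2050, "10.0.0.6", 200, f"https://news.example{FAVICON}"))
SAMPLE_LOG.append(_line(2100, "10.0.0.6", 200, "https://news.example/"))


def registered_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the constructed sample,
    a real deployment would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def parse(lines):
    """Parse constructed log lines into event dicts, skipping malformed lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, status, url = m.groups()
        u = urlsplit(url)
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "status": int(status), "host": u.hostname, "path": u.path or "/"})
    return events


def find_chains(lines, min_hops=8, window=timedelta(seconds=10)):
    """Flag (client, registered domain) pairs redirected through at least
    min_hops distinct sibling hosts that each also served a favicon, all inside
    one window. 'capacity' is 2**hops: the number of browsers such a chain could
    distinguish if, as the article explains, every redirection carries one bit."""
    groups = defaultdict(list)
    for e in parse(lines):
        groups[(e["client"], registered_domain(e["host"]))].append(e)
    findings = []
    for (client, domain), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        favicon_hosts = {e["host"] for e in evs if e["path"] == FAVICON}
        hops = [e for e in evs if 300 <= e["status"] < 400 and e["path"] != FAVICON]
        for i in range(len(hops)):
            hosts = set()
            for e in hops[i:]:
                if e["ts"] - hops[i]["ts"] > window:
                    break
                if e["host"] in favicon_hosts:
                    hosts.add(e["host"])
            if len(hosts) >= min_hops:
                findings.append({"client": client, "domain": domain,
                                 "hops": len(hosts), "capacity": 2 ** len(hosts)})
                break
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['hops']} favicon-bearing redirect hops "
              f"(could distinguish up to {f['capacity']} browsers)")
```

The benign http-to-https redirect on news.example is ignored because it contributes only one hop, while the ten-hop chain through r0 to r9 on tracker.example is reported with a capacity of 1024 identifiers. Raising min_hops toward the 32 the article cites reduces false positives at the cost of missing sites that track a smaller audience.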

NDSS Symposium.

A Google spokesman said the company is aware of the research and is working on a fix. An Apple representative, meanwhile, said the company is looking into the findings. Ars also contacted Microsoft and Brave, and neither had an immediate comment for this post. As noted above, the researchers said Brave has introduced a countermeasure that prevents the technique from being effective, and other browser makers said they were working on fixes.

Until fixes are available, people who want to protect themselves should investigate the effectiveness of disabling the use of favicons. Searches here, here, and here list steps for Chrome, Safari, and Edge respectively.
