As Apple prepares to release its anti-tracking update for iOS, Facebook and other companies that have built their businesses by invading users’ privacy are concerned about the future. But there is always a new vulnerability waiting to be discovered. For example, researchers now claim that a website’s favicon can be used to track users in a way that is difficult to get rid of.
A favicon is the little icon that appears in the corner of a browser tab when you open a website. On Gizmodo, you should see a “G” logo on the tab above. German software designer Jonas Strehle published a proof of concept on GitHub that, he said, demonstrates a method in which the favicon cache can be used to store a unique identifier for a user that can be read “in incognito browser mode and it is not cleared by downloading the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers.”
As Motherboard points out, Strehle started building the project after reading a research article from the University of Illinois at Chicago that describes the technique. The method starts from the fact that a favicon is cached in your browser the first time you visit a website. When you return to the website, the browser checks whether the favicon has been stored in its own dedicated cache on your machine, called the F-Cache. If the data is out of date or missing, the browser requests it from the website’s servers. Strehle explained what happens next in an article on his website:
A web server can draw conclusions about whether a browser has already loaded a favicon or not:
So when the browser requests a web page, if the favicon is not in the local F-Cache, another request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent.
By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client.
When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.
In short, the favicon is an innocuous little bugger that can become what Strehle calls a “supercookie”, making it very difficult for a user to avoid being tracked by a website.
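The mechanism Strehle describes can be modeled entirely in memory. The following is an added example, not Strehle's proof of concept or the researchers' code; the path names, the 8-bit identifier width and the `clear_f_cache` step (a browser that does drop its F-Cache) are assumptions made for illustration. It shows why clearing cookies leaves the identifier intact while dropping the favicon cache removes it.

```python
# In-memory model only: no network and no real browser are involved.
N_BITS = 8                                   # assumed identifier width
PATHS = [f"/p{i}" for i in range(N_BITS)]    # hypothetical per-bit URL paths

class Browser:
    """A favicon cache (F-Cache) kept separately from cookies."""
    def __init__(self):
        self.f_cache = set()
        self.cookies = {}

    def visit(self, path, server):
        # A favicon request is sent only when the icon is not in the F-Cache.
        if path not in self.f_cache and server.favicon_request(path):
            self.f_cache.add(path)

    def clear_cookies(self):
        self.cookies.clear()      # the F-Cache is untouched

    def clear_f_cache(self):
        self.f_cache.clear()      # assumed mitigation: drop cached favicons

class Server:
    def __init__(self):
        self.mode, self.serve, self.seen = "read", set(), set()

    def favicon_request(self, path):
        """Return True if an icon is delivered (and so becomes cacheable)."""
        self.seen.add(path)
        return self.mode == "write" and path in self.serve

    def assign(self, browser, ident):
        """Write: deliver icons only on paths whose bit in ident is 1."""
        self.mode = "write"
        self.serve = {p for i, p in enumerate(PATHS) if (ident >> i) & 1}
        for p in PATHS:
            browser.visit(p, self)

    def identify(self, browser):
        """Read: deliver nothing; a path with no request was cached (bit 1)."""
        self.mode, self.seen = "read", set()
        for p in PATHS:
            browser.visit(p, self)
        return sum(1 << i for i, p in enumerate(PATHS) if p not in self.seen)

def demo():
    server, browser = Server(), Browser()
    server.assign(browser, 0b10110010)        # constructed sample identifier
    first = server.identify(browser)
    browser.clear_cookies()
    after_cookies = server.identify(browser)  # unchanged by cookie clearing
    browser.clear_f_cache()
    after_flush = server.identify(browser)    # looks like a fresh browser
    return first, after_cookies, after_flush
```

In this model a browser whose F-Cache has been dropped is indistinguishable from one that has never visited, which is why the cache's behavior is where a fix has to land.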
Researchers at the University of Illinois at Chicago said the tracking method works on all major browsers and, due to the severity of the threat, they proposed “changes in browsers’ favicon cache behavior that can prevent this form of tracking, and disclosed our discoveries to browser vendors who are exploring appropriate mitigation strategies.”