Demo



Site favicon - a small 16 * 16 or 32 * 32 pixel .ico icon on a browser tab. Helps you navigate hundreds of tabs. Twitter has a blue bird, Gmail has a red mail symbol, Wikipedia has a bold W.



But it turns out that these icons represent a vulnerability through which you can perform fingerprinting - to identify the user even through VPN and incognito mode in the browser (see demo ).



German programmer Jonas Strehle in the Github repository describes a method for installing a non-removable super cookie through favicons: “Super cookies assign unique IDs to site visitors through favicons. Unlike traditional tracking methods, this ID is retained almost forever and cannot be removed by the user using simple methods. The tracking method works even in incognito mode. Super Cookies are not deleted when you clear your cache, close your browser or restart your system, use a VPN or ad blockers. ”

How fingerprinting works

To display the icon, the following attribute is inserted into the page code:

<link rel="icon" href="/favicon.ico" type="image/x-icon">
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

Favicons should be very easily accessible through a browser. Therefore, they are cached in a separate local database, the so-called favicon cache (F-Cache), where the URL, favicon ID and lifetime are stored.



When a user visits the site, the browser checks the local F-Cache for an entry containing the URL of the active website. If the entry is found, the icon is loaded from the cache. If there is no entry, the browser sends a GET request to download the favicon from the server.



This mechanism allows the server to learn a lot about the visitor. By combining the status of delivered and failed favicons for specific URLs, the client is assigned a unique template (identification number). Then the ID is saved:

const N = 4;
const ROUTES = ["/a", "/b", "/c", "/d"];
const ID = generateNewID(); // -> 1010 • (select unassigned decimal number, here ten: 10 -> 1010b in binary)
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

const vector = generateVectorFromID(ID); // -> ["/a", "/c"] • (because [a, b, c, d] where [1, 0, 1, 0] is 1 -> a, c)
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

After reloading the site, this ID can be restored from the list of network requests sent by the client for the missing favicons - and thus identify the browser.

const visitedRoutes = [];
Webserver.onvisit = (route) => visitedRoutes.push(route);  // -> ["/b", "/d"]
Webserver.ondone = () => { const ID = getIDFromVector(visitedRoutes) }; // -> 10 • (because "/a" and "/b" are missing -> 1010b)
      
      

        
        
        
      

    
        
        
        
      
      

        
        
        
      

    
    

The author launched a website to demonstrate fingerprinting using favicons. The source code and a detailed description of the mechanism have been published .



The worst part about this vulnerability is how easy it is to bypass traditional methods that people use to protect their privacy. Fingerprinting breaks through the "private" mode of Chrome, Safari, Edge and Firefox, Strehle said. Cache cleaning, VPN or ad blocker - nothing gets in the way of malicious favicons.



The same conclusions were reached by researchers from the University of Illinois in the recently published scientific paper "Tales of Favicons and Caches: Persistent Tracking in Modern Browsers""We found that combining our favicon tracking technique with fingerprinting via immutable browser attributes allows the site to recover a 32-bit tracking ID in two seconds," the study said. - Due to the severity of the vulnerability, we suggest making changes to browser caching of favicons to prevent this form of tracking. We have shared our findings with browser vendor developers who are currently exploring mitigation options. ”



Fingerprinting via favicons currently works in all major browsers, including mobile ones (plus sign):





The following table shows the minimum time required to carry out an attack. The actual figure also depends on additional factors such as internet connection speed, location, hardware performance and browser type.