New browser history leak through favicon

Recently I came across this PDF study (an article based on it has already appeared on Habr). After reading it, I decided to look for more interesting ways to use F-Cache. Objectively, nobody in their right mind will put a redirect scheme like that on their website. It is a leak, but one of more theoretical than practical interest (IMHO).
I set myself a goal (to find a way to probe F-Cache from JavaScript) and started looking. During the experiments I identified several ways to do this, but I will describe the one I find most interesting.
I warn you in advance: this is not a cross-browser technique. So far I have only tested it on desktop Chrome.
The preliminary test can be taken here: https://favicon-leak.site/
How it works

Chromium has two types of resource cache: disk and memory. As many have guessed, the disk cache is persistent storage for resources, but with its own read latency (1+ ms). The memory cache, in turn, holds frequently used resources temporarily, and reads from it are, on average, instantaneous (0 ms). By placing a resource in the memory cache, the browser reduces the number of disk reads and speeds up reloading of the resource.
When we first load an image via <img>, it is either fetched from its src or taken from the disk cache. In both cases the image is usually also placed in the memory cache. Consider this JavaScript code:
var some_image_url = "https://example.invalid/favicon.ico"; // placeholder: any image URL
var img = new Image();
img.src = some_image_url;
// Checked synchronously, right after setting src: a network or disk-cache load
// would still be in progress at this point.
if (img.complete && img.height + img.width > 0) {
	// if TRUE, the image is in the memory cache
}
It is this code that lets you check whether an image is present in the memory cache. From this we can draw the following conclusion: if you load an image via <img> at least twice, the second time it should come from the memory cache.
<img> + <img> + <img> + <img>

The behavior of the <link rel="icon"> tag differs from <img>: reloading the same image through it always reads it from disk:
<link> + <link> + <link> + <link>

The key find was this browser behavior:
<img> + <img> + <link> + <img>

, <link>, disk cache <img> ( memory). , F-Cache. ! <link> F-Cache, , memory cache, . , , F-Cache . ,

<img> + <img> + <link> + <img> <— , , F-Cache .. memory cache. , F-Cache.
, 100%- , .. <link>(, ), setTimeout. timeout, , <link> .
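The <img> + <img> + <link> + <img> sequence above, as an added example that is not code from the original article: it runs the four steps against one icon URL and reports whether the final <img> was served synchronously from the memory cache. The env object (so the same logic runs in a browser or under a fake environment), delayMs, the step names and the '/favicon.ico' placeholder are assumptions introduced here; what the final true/false observation means for F-Cache is what the article's own experiment establishes, the code only records the observation.

```javascript
// Added example: reproduce the <img> + <img> + <link> + <img> sequence and record,
// after each <img> step, whether the image was synchronously complete (memory cache).
// `env`, `delayMs` and the step names are assumptions made for this example.

// Predicate from the article: an image that is complete with non-zero dimensions
// immediately after setting src came from the memory cache.
function isMemoryCacheHit(img) {
  return Boolean(img.complete) && (img.height + img.width) > 0;
}

// Real DOM environment; only evaluated when runSequence is called without `env`.
function browserEnv() {
  return {
    img(url) { const i = new Image(); i.src = url; return i; },
    link(url) {
      const l = document.createElement('link');
      l.rel = 'icon';
      l.href = url;
      document.head.appendChild(l);
      return l;
    },
    wait(ms) { return new Promise((resolve) => setTimeout(resolve, ms)); },
  };
}

// steps: array of 'img' | 'link'. Returns the per-step observations (null for a
// <link> step) and whether the last <img> was served from the memory cache.
async function runSequence(url, steps, env = browserEnv(), delayMs = 100) {
  const hits = [];
  for (const step of steps) {
    if (step === 'img') {
      hits.push(isMemoryCacheHit(env.img(url)));
    } else if (step === 'link') {
      env.link(url);
      await env.wait(delayMs); // the <link> load is asynchronous; give it time to finish
      hits.push(null);
    } else {
      throw new Error(`unknown step: ${step}`);
    }
  }
  return { hits, lastImgFromMemory: hits[hits.length - 1] === true };
}

const FAVICON_SEQUENCE = ['img', 'img', 'link', 'img'];

// Browser usage against your own site's icon ('/favicon.ico' is a placeholder path).
if (typeof document !== 'undefined') {
  runSequence('/favicon.ico', FAVICON_SEQUENCE).then((r) => console.log(r));
}
```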
F-Cache

F-Cache , , . F-Cache cache policy -. F-Cache read-only .
https://favicon-leak.site/

Using automated Chrome, I put together a small list of favicon links for popular sites. https://favicon-leak.site/ checks the icons from this list. By the time you read this article some of the links may be out of date and will return a false negative.
Code on github