With a few tricks, website favicons can be converted into a kind of cookie replacement. A study by the University of Illinois in Chicago shows that modern browsers are not yet prepared for such an attack.
Mini logos for a better overview
Favicons seem harmless at first glance. If you are looking for a particular website between dozens of different browser tabs or in a long list of bookmarks, the website owner’s tiny logos offer a visual aid to quickly find the desired page. Favicons are popular with both users and webmasters: According to a study by the University of Illinois researchers 94 percent of the most popular websites use favicons to give their readers better orientation.
But with the upcoming end of third-party cookies, browser fingerprinting is becoming more explosive again, as users can be recognized unnoticed based on their browser characteristics. In the study, three researchers identified the favicons as an easy way to uniquely identify users.
Trick: Different icons on subdomains
Favicons had already been noticed in the past as a possible target of attack on users’ private data. So you can use the favicons stored in the browser cache to see which websites a user has accessed. The sometimes long lifespan of the favicons in the cache sometimes reveals data that was suspected to have been deleted for a long time.
The newly introduced tracking method also makes use of the browser cache. The servers cannot see the browser memory. But it is possible to draw conclusions from whether or not a favicon is accessed. If such a logo is already in the browser memory, it is usually not retrieved from the browser again.
Lots of favicons, unique identification
In order to transform the favicons into a kind of “super-cookie”, a trick is required: From the loading or not loading of a single favicon one cannot draw any conclusions that enable the identification of a user. However, the researchers found that when they visited a website they were able to store a large number of favicons in the browser cache by integrating redirects to subdomains. In order to identify users when they visit again, the server muted itself and waited for the browser to query which favicons.
This simple method was remarkably effective. Not only was it possible to identify users of Chrome, Safari and Edge, the privacy-friendly browser Brave also betrayed its users. Even more: anti-tracking measures, incognito mode, the targeted deletion of the browser history or the use of a VPN brought no improvement. Firefox users turned out to be unidentifiable in the practical test – but not because of a superior anti-tracking technology, but because the browser cache was not used at all due to a bug, contrary to the developer documentation.
The accuracy of the identification can be increased at will, but an attacker needs time for this. With a desktop browser, it was possible to load a twelve-bit ID into the browser cache in an average of just one second; reading it out took twice as long. With mobile browsers, the time required is doubled again. According to the researchers, it took about four seconds for a clear identification. However, this value can be reduced by combining favicon tracking with other fingerprinting techniques.
To prevent this attack, the researchers recommend that browser manufacturers make some improvements. In Incognito mode you should no longer route favicons to the browser cache. Another method would be to link the storage of the favicon to the storage of cookies: If cookies are set, fingerprinting techniques are unnecessary. Preventing automatic redirects within a website call could also help. In the past, browser manufacturers repeatedly prevented access to browser data in order to prevent the hidden identification of users.