The prospect of web users being tracked by the sites they visit has led to several countermeasures over the years, including using Privacy Badger or an alternative anti-tracking extension, enabling private or incognito browsing sessions, or clearing cookies. Now websites have a new way to beat all three.
The technique uses favicons, the small icons that websites display in users’ browser tabs and bookmark lists. Researchers from the University of Illinois, Chicago, said in a new paper that most browsers cache the images in a different location than the ones used to store site data, browsing history and cookies. Websites can take advantage of this arrangement by loading a series of favicons in visitors’ browsers that uniquely identify them over an extended period of time.
Powerful Tracking Vector
“While favicons have long been considered a simple decorative resource supported by browsers to facilitate website branding, our research shows that they introduce a powerful tracking vector that poses a significant threat to user privacy,” the researchers wrote. . They continued:
The attack workflow can be easily implemented by any website, without the need for user interaction or permission, and works even when popular anti-tracking extensions are used. To make matters worse, the peculiar caching behavior of modern browsers lends a particularly egregious feature to our attack, as resources in the favicon cache are used even when browsing in incognito mode due to improper isolation practices in all major browsers.
The attack works against Chrome, Safari, Edge and until recently Brave, which developed an effective countermeasure after receiving a private report from the researchers. Firefox is also said to be sensitive to the technique, but a bug prevents the attack from working at the moment.
Favicons provide users with a small icon that can be unique to each domain or subdomain on the Internet. Websites use them to help users more easily identify the pages currently open in browser tabs or stored in bookmarked lists.
Browsers cache the icons so that they don’t have to request them again and again. This cache is not cleared when users clear their browser cache or cookies, or when they switch to a private browsing mode. A website can exploit this behavior by storing a specific combination of favicons when users first visit them, then checking for those images when users visit the site again, allowing the website to identify the browser even when users have taken active measures to prevent tracking.
Browser tracking has been a concern since the advent of the World Wide Web in the 1990s. When it became easy for users to clear browser cookies, websites came up with other ways to identify visitors’ browsers.
One such method is known as device fingerprinting, a process that collects the screen size, list of available fonts, software versions, and other properties of the visitor’s computer to create a profile that is often unique to that machine. A 2013 survey found that 1.5 percent of the world’s most popular sites adopt the technology. Device fingerprints can work even if people use multiple browsers. In response, some browsers have attempted to curb tracking by blocking fingerprint scripts.
Two seconds is all it takes
Websites can exploit the new favicon side channel by sending visitors through a series of subdomains — each with its own favicon — before being delivered to the page they requested. The number of redirects required depends on the number of unique visitors a site has. To track 4.5 billion unique browsers, a website would need 32 redirects, as each redirect translates to 1 bit of entropy. That would add about 2 seconds to the time it takes to load the last page. Tweaks allow websites to reduce lag.
The newspaper explains it this way:
Taking advantage of all these properties, we demonstrate a new persistent tracking mechanism that allows websites to re-identify users during visits, even if they are in incognito mode or have cleared client-side browser data. Specifically, websites can create and store a unique browser ID through a unique combination of items in the favicon cache. To be more precise, this tracking can be easily performed by any website by redirecting the user accordingly through a series of subdomains. These subdomains serve different favicons and thus create their own items in the Favicon Cache. Accordingly, a set of N subdomains can be used to create an N-bit identifier, which is unique to each browser. Since the attacker controls the website, they can force the browser to visit subdomains without user intervention. In essence, the presence of the cached subdomain favicon corresponds to a value of 1 for the ith bit of the identifier, while its absence indicates a value of 0.
The researchers behind the findings are: Konstantinos Solomos, John Kristoff, Chris Kanich and Jason Polakis, all of the University of Illinois, Chicago. They will present their research at the NDSS Symposium next week.
A Google spokesperson said the company is aware of the investigation and is working on a solution. An Apple representative, meanwhile, said the company is investigating the findings. Ars also contacted Microsoft and Brave, neither of whom directly commented on this message. As mentioned above, the researchers said Brave has introduced a countermeasure that prevents the technique from being effective, and other browser makers said they were working on fixes.
Until fixes are available, people who want to protect themselves should investigate the effectiveness of disabling the use of favicons. Searches here, here, and here list steps for Chrome, Safari, and Edge, respectively.