Favicons May be Used to Track Users
An Anonymous Coward writes:
Favicons may be used to track users:[*]
The research paper Tales of FAVICONS and Caches: Persistent Tracking in Modern Browsers highlights that favicons may be used in conjunction with fingerprinting techniques to track users.
Favicons are used by sites to display a small site icon, e.g. in the address bar of browsers that support it but also elsewhere, e.g. in the bookmarks or tabs. Favicons are cached by the browser, but are stored independently from other cached items such as HTML files or site images.
[...] In other words: favicons persist over browsing sessions even if the user clears the cache, and they are accessible even in private browsing or Incognito mode sessions.
A single favicon is not enough to identify users based on it, but the researchers discovered a way to plant multiple favicons in the favicon cache. The site does a series of redirects through several subdomains to save multiple different favicons in the cache. Each saved favicon creates its own entry in the cache, and all of them together can be used to identify users provided that enough favicons are saved using the methodology.
[...] The researchers tested the attack against the Chromium-based browsers Google Chrome, Brave, Safari and Microsoft Edge, and found them all vulnerable to the attack. They did try the attack on Firefox but found a bug that prevented the browser from reading cached favicon entries. Once fixed, Firefox would likely be vulnerable to the attack as well.
Journal Reference:
Konstantinos Solomos, John Kristoff, Chris Kanich, Jason Polakis. Tales of FAVICONS and Caches: Persistent Tracking in Modern Browsers [FREE]. Network and Distributed Systems Security (NDSS) Symposium 2021, 21-24 February 2020, San Diego, CA (DOI: https://dx.doi.org/10.14722/ndss.2021.24202)
[*] archived copy.
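
An added example, not taken from the paper or the quoted article: a defender-side check that scans a network log for the pattern described above, one tab redirected through several subdomains of a single site with a favicon fetched from each. The record layout, host names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (all hosts made up), shaped like a proxy or
# browser network log: time in seconds, tab id, host, resource kind, HTTP status.
SAMPLE_LOG = [
    (0.0, 1, "www.shop.example", "document", 200),
    (0.1, 1, "www.shop.example", "favicon", 200),
    (0.2, 1, "img.shop.example", "image", 200),
    (5.0, 2, "site.example", "document", 302),
    (5.1, 2, "s1.site.example", "document", 302),
    (5.2, 2, "s1.site.example", "favicon", 200),
    (5.3, 2, "s2.site.example", "document", 302),
    (5.4, 2, "s2.site.example", "favicon", 200),
    (5.5, 2, "s3.site.example", "document", 302),
    (5.6, 2, "s3.site.example", "favicon", 200),
    (5.7, 2, "s4.site.example", "document", 200),
    (5.8, 2, "s4.site.example", "favicon", 200),
]


def parent_domain(host):
    # Assumption: the last two labels form the registrable domain. Production
    # code should consult the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])


def favicon_redirect_chains(log, min_hosts=3, window=10.0):
    """Return {(tab, parent): [hosts]} where one tab was redirected through at
    least min_hosts distinct hosts of one parent domain, each of which also
    had its favicon fetched, with the redirects within `window` seconds."""
    redirected = defaultdict(dict)  # (tab, parent) -> {host: time of first 3xx}
    icon_hosts = defaultdict(set)   # (tab, parent) -> hosts with a favicon fetch
    for t, tab, host, kind, status in log:
        key = (tab, parent_domain(host))
        if kind == "document" and 300 <= status < 400:
            redirected[key].setdefault(host, t)
        elif kind == "favicon":
            icon_hosts[key].add(host)
    findings = {}
    for key, hosts in redirected.items():
        both = sorted(h for h in hosts if h in icon_hosts[key])
        if len(both) < min_hosts:
            continue
        times = [hosts[h] for h in both]
        if max(times) - min(times) <= window:
            findings[key] = both
    return findings
```

The ordinary visit in tab 1 is not reported; the chain in tab 2 is, and raising `min_hosts` trades missed short chains for fewer false positives on sites that legitimately redirect between subdomains.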