Researchers warn against tracking via favicons in cached browsers

Researchers at the University of Chicago warn of a method of tracking users on the Internet using favicons. These are icons that domains provide to make them easily identifiable in the interface.

The researchers claim that a malicious domain stores a specific combination of favicons on a user’s machine and tracks them. The favicons are stored in a cache in several popular browsers that is not emptied or sidelined in private browsing. This allows a domain to track a specific user, even if they block cookies, thwart private browsing, and other fingerprinting techniques. Browsers report the presence of a relevant cached favicon to the website they are visiting in order to save bandwidth.

A rogue website puts a certain combination of favicons on a target’s system, which makes them recognizable on a repeat visit. The greater the amount of visitors a website has, the more different favicons and redirects along subdomains with favicons are needed. However, even with a website that has to track nearly 4.3 billion unique browsers, 32 redirects are enough. According to a calculation example of the researchers, this can be done in two seconds.

The researchers have notified the makers of the affected browsers. Those are Chrome, Safari, and Edge. Google says it is already working on a fix, Apple says it is looking at the findings of the investigation and Microsoft was not available on time, according to Ars Technica. The Brave Browser was also susceptible, but the makers of that browser fixed the vulnerability. Firefox actually belongs in the list of affected browsers, but due to a bug the exploit does not work with that browser. As a workaround, users could disable favicons, although one should make sure that they are not actually saved and not just not shown in the interface.