Favicons are one of those things that basically every website uses but no one thinks about. When you’ve got 100 tabs open, the little icon at the start of every browser tab provides a logo for the window you’ve opened. Twitter uses the little blue bird, Gmail is a red mail icon, and Wikipedia is the bold W. It’s a convenient shorthand that lets us all navigate our impossible tab situation.
According to a researcher, though, these icons can also be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online.
The tracking method is called a Supercookie, and it’s the work of German software designer Jonas Strehle.
“Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user,” Strehle said on his Github. “The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers.
Strehle’s Github explained that he became interested in the idea of using favicons to track users after reading a research paper on the topic from the University of Illinois at Chicago.
“The complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries,” the paper explained. “In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons.”
To be clear, this is a proof-of-concept and not something that Strehle has found out in the wild. Strehle’s supercookie program (which uses a Cookie Monster favicon) is a proof of the concept described by the university researchers.
“The favicons must be made very easily accessible by the browser. Therefore, they are cached in a separate local database on the system, called the favicon cache (F-Cache),” Strehle’s site said.
The F-Cache entries include a wealth of data about where a user has been, all in service of delivering a quick little icon to your browsing window.
“When a user visits a website, the browser checks if a favicon is needed by looking up the source of the shortcut icon link reference of the requested webpage,” Strehle said. “The browser initially checks the local F-cache for an entry containing the URL of the active website. If a favicon entry exists, the icon will be loaded from the cache and then displayed. However, if there is no entry, for example because no favicon has ever been loaded under this particular domain, or the data in the cache is out of date, the browser makes a GET request to the server to load the site's favicon.”
This data allows a web server to figure out quite a bit about its visitor. “By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client,” Strehle said. “When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.”
Strehle has set up a website that demonstrates how easy it is to track a user online using a favicon. He said it’s for research purposes, has released his source code online, and detailed a lengthy explanation of how supercookies work on his website.
The scariest part of the favicon vulnerability is how easily it bypasses traditional methods people use to keep themselves private online. According to Strehle, the supercookie bypasses the “private” mode of Chrome, Safari, Edge, and Firefox. Clearing your cache, surfing behind a VPN, or using an ad-blocker won’t stop a malicious favicon from tracking you.
The researchers at the University of Illinois came to similar conclusions. “We find that combining our favicon-based tracking technique with immutable browser-fingerprinting attributes that do not change over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds,” they said. “Due to the severity of our attack we propose changes to browsers’ favicon caching behavior that can prevent this form of tracking, and have disclosed our findings to browser vendors who are currently exploring appropriate mitigation strategies.”