New Browser-Tracking Hack Works Even When You Flush Caches or Go Incognito
The prospect of Web users being tracked by the sites they visit has prompted several countermeasures over the years, including using Privacy Badger or an alternate anti-tracking extension, enabling private or incognito browsing sessions, or clearing cookies. Now, websites have a new way to defeat all three.
The technique leverages the use of favicons, the tiny icons that websites display in users’ browser tabs and bookmark lists. Researchers from the University of Illinois, Chicago said in a new paper that most browsers cache the images in a location that’s separate from the ones used to store site data, browsing history, and cookies. Websites can abuse this arrangement by loading a series of favicons on visitors’ browsers that uniquely identify them over an extended period of time.
Powerful tracking vector
“Overall, while favicons have long been considered a simple decorative resource supported by browsers to facilitate websites’ branding, our research demonstrates that they introduce a powerful tracking vector that poses a significant privacy threat to users,” the researchers wrote. They continued:
The attack workflow can be easily implemented by any website, without the need for user interaction or consent, and works even when popular anti-tracking extensions are deployed. To make matters worse, the idiosyncratic caching behavior of modern browsers lends a particularly egregious property to our attack, as resources in the favicon cache are used even when browsing in incognito mode due to improper isolation practices in all major browsers.
The attack works against Chrome, Safari, Edge, and until recently Brave, which developed an effective countermeasure after receiving a private report from the researchers. Firefox would also be susceptible to the technique, but a bug prevents the attack from working at the moment.
Favicons provide users with a small icon that can be unique for each domain or subdomain on the Internet. Websites use them to help users more easily identify the pages that are currently open in browser tabs or are stored in lists of bookmarks.
Browsers save the icons in a cache so they don’t have to request them over and over. This cache isn’t emptied when users clear their browser cache or cookies, or when they switch to a private browsing mode. A website can exploit this behavior by storing a specific combination of favicons when users first visit it, and then checking for those images when users revisit the site, thus allowing the website to identify the browser even when users have taken active measures to prevent tracking.
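To make the mechanism concrete, here is an added toy model (not code from the article or from the UIC paper) of a browser whose favicon cache survives clearing site data and is shared with incognito mode, next to a variant that keys the favicon cache on the browsing context, which is the kind of isolation that removes the signal. The slot count N_BITS, the favicon paths and the direct cache lookup standing in for "did the browser re-request this icon" are assumptions of this model.

```python
from dataclasses import dataclass, field

N_BITS = 8  # favicon "slots" the toy site uses; assumed value for the model

@dataclass
class Browser:
    isolated: bool                                # True: favicon cache keyed per browsing context
    cookies: dict = field(default_factory=dict)   # ordinary site data (cleared by the user)
    favicons: set = field(default_factory=set)    # the separate favicon cache

    def _key(self, context, path):
        # An unisolated cache ignores the context ("normal" vs "incognito"); an isolated one keys on it.
        return (context if self.isolated else "shared", path)

    def store_favicon(self, context, path):
        self.favicons.add(self._key(context, path))

    def has_favicon(self, context, path):
        return self._key(context, path) in self.favicons

    def clear_site_data(self):
        # "Clear browsing data" wipes cookies; the favicon cache is left untouched, as the article describes.
        self.cookies.clear()


def first_visit(browser, context, visitor_id):
    # The site sets a cookie and serves a favicon only for the slots whose bit is set in the id.
    browser.cookies["uid"] = visitor_id
    for i in range(N_BITS):
        if (visitor_id >> i) & 1:
            browser.store_favicon(context, f"/favicon/{i}.ico")


def identify_by_cookie(browser):
    return browser.cookies.get("uid")


def identify_by_favicons(browser, context):
    # The site infers which slots are cached from which icons the browser does not
    # fetch again; the model reads the cache directly instead of observing requests.
    return sum(1 << i for i in range(N_BITS)
               if browser.has_favicon(context, f"/favicon/{i}.ico"))
```

With an unisolated cache the id is recovered in incognito mode after site data was cleared; with the per-context cache the incognito lookup yields nothing.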
Browser tracking has been a concern since the advent of the World Wide Web in the 1990s. Once it became easy for users to clear browser cookies, websites devised other ways to identify visitors’ browsers.