A number of countermeasures have been developed over the years to mitigate tracking of internet users by the sites they visit. These include the use of Privacy Badger, clearing cookies, or an anti-tracking extension that enables private or incognito web surfing. However, sites now have a new way to counter all three of them.
The technique makes use of favicons, the tiny icons shown by sites in users' bookmark lists and browser tabs. Researchers from the University of Illinois in Chicago said in new research that the majority of browsers store the pictures in a place that is separate from those used to store cookies, site data and browsing history.
By loading favicons on visitors’ browsers that uniquely identify them over an extended period of time, websites can abuse this arrangement. "Overall, while favicons have long been considered a simple decorative resource supported by browsers to facilitate websites’ branding, our research demonstrates that they introduce a powerful tracking vector that poses a significant privacy threat to users," the researchers wrote.
The action can be implemented easily by any website, without the need for user consent or interaction, and works even when the browser has popular anti-tracking extensions. Making matters worse, the caching behavior of modern browsers provides an advantage for this type of attack. Due to improper isolation practices in all the major browsers, the favicon cache is used even when browsing in incognito mode, according to the researchers.
Chrome, Safari, and Edge are vulnerable to the attack, and until recently, so was Brave, which developed effective countermeasures after receiving a report from the researchers. Firefox would also be susceptible to the attack if not for a bug that currently prevents the technique from working.