Web Tracking Using Favicon

Ever heard of using the favicon to track users?

veenit shukla
3 min read · Mar 21, 2021

We all know websites love tracking their users for data and patterns so that they can predict us better, better than our own family and friends. As honest customers, we install browsers, extensions, and VPNs, and we clear the cache. We succeed to some extent, but these deep-pocketed companies find alternative ways to track the user, and a newly found vulnerability uses the simple favicon. Yes, you heard it right: the small icon beside the title of the page is being used for tracking. Researchers from the University of Illinois at Chicago found the vulnerability, which cannot be defeated by clearing cookies, using VPNs, or browsing in incognito mode. With this method, a site can uniquely identify the devices using its services.

Favicon Icon of Google

How does it work?

Device fingerprinting, or identification, works by combining attributes such as the screen size, installed add-ons, and language preference to uniquely identify the device. In this case, the unique identifier is built by exploiting basic web browser behavior: each time a web browser loads a website, it automatically issues a server request to find the favicon and downloads it to its cache. But instead of just responding with a single favicon, the tracking server redirects the web browser through a series of sub-domains. Each sub-domain can have its own unique favicon. The server uses these sub-domains to create a unique tracking ID by issuing a favicon on only some of the redirects. The browser downloads each assigned favicon to its cache. Assuming the combination of redirecting sub-domains and favicons is different for each visitor to the tracking website, each browser is assigned a unique ID through the unique set of favicons saved in its cache. When the website sees a returning visitor, it redirects the browser through all the sub-domains to see which favicons the browser has to download and which are already cached. The visitor can then be identified by the favicons they didn’t download.

The number of redirecting sub-domains needed for tracking depends on the number of visitors a website has. Each redirection adds 1 bit of information to the identifier, so 32 bits will allow a website to fingerprint 4.3 billion browsers. Reconstructing a 32-bit identifier would take about 2 seconds, according to the researchers. Only a handful of popular websites load within 5 seconds, so most users probably wouldn’t notice the extra delay anyway. The redirects can happen at the initial page load, or they may be hidden behind an animation driven by JavaScript on the frontend, or behind a dialog box with some information, so that the website gets extra time to find the unique ID.

Can we prevent this?

We cannot stop this type of fingerprinting by clearing the history or the cache, because the web browser stores favicons in a special cache called the f-cache, which is usually never deleted. All browsers were affected except Mozilla Firefox. Firefox never properly used the favicon cache: it always downloaded the image regardless of whether it was in the cache. After the researchers published the paper, the Brave browser made changes, and Brave now automatically clears the favicon cache. The Chrome and Safari teams are still working on the issue, while the Microsoft Edge team considers it a non-Microsoft issue that stems from the underlying Chromium engine. Until the issue is fixed, users can install extensions.
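The write and read phases described under "How does it work?", together with the mitigations mentioned above, as an added in-memory simulation that is not code from the article or the researchers' paper. The class, function and host names (`tracker.example`) are hypothetical, and the sample identifier is constructed.

```javascript
// Added, in-memory simulation; every name here is hypothetical.
const BITS = 32;               // one redirect sub-domain per identifier bit
const CAPACITY = 2 ** BITS;    // 4294967296 distinct identifiers (about 4.3 billion)
const host = (i) => `s${i}.tracker.example`; // constructed sub-domain names

class Browser {
  constructor({ usesFaviconCache = true } = {}) {
    this.usesFaviconCache = usesFaviconCache; // false models Firefox re-fetching every time
    this.cookies = new Map();
    this.fcache = new Set();                  // favicon cache, stored apart from cookies
  }
  // Returns true when a favicon request reaches the server for this host.
  visit(hostname, serverSendsIcon) {
    if (this.usesFaviconCache && this.fcache.has(hostname)) return false;
    if (this.usesFaviconCache && serverSendsIcon) this.fcache.add(hostname);
    return true;
  }
  clearCookiesAndHistory() { this.cookies.clear(); } // leaves fcache untouched
  clearFaviconCache() { this.fcache.clear(); }       // what Brave now does automatically
}

// Write phase: a favicon is served only on the redirects whose bit is 1.
function writeId(browser, id) {
  for (let i = 0; i < BITS; i++) browser.visit(host(i), ((id >>> i) & 1) === 1);
}

// Read phase: no icons are served; a missing request means "already cached", i.e. bit 1.
function readId(browser) {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    if (!browser.visit(host(i), false)) id |= 1 << i;
  }
  return id >>> 0; // back to an unsigned 32-bit value
}

// Does the identifier survive a given user action between two visits?
function survives(browser, id, action) {
  writeId(browser, id);
  action(browser);
  return readId(browser) === id;
}

const SAMPLE_ID = 0xC0FFEE42; // constructed value
console.log({
  afterClearingCookies: survives(new Browser(), SAMPLE_ID, (b) => b.clearCookiesAndHistory()),
  afterClearingFcache: survives(new Browser(), SAMPLE_ID, (b) => b.clearFaviconCache()),
  firefoxLike: survives(new Browser({ usesFaviconCache: false }), SAMPLE_ID, () => {}),
});
```

The identifier is recovered only in the first case; once the favicon cache is cleared or never consulted, every sub-domain sees a request and the read phase returns zero.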

Conclusion

Although the researchers didn’t find any company exploiting this, companies could use it in the future for their own benefit. To browse safely, always check the options that are enabled by default and the modes that hide your data and stop it from being shared.
