Hiding your digital footprint and keeping your information away from trackers is already hard, and there is now a new trick that could be used to follow you across the internet. Software designer Jonas Strehle has shown that browser favicons can be abused as a persistent tracking identifier. The favicon itself does not steal your credit card number, name, address or phone number; what it does is let a site recognise you again after you thought you had become anonymous, so that any such details you have already handed over can be linked back to you.
What makes this dangerous is that it slips past the privacy measures people commonly rely on: a VPN (the identifier is not tied to your IP address), clearing cookies and site data (the favicon cache is stored separately and is not cleared with them) and, according to Strehle, even incognito tabs. Here is what we know about this technique, which could be exploited to build a profile of you.
What are favicons?
Pronounced “fave-icons” (short for favourite icons), these are the small icons that carry a website’s branding. For example, Wikipedia has a “W” as its favicon, YouTube uses its logo, and we use our logo as Fossbytes’ favicon. The main purpose of a favicon is to serve as a visual marker and help users find the right tab when many tabs are open.
How can hackers use favicons to track you on the internet?
Strehle calls the resulting tracking identifier a Supercookie. Unlike a normal cookie, which travels back and forth in HTTP headers and can be deleted from the browser’s cookie settings, a supercookie lives somewhere the user does not normally see or clear, and is reconstructed from the browser’s own behaviour every time the site needs it. Here, that hiding place is the favicon cache.
To let browsers show favicons quickly, they are kept in a dedicated local database on the system, the favicon cache (F-Cache). Each entry records which URL the favicon belongs to (subdomain, domain, route and URL parameters), the favicon ID and a time to live (TTL) after which the entry expires. That is exactly what makes it useful for tracking: the cache remembers which pages on a site this browser has already loaded.
When a user visits a URL, the browser first checks the F-Cache for that page’s favicon. Only if no entry exists does it send a GET request for the icon. A web server can therefore tell, for any path it controls, whether this browser has been there before: a request means “never seen”, silence means “already cached”. By deliberately serving an icon on some paths and not on others during a first visit, and later redirecting the browser through the same set of paths and watching which ones trigger a request, the server can write and later read back a unique identification number, one bit per path.
“So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent. By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client,” writes Strehle on Github.
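To make the write/read cycle concrete, here is a small simulation. It is an added example, not Strehle’s code or the research paper’s: it models a browser’s favicon cache and a tracking server that encodes one bit of a client ID per URL path, and it runs stand-alone under Node.js. The eight-path ID width, the sequential ID counter, the path names `/p0`..`/p7` and the one-year TTL are all assumptions made for the demo; real browsers differ in details such as whether a failed favicon lookup is itself remembered.

```javascript
// Added example, not Strehle's code: a self-contained simulation of the
// favicon "supercookie" described above. It models a browser's favicon
// cache (F-Cache) and a tracking server that encodes one bit of a client
// ID per URL path. The names, path scheme and ID counter are assumptions.

const ID_BITS = 8; // assumption: an 8-bit ID, i.e. 8 redirect paths

// Simulated browser. Only the F-Cache matters for the attack; the cookie jar
// is included to show that clearing it leaves the favicon cache untouched,
// which is the behaviour the article describes.
class FakeBrowser {
  constructor() {
    this.fcache = new Map();   // path -> { ttl } : the favicon cache
    this.cookies = new Map();  // ordinary cookies, cleared by the user at will
  }
  // Load one page. Returns true if a favicon GET was sent to the server.
  visit(server, path) {
    if (this.fcache.has(path)) return false;       // cached: server sees nothing
    const status = server.faviconRequest(path);    // GET <path>/favicon.ico
    if (status === 200) this.fcache.set(path, { ttl: 365 * 24 * 3600 });
    return true;
  }
  clearCookies() { this.cookies.clear(); }         // does not touch this.fcache
}

// Tracking server. During a client's first visit it "writes" an ID by serving
// an icon only on the paths whose bit is 1; on later visits it "reads" the ID
// back by observing which paths still cause favicon requests (the 0 bits).
class TrackingServer {
  constructor(bits = ID_BITS) {
    this.bits = bits;
    this.nextId = 1;           // assumption: sequential IDs
    this.phase = null;         // per-visit state, set by handleVisit
  }
  bitPaths() {
    return Array.from({ length: this.bits }, (_, i) => `/p${i}`);
  }
  // Handle a favicon GET. "/" is the landing page: its icon is always served,
  // so a request for it can only come from a browser that has never been here.
  faviconRequest(path) {
    if (path === '/') return 200;
    const i = Number(path.slice(2));
    if (this.phase.mode === 'write') {
      return (this.phase.id >> i) & 1 ? 200 : 404;   // 1 -> cache it, 0 -> leave empty
    }
    this.phase.seen.add(i);                          // read: a request reveals a 0 bit
    return 404;                                      // never change the cache while reading
  }
}

// One full page visit: land on "/", then get redirected through every bit path.
function handleVisit(server, browser) {
  server.phase = { mode: 'read', seen: new Set() };
  const isNew = browser.visit(server, '/');
  if (isNew) server.phase = { mode: 'write', id: server.nextId++ };
  for (const p of server.bitPaths()) browser.visit(server, p);
  if (isNew) return { newClient: true, id: server.phase.id };
  let id = (1 << server.bits) - 1;                    // start from all ones...
  for (const i of server.phase.seen) id &= ~(1 << i); // ...and clear every observed 0 bit
  return { newClient: false, id };
}

// Demo: two browsers; Alice clears her cookies between visits and is still recognised.
function demo() {
  const server = new TrackingServer();
  const alice = new FakeBrowser();
  const bob = new FakeBrowser();
  const firstAlice = handleVisit(server, alice);
  const firstBob = handleVisit(server, bob);
  alice.clearCookies();
  const againAlice = handleVisit(server, alice);
  const againBob = handleVisit(server, bob);
  return { firstAlice, firstBob, againAlice, againBob };
}

console.log(demo());
```

Running the demo shows Alice assigned ID 1 and Bob ID 2 on their first visits, and both IDs read back unchanged afterwards even though Alice emptied her cookie jar. Only emptying `fcache` (the favicon cache itself) makes a browser look like a new client again, which is the point the article makes about why ordinary cookie clearing does not help.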
Strehle says that all major browsers, including Chrome, Firefox, Safari and Edge, are vulnerable to the Supercookie attack. Mobile browsers could also be targeted under this threat model.
He has written in detail about how this attack works on his own website. It is important to know that this is a proof-of-concept and not a vulnerability Strehle spotted in the wild. He started investigating after reading a research paper titled “Tales of F A V I C O N S and Caches: Persistent Tracking in Modern Browsers”. (Unfortunately, the link to the research paper wasn’t working at the time of writing.)
How to protect yourself from the favicon supercookie attack?
Sadly, there is no reliable way for users to avoid this attack right now. Strehle says the only real fix is a change to how browsers cache favicons, which only browser vendors can make (for instance, treating the favicon cache like other site data when the user clears it). He has shared the details of the threat model with the popular browser vendors.