Favicons may be used to track users

Martin Brinkmann
Jan 22, 2021
Internet, Security

Security researchers of the University of Illinois at Chicago have discovered a new method to track Internet users that is persistent across sessions, even if users clear cookies and the browsing cache.

The research paper Tales of F A V I C O N S and Caches: Persistent Tracking in Modern Browsers (NDSS 2021) shows that favicons can be used on their own, and in conjunction with fingerprinting techniques, to track users.

Favicons are used by sites to display a small site icon, e.g. in the address bar of browsers that support it, but also elsewhere, e.g. in bookmarks or tabs. Browsers cache favicons, but they store them separately from other cached items such as HTML files or site images.

Users who use the browser's built-in functionality to clear the cache get those cached files removed from storage, but not the favicons. In other words: favicons persist across browsing sessions even if the user clears the cache, and in the browsers the researchers tested they were accessible even in private browsing or Incognito mode sessions.

Browsers detect and cache the favicons of sites automatically, and a site needs only a single line of HTML (a link tag with rel="icon") to specify its favicon.

A single favicon is not enough to identify a user, but the researchers found a way to plant multiple favicons in the favicon cache. The site sends the browser through a series of redirects across several of its subdomains, and for each subdomain it either serves a favicon (which gets cached) or withholds it. Each served favicon creates its own cache entry. On a later visit the site runs the browser through the same subdomains and watches which favicons it requests: the browser only asks for icons it has no entry for, so the pattern of requests and non-requests reads back the stored bits. With enough subdomains, the entries together form a unique identifier.

Redirects happen without any user interaction as everything is controlled by the site in question.
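The write/read scheme described above, as an added example that is not code from the paper or from this article. It is a self-contained model: the hostnames (tracker.example and one b&lt;i&gt; subdomain per bit), the 32-bit identifier width, the ID allocator and the convention that a 404 encodes a 0 bit are all assumptions made for illustration. The real attack runs the same logic over HTTP redirects against a real browser.

```javascript
"use strict";
// Added example, not code from the paper or from this article: a self-contained
// model of the favicon-cache write/read scheme. Hostnames, the 32-bit identifier
// width, the ID allocator and the "404 means bit 0" convention are assumptions.

const N_BITS = 32;
const BASE_HOST = "tracker.example";           // assumed tracker domain
const bitHost = (i) => `b${i}.${BASE_HOST}`;   // one subdomain per identifier bit

// ---- tracker (server side) ------------------------------------------------
class TrackerServer {
  constructor() {
    this.nextId = 0x1000;  // assumed allocator; any unique 32-bit value works
    this.mode = "read";    // "write" only while a first-time visitor is redirected
    this.plan = new Map(); // host -> true (serve icon) / false (404), per write pass
  }

  // Write pass plan: bit i of `id` set => the favicon at b{i} is served and
  // therefore cached; bit i clear => 404, so that subdomain gets no cache entry.
  writePlan(id) {
    const plan = new Map();
    for (let i = 0; i < N_BITS; i++) plan.set(bitHost(i), ((id >>> i) & 1) === 1);
    return plan;
  }

  // Read pass decode: the browser requests an icon only for hosts it has no entry
  // for, so a request for b{i} means bit i was never written (0); silence means 1.
  decode(requestedHosts) {
    let id = 0;
    for (let i = 0; i < N_BITS; i++) {
      if (!requestedHosts.has(bitHost(i))) id = (id | (1 << i)) >>> 0;
    }
    return id;
  }

  // Favicon endpoint. The base host always has an icon; subdomains serve one only
  // during a write pass, so a read pass never pollutes the cache with new entries.
  favicon(host) {
    if (host === BASE_HOST) return { status: 200 };
    return { status: this.mode === "write" && this.plan.get(host) ? 200 : 404 };
  }

  // One page load plus the redirect chain. A request for the base favicon means a
  // first visit (write mode); its absence means the icon is cached from an earlier
  // visit (read mode). State is global here; a real tracker keys it per client.
  session(browser) {
    const requested = new Set();
    browser.visit(BASE_HOST, this, requested);
    if (requested.has(BASE_HOST)) {
      const id = this.nextId++ >>> 0;
      this.mode = "write";
      this.plan = this.writePlan(id);
      for (let i = 0; i < N_BITS; i++) browser.visit(bitHost(i), this, requested);
      this.mode = "read";
      return { mode: "write", id };
    }
    const seen = new Set();
    for (let i = 0; i < N_BITS; i++) browser.visit(bitHost(i), this, seen);
    return { mode: "read", id: this.decode(seen) };
  }
}

// ---- browser (client side) ------------------------------------------------
class Browser {
  constructor() {
    this.faviconCache = new Set();  // keyed by host; survives "clear browsing data"
    this.httpCache = new Map();
    this.cookies = new Map();
  }
  // Loading a page on `host`: fetch the favicon only if no entry exists for the
  // host, and create an entry only on a 200.
  visit(host, server, requested) {
    this.httpCache.set(host, "page body");
    if (this.faviconCache.has(host)) return;
    requested.add(host);
    if (server.favicon(host).status === 200) this.faviconCache.add(host);
  }
  // The behaviour the paper exploits: clearing data leaves the favicon cache alone.
  clearBrowsingData() {
    this.httpCache.clear();
    this.cookies.clear();
  }
}

// End to end: the first visit writes an ID, the user clears data, the next visit reads it.
function demo() {
  const server = new TrackerServer();
  const browser = new Browser();
  const first = server.session(browser);   // { mode: "write", id }
  browser.clearBrowsingData();
  const second = server.session(browser);  // { mode: "read", id }
  return { first, second, survived: first.id === second.id };
}

console.log(demo());
```

Run it with node to see the identifier written on the first session survive clearBrowsingData() and come back from the second. The model also shows why the read pass must answer 404 for every subdomain icon: serving an icon there would write a new bit into a cache that is never cleared, corrupting the stored identifier.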

The researchers tested the attack against Google Chrome, Safari, Microsoft Edge and Brave (Chrome, Edge and Brave are Chromium-based; Safari is WebKit-based) and found all four vulnerable. They also tried the attack on Firefox but hit a bug that prevented the browser from reading cached favicon entries. Once that bug is fixed, Firefox would likely be vulnerable to the attack as well.

The attack takes a bit of time according to the research paper, but the researchers expect that optimizations can improve its performance. They write:

"We find that combining our favicon based tracking technique with immutable browser-fingerprinting attributes that do not change over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds."

The researchers suggest several mitigations and counter-measures, all of which require browser makers to change how favicons are cached and served; there is nothing a site can do on its own to opt users out.

Now You: What is your take on this new tracking method?

Publisher
Ghacks Technology News
Comments

  1. Magnus Frater said on January 25, 2021 at 1:54 am
    Reply

    Android emojis also list last website visited in their metadata. It served some function early in the development of emojis and was still active the last time I had a smart phone to examine, which admittedly was a while ago, but if you have a poke around it’s probably still active. Another simple and easy way to track website history through metadata, so if you are a government that is not already employing this method, get good.

  2. ron said on January 23, 2021 at 7:53 pm
    Reply

    No such thing as a favicon on my Vivaldi browser configured to block trackers, ads and 3rd party cookies

  3. snail said on January 23, 2021 at 6:22 am
    Reply

    They also make your exported bookmarks.html file huge. Just open your bookmarks.html file with a text editor and see for yourself.

    1. tratata said on January 25, 2021 at 9:02 am
      Reply

      Funny thing that despite storing favicons in exported bookmarks, Firefox does not display them, or at least not all of them, when you import it and requires sites to be visited at least once to show their favicon in bookmarks. At least it works like that for me.

  4. Richard Allen said on January 23, 2021 at 5:01 am
    Reply

    Well… considering that most visitors to this website are much more tech savvy than the average person I’m sure that I’m in the minority when I say that I just Don’t Care about the possibility of favicons being used by what is in all likelihood a minuscule number of websites, if any.

    I’m already blocking tracking headers, etags, 3rd party cookies. Except for four websites, all cookies and site data get deleted after each session. Not going to get into all the changes I’ve made with about:config in FF. And because I often have a dozen or more tabs open, doing without favicons on the tabs is a downgrade when it comes to “ease of use”.

    When using any browser my priorities are security, performance, ease of use and appearance. Sorry, I don’t do ugly!! LoL

    I do a lot to prevent tracking but I also don’t expect that it will all be prevented. I’m happy just making it very difficult. I occasionally use a VPN, multiple modified browsers and no social media so I’m doing better than the average sheep. That’s good enough for me. ;)

  5. Robert said on January 23, 2021 at 2:11 am
    Reply

    I use Privazeer to custom delete favicons in Firefox due to this privacy issue. Another quick way is to create a shortcut to your Firefox profile page on the desktop and just delete the favicons file as it will get automatically regenerated the next time Firefox is started. I never knew about the about:config option though!

  6. ULBoom said on January 23, 2021 at 1:46 am
    Reply

    I guess something has to replace Flash Cookies or whatever they were called. The “bug” in FF, if I remember correctly, is Windows preventing favicons in FF. Not sure if that’s not an urban legend since I can see all the favicons FF saves in their sqlite file. I can make favicons for saved links but favicons don’t matter much to me.

    Really, just add this to list of the many ways to track users. If it can be done with one pixel, favicon tracking is comparatively primitive. Many of these tracking methods seem like “Look what I can do!” Are they used? MS clearly does nothing to improve Windows with all the data they collect.

    My shield and lock “favicons” are just fine!
    :)

  7. Dave said on January 22, 2021 at 11:55 pm
    Reply

    People told me I was crazy when I brought this up a few years back :(

  8. some1 said on January 22, 2021 at 7:19 pm
    Reply

    Is this relevant?

    Firefox is resistant to new favicon-fingerprinting—not because of some superior anti-tracking mechanism, but rather due to a bug.

    https://www.reddit.com/r/firefox/comments/l0fjbl/firefox_is_resistant_to_new/

    https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf

    https://pdfhost.io/v/OWS.b9A4U_solomosndss21pdf.pdf

  9. asd said on January 22, 2021 at 6:18 pm
    Reply

    This doesn’t surprise me in the least. It’s pretty embarrassing how much shit is left behind in supposed ‘private/incognito’ modes, on both Firefox and Chromium based browsers.

  10. Henk said on January 22, 2021 at 5:06 pm
    Reply

    I’ve always found favicons completely unnecessary space-consumers anyway. So if you use Firefox and if you happen to share this view, you can do the following, based partly on Martin’s own Ghacks post “How To Remove Favicons In Firefox Bookmarks” from May 11, 2009:

    (1) In Firefox about:config, set both “browser.chrome.favicons” and “browser.chrome.site_icons” to “False” and set the value of “browser.chrome.image_icons.max_size” to “0”. Note: in this case there is no real need to also edit and replace your bookmarks file, as was indicated in the mentioned Ghacks post.

    (2) For good measure, after closing Firefox, open your Firefox profile folder and delete the favicons cache (the file “favicons.sqlite”). After restarting Firefox, Firefox will recreate a blank “favicons.sqlite” file. Close Firefox once again, and in the profile folder set the properties for this new “favicons.sqlite” file to “Read-only”.

    After this, in the bookmarks sidebar and bookmarks toolbar Firefox will show the same generic globe icon for every address, and the tabs will show no favicons at all. No more favicons will be saved.

    1. Dave said on January 23, 2021 at 12:41 am
      Reply

      Thanks Henk.

    2. Tom Hawack said on January 22, 2021 at 6:37 pm
      Reply

      @Henk, thanks for sharing but no “browser.chrome.favicons” here in Firefox 84+

      I think setting “browser.chrome.site_icons” to “false” is enough, followed by the deletion of favicons.sqlite and FF restart.

      For those who want a Mr. Clean approach, once above mentioned done :

      CTRL+SHIFT+O : show all bookmarks > Import and Backup > Backup…
      That backups all bookmarks but not favicons to a .json file
      Close Firefox then delete places.sqlite
      Open Firefox : no favicons but no bookmarks!
      CTRL+SHIFT+O : show all bookmarks > Import and Backup > Restore > Choose file… the .json one you just previously saved. Wait a few seconds and there you go : all your favs free of their favicon.

      Even without favicons I do this once in a while because places.sqlite seems to grow faster than what it contains. Cleaning it up resets its content. REMEMBER : this removes ALL favicons : proceed with caution!

  11. Iron Heart said on January 22, 2021 at 4:05 pm
    Reply

    > What is your take on this new tracking method?

    That it’s old news:

    https://stackoverflow.com/questions/16828763/use-favicon-to-track-user-visit-to-a-website

    The thread is nearly eight years old as of today. This tracking method has been known for quite some time now, but I don’t see much evidence that it’s actually used anywhere in the wild. A problem browser makers (at least those who care for privacy) have to address. A solution could be to no longer cache the .ico files, instead downloading them and discarding them again on tab close or parent domain change.

    Doesn’t seem very hard to resolve. Turning off favicons (like some privacy-enhancing Firefox configurations suggest) strikes me as a rather dumb solution to the problem, because favicons help with identifying tabs / the website associated with the tab. Without them, there would be chaos even with a moderate tab count.

    1. Iron Heart said on January 27, 2021 at 2:21 pm
      Reply

      EDIT:

      Brave has already fixed that months ago, I was unaware of it:

      https://github.com/brave/brave-core/pull/6435

      The best browser strikes again, and fights this tracking method by default.

  12. Maelish said on January 22, 2021 at 3:35 pm
    Reply

    This isn’t new, it’s been known for years. In fact, their sources go back to at least 2014.

  13. Thorky said on January 22, 2021 at 3:20 pm
    Reply

    Firefox: about:config

    browser.chrome.site_icons = false

    No loading of favicons anymore.

    1. asdasdsa said on February 2, 2021 at 3:50 am
      Reply

      Couldn’t the website detect that ‘you’re that guy who fiddled with his favicon browser settings’?

      1. boo boo said on April 7, 2021 at 7:13 am
        Reply

        nah. the browser would just *not* fetch a favicon. so, I don’t think so. but again, you can’t put it past them to check if there is both a webpage and favicon request and log IPs that did not request a favicon.

    2. Tom Hawack said on January 22, 2021 at 6:12 pm
      Reply

      True. I heard of this favicon treason years ago and ever since I’ve disabled all favicons in Firefox :

      // disable favicons in shortcuts
      pref("browser.shell.shortcutFavicons", false);

      // disable favicons in history and bookmarks
      pref("browser.chrome.site_icons", false);

      // disable favicons in web notifications
      pref("alerts.showFavicons", false); // Default=false

      Their absence doesn’t bother me at all, even if I recall that in the beginning I felt slightly disoriented, a normal reaction to a loss of points of reference. Besides, most favicons are so dull, badly crafted that they become hardly recognizable.

      Correlated to this favicon issue though apart : extensions dealing with sites which retrieve their favicon, mostly via Google [http://www.google.com/s2/favicons?domain=] is another call to BigG. Some extensions offer to avoid favicon retrieval (i.e. Flagfox, ‘Bookmark search plus 2’), others don’t (i.e. OpenSwitchMaps).

      Generally speaking : they won’t miss one opportunity, will they? Those [auto-censored] tracking companies must spend an extraordinary amount of time and brain to figure out where the heck they could find a new way, method to get their data, like mosquitoes our blood.

      1. Dave said on January 23, 2021 at 12:09 am
        Reply

        Nice, but how do I get rid of the bookmark favicons already saved on my system?

      2. clake said on January 23, 2021 at 4:08 pm
        Reply

        For mozilla – delete favicons.sqlite from your profile

  14. Coriy said on January 22, 2021 at 3:08 pm
    Reply

    So the question becomes, how do we block the setting / reading of favicons in browsers?
    I know there are methods in Mozilla Firefox and its variants (not that I remember them right now), but what of Google Chrome, Chromium and co?

  15. Sneaky said on January 22, 2021 at 2:57 pm
    Reply

    Sneaky.

  16. Bowain said on January 22, 2021 at 2:41 pm
    Reply

    Looks like this had been speculated about for a while
    https://stackoverflow.com/questions/16828763/use-favicon-to-track-user-visit-to-a-website

    TL;DR:
    I read in this answer to “How website can track users even after clearing browser cookies” that a user can be tracked via the website favicon:

    Favicons are a third possibility–which most browsers request before the page is loaded, so if that request is satisfied, then the client is obviously a repeat visitor.

  17. Anonymous said on January 22, 2021 at 1:53 pm
    Reply
