Browser fingerprinting: favicons as “super cookies”
Source: Heise.de, added 18th Jan 2021

With a few tricks, website favicons can be turned into a kind of cookie replacement. A study by the University of Illinois in Chicago shows that modern browsers are not yet prepared for such an attack.
Mini logos for a better overview

Favicons seem harmless at first glance. If you are looking for a particular website among dozens of browser tabs or in a long list of bookmarks, the website owner's tiny logos offer a visual aid for quickly finding the desired page. Favicons are popular with both users and webmasters: According to a study by researchers at the University of Illinois, 94 percent of the most popular websites use favicons to help their readers orient themselves.
But with the pending end of third-party cookies, browser fingerprinting, in which users can be recognized unnoticed based on the features of their browser, is becoming a hot topic again. In the study, three researchers identified favicons as an easy way to uniquely identify users.
Trick: Different icons on subdomains

Favicons have attracted attention before as a possible avenue of attack on users' private data. For example, the favicons stored in the browser cache can be used to see which websites a user has accessed. Because favicons can stay in the cache for a long time, they sometimes reveal data that was thought to have been deleted long ago.
The newly introduced tracking method also makes use of the browser cache. The server cannot see the browser's cache, but it can draw conclusions from whether or not a favicon is requested. If such a logo is already in the cache, the browser usually does not request it again.
Many favicons, unique identification

To turn favicons into a kind of "super cookie", a trick is required, because the loading or non-loading of a single favicon does not allow any conclusion that would identify a user. However, the researchers found that during a visit to a website they could store a large number of favicons in the browser cache by chaining redirects to subdomains. To identify users on a return visit, the server stayed silent and waited to see which favicons the browser asked for.
This simple method was remarkably effective. Not only was it possible to identify users of Chrome, Safari and Edge; the privacy-friendly browser Brave also betrayed its users. What is more, anti-tracking measures, incognito mode, the targeted deletion of the browser history or the use of a VPN brought no improvement. Firefox users turned out to be unidentifiable in the practical test, not because of superior anti-tracking technology but because, contrary to the developer documentation, a bug meant the browser cache was not used at all.
Efficient method

The accuracy of the identification can be increased at will, but this costs an attacker time. With a desktop browser, a twelve-bit ID could be loaded into the browser cache in an average of just one second; reading it out took twice as long. With mobile browsers, the time required doubles again. According to the researchers, a unique identification took about four seconds. However, this value can be reduced by combining favicon tracking with other fingerprinting techniques.
To prevent this attack, the researchers recommend that browser manufacturers make some improvements. In incognito mode, favicons should no longer be written to the browser cache. Another approach would be to tie the storage of favicons to the storage of cookies: If cookies are set, fingerprinting techniques are unnecessary. Preventing automatic redirects within a single website visit could also help. In the past, browser manufacturers have repeatedly restricted access to browser data in order to prevent the covert identification of users.
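The caching side channel and the first two recommended mitigations can be checked in a small in-memory model. This is an added example, not code from the study or from the article; the bit convention (a cached favicon means 1), the host names under `tracker.example` and the two policy flags are assumptions made for illustration.

```javascript
const ID_BITS = 12; // ID length used in the article's timing figures

// Browser favicon cache. The two policy flags model the first two mitigations
// the researchers recommend; their names are assumptions of this example.
class FaviconCache {
  constructor({ persistInIncognito = true, clearWithCookies = false } = {}) {
    this.policy = { persistInIncognito, clearWithCookies };
    this.entries = new Set();
  }
  // Returns true when the browser would send a favicon request to the server.
  visit(host, { incognito = false, serverDelivers = true } = {}) {
    if (this.entries.has(host)) return false; // cache hit: no request
    const mayStore = !incognito || this.policy.persistInIncognito;
    if (serverDelivers && mayStore) this.entries.add(host);
    return true; // cache miss: the request is visible to the server
  }
  clearCookies() {
    if (this.policy.clearWithCookies) this.entries.clear();
  }
}

// Hypothetical host naming: one subdomain per ID bit.
const hostFor = (bit) => `b${bit}.tracker.example`;

// First visit: only subdomains whose bit is 1 are visited (assumed convention).
function writeId(cache, id, opts = {}) {
  for (let bit = 0; bit < ID_BITS; bit++) {
    if ((id >> bit) & 1) cache.visit(hostFor(bit), opts);
  }
}

// Return visit: redirect through every subdomain, deliver no icon, and read
// a missing request as "already cached", i.e. bit 1.
function readId(cache, opts = {}) {
  let id = 0;
  for (let bit = 0; bit < ID_BITS; bit++) {
    const requested = cache.visit(hostFor(bit), { ...opts, serverDelivers: false });
    if (!requested) id |= 1 << bit;
  }
  return id;
}

// Write an ID, clear cookies, read it back, all under one cache policy.
function recoveredId(policy, id, opts = {}) {
  const cache = new FaviconCache(policy);
  writeId(cache, id, opts);
  cache.clearCookies();
  return readId(cache, opts);
}
```

With the default policy, `recoveredId({}, 0xABC)` returns the same ID even though cookies were cleared; with either mitigation flag switched on, the read-back is 0, which is what a browser that has never visited would produce.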
( olb)