Browser Tracking Using Favicons

Interesting research on persistent web tracking using favicons. (For those who don’t know, favicons are those tiny icons that appear in browser tabs next to the page name.)

Abstract: The privacy threats of online tracking have garnered considerable attention in recent years from researchers and practitioners alike. This has resulted in users becoming more privacy-cautious and browser vendors gradually adopting countermeasures to mitigate certain forms of cookie-based and cookie-less tracking. Nonetheless, the complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries. In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons. In more detail, a website can track users across browsing sessions by storing a tracking identifier as a set of entries in the browser’s dedicated favicon cache, where each entry corresponds to a specific subdomain. In subsequent user visits the website can reconstruct the identifier by observing which favicons are requested by the browser while the user is automatically and rapidly redirected through a series of subdomains. More importantly, the caching of favicons in modern browsers exhibits several unique characteristics that render this tracking vector particularly powerful, as it is persistent (not affected by users clearing their browser data), non-destructive (reconstructing the identifier in subsequent visits does not alter the existing combination of cached entries), and even crosses the isolation of the incognito mode. We experimentally evaluate several aspects of our attack, and present a series of optimization techniques that render our attack practical. We find that combining our favicon-based tracking technique with immutable browser-fingerprinting attributes that do not change over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds. Furthermore,our attack works in all major browsers that use a favicon cache, including Chrome and Safari. Due to the severity of our attack we propose changes to browsers’ favicon caching behavior that can prevent this form of tracking, and have disclosed our findings to browser vendors who are currently exploring appropriate mitigation strategies.

Another researcher has implemented this proof of concept:

Strehle has set up a website that demonstrates how easy it is to track a user online using a favicon. He said it’s for research purposes, has released his source code online, and detailed a lengthy explanation of how supercookies work on his website.

The scariest part of the favicon vulnerability is how easily it bypasses traditional methods people use to keep themselves private online. According to Strehle, the supercookie bypasses the “private” mode of Chrome, Safari, Edge, and Firefox. Clearing your cache, surfing behind a VPN, or using an ad-blocker won’t stop a malicious favicon from tracking you.

EDITED TO ADD (3/12): There was an issue about whether this paper was inappropriately disclosed, and it was briefly deleted from the NDSS website. It was later put back with a prefatory note from the NDSS.

Tags: , ,

Posted on February 17, 2021 at 6:05 AM28 Comments

Comments

Daniel Merigoux February 17, 2021 7:25 AM

Hi Bruce and readers,
To correct the root cause, I disabled Favicons in Firefox (debian buster linux version 78.7.0esr (64-bit)):
https://www.carnaghan.com/knowledge-base/how-to-disable-favicons-in-firefox/
Just to be sure, I searched everything in about:config that contained favicon and set it to false:
#alerts.showFavicons false
#browser.newtabpage.activity-stream.feeds.favicon false
#browser.shell.shortcutFavicons false
Browser still works flawlessly 🙂
Regards! Daniel

Gian-Carlo Pascutto February 17, 2021 8:43 AM

Bruce, the link to the paper is dead. The next paragraph might be a reason why.

Daniel, the paper actually said Firefox is NOT vulnerable to the attack. The author tried to get Mozilla to change the behavior of the browser to make it vulnerable (!!), by pretending it was a bug, and thus be able to claim a general attack that works against all browsers. But they failed. See https://bugzilla.mozilla.org/show_bug.cgi?id=1618257#c7

We’re still investigating the claim from the PoC site, because it is contrary to the conclusions in the paper and our own initial tests.

Fed.up February 17, 2021 9:35 AM

Oh but advertisers need to see everything I am doing so YouTube can show me more ads for droopy eyelids or boots that I am wearing.

Everyone wonders why young college grads cannot get a job. This is why.

Solution isn’t wiping out student debt. Solution is stopping this insanity.

Voyeurism is illegal. It is defined as the nonconsenual looking and peeping into the private domain of another person. So why doesn’t the Government just classify this as Voyeurism? Voyeurism is a psycho sexual disorder and those who do this are very strange people that have “interpersonal difficulty”.

I think the American Psychiatric Association needs to update the definition for cyber stalking because that’s what it is. It makes me feel even more vulnerable as when a real person stalked me. Because when a human did it, I was able to make it stop.

True story.
I once walked out FAANG “A” HQ after interviewing for a Privacy Risk job. My phone was powered off. I was in a city I don’t live in. A few minutes after I left the building I receive a unsolicited recruiting email from FAANGish “B” around the corner for the same job although they had no job description. I felt so violated. Both companies disappeared on the same day too.

JonKnowsNothing February 17, 2021 9:40 AM

@All

favicons have rather mysterious behavior both in how they are collected by the browser and stored in bookmarks. Anyone who has wrestled with them has certain found them to be less than manageable. Perhaps it’s by design.

generically but not technical:

  • favicons are picked up the first time you visit a webpage but they may not actually appear on the browser until much later.
  • sites may display an incorrect favicon if the icon gets hijacked because it sits lower on the site tree. eg: a wordpress icon might show instead of a custom blog icon.
  • sites that store bookmarks also have links to favicons and these links are nearly impossible to delete or repair if they are showing the wrong path. Mostly you have to delete the entire file which means the browser will pull the icons for all the items linked in the bookmark file instead of pulling one damaged image
  • it may take some days for a new favicon to replace an older edition. It has something to do with how it floats through the internet and lands on the tab. If you update a site favicon it might not be picked up until it repropagates through the DNS
  • Worse is that whatever the icon is, there is no override for it. If you don’t care for the image or symbol, your only option is to Not Go to that site.

Why is not a surprise that this behavior is WAI and can be used to track folks?

Impossibly Stupid February 17, 2021 11:17 AM

@JonKnowsNothing

favicons have rather mysterious behavior both in how they are collected by the browser and stored in bookmarks

Honestly, isn’t that true of how most of the web works these days? Browsers have become “everything and the kitchen sink” apps, making it inherently difficult to lock down with any level of security/anonymity.

sites may display an incorrect favicon

What is “correct” is fundamentally problematic because the favicon is one of the “assumed” files from the early web. A browser (or other spidering software) might try to pull in the one at the root of the domain, or even along the path of the URL, as you’re typing it in because pre-loading makes the bloated web appear faster. The page itself may then specify its own icon that should be used instead, but that won’t happen until after it loads. Some browsers (I’m looking at you, Apple) are set up to automatically request other images in the background, too.

Anybody who runs a web server will frequently see errors in their logs if they aren’t serving up all kinds of files. The latest annoyance I’ve noticed is ads.txt. It is no surprise, then, that anyone with an interest in tracking visitors can take advantage of these behaviors to identify the who behind the what.

If you don’t care for the image or symbol, your only option is to Not Go to that site.

Again, that’s just de rigueur of the modern web. CSS was supposed to separate content from presentation, but how many sites or browsers really make extensive style tweaking easy? Add in the JavaScript layer, and you’re on the road to make it practically impossible for the visitor to come to your site and use it without being invasively interrogated.

xcv February 17, 2021 11:39 AM

@ O.P.

Some older browsers fetch, e.g., http[s]://www.example.com/favicon.ico to display on your browser tabs or bookmarks to identify the websites you frequent.

I didn’t realize there’s a whole set of favicons, and different “standards” for which ones are used by which browsers for which purposes. Design your own.

Favicons might be cached in your bookmark folder and not refetched unless needed, but it doesn’t seem clear to me from the research how tracking from favicons is any worse than tracking other images viewed or downloaded online.

@Fed.up

Solution isn’t wiping out student debt. Solution is stopping this insanity.

The “solution” to stop insanity is to incarcerate, restrain, drug, and torture lunatics, crazies, madmen, deranged, distraught, and mentally ill persons in psychiatric wards, mental hospitals, and insane asylums. Strong civil commitment and gun control laws are vital for this purpose. This is the way it’s been done since the Middle Ages, Bethlem Royal Hospital in London. This is how insanity is stopped. There’s a “serenity prayer” and these are things that will never change, no matter what, as long as Democrats are in control of America’s pro-abortion medical care and mental health legal systems.

While we must accept and continue to suffer with the brutality and torture inflicted on us by dishonest doctors and crooked shrinks in this life, we can still pray for God’s vengeance that is sure to be executed upon them in the day of judgment.

Voyeurism is illegal. It is defined as the nonconsenual looking and peeping into the private domain of another person. So why doesn’t the Government just classify this as Voyeurism? Voyeurism is a psycho sexual disorder and those who do this are very strange people that have “interpersonal difficulty”.

Sure it is. The boy peeking up the girl’s skirt in the playground at school.

Essentially, someone is looking at something or viewing something, presumably on a computer screen, but quite possible as a photo developed or printed out on paper. You can add the “-ism” suffix to it and call it a crime, but the problem remains that you are prosecuting hard crime on soft science, where there is no longer any hope of proof beyond a reasonable doubt of the three indispensable elements of crime:

  • mens rea
  • actus reus
  • noxa rea

I think the American Psychiatric Association needs to update the definition for cyber stalking because that’s what it is. It makes me feel even more vulnerable as when a real person stalked me. Because when a human did it, I was able to make it stop.

The cops and doctors on strike with labor union who commit crimes of voyeurism and cyberstalking are so detached from the harm they cause by their wicked acts, that they are, essentially, inhuman monsters. Furthermore, the APA is part of the problem, not the solution.

lurker February 17, 2021 11:40 AM

When favicons first appeared (maybe it was Al Gore who invented them?) I couldn’t see the point. They convey no new or extra information. Then when I examined some page code and saw back then they were being used as a form of cookie, they got added to my session logout browser purge.

It’s a war out there. The site coders looked for better places to hide their “gifts” and some popular browser makers helped them. I got tired of continually updating my purge script and ended up using a browser that appears to keep no crud when the session is closed.

Clive Robinson February 17, 2021 12:04 PM

@ lurker,

It’s a war out there. The site coders looked for better places to hide their “gifts”

Quite literally… Some years ago a well known store used such “crud” to see how often you visited a “product page”. If you kept visiting the page but not others the algorithm concluded you were interested in the product, but had not made up your mind to buy. So it would give you a “discount code”. The discount would slowly build up…

The problem as you can guess is that in effect they stored the “state” that determined the discount they offered in your browser… Opps

Thus for a while getting high end discounts was not a problem for some friends.

No I don’t buy on line, the only time I tried it was with Amazon and they could not get their couriers to deliver, so they charged me and did not deliver the goods… They still owe me money and lets just say lesson learned, and if an Amazon executive crook comes within the range of my boot cap then with a little luck they might learn something from their lesson 😉

xcv February 17, 2021 12:12 PM

@Clive Robinson

No I don’t buy on line, the only time I tried it was with Amazon and they could not get their couriers to deliver, so they charged me and did not deliver the goods… They still owe me money and lets just say lesson learned, and if an Amazon executive crook comes within the range of my boot cap then with a little luck they might learn something from their lesson 😉

“I buy local!”

Good grief! Ditch that picket sign. There’s a Mob at the post office holding up the Royal Mail.

Who? February 17, 2021 12:12 PM

@ uh, Mike

Some reading to enjoy your breakfast:

https://web.archive.org/web/20210115142340/https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf

I love when researchers try to make the vulnerabilities they discover ubiquitous in the name of the science.

Who? February 17, 2021 1:58 PM

@ Joe K

Glad to see you appreciate the link to the archived copy of this paper. As you can see, tables in this document provide information about Chrome, Safari, Edge, and Brave only (all these browsers are vulnerable). Details about Firefox are missing as the vulnerability was not available on it yet. They were looking for a “strike” in the web browsers world.

Mike February 17, 2021 2:28 PM

Most people who comment here don’t seem to be professional programmers.
People(programmers who don’t read such blogs but stackoverflow for sample code copy/paste!) who really build these websites are in outsourced countries like India where there is 0 concept of Privacy. Of course, product managers here in the US have no idea how the product works because they are mostly enjoying beaches in the USA letting these coders in the third world countries do whatever they want.

kin February 17, 2021 8:30 PM

@Clive Robinson

No I don’t buy on line, the only time I tried it was with Amazon and they could not get their couriers to deliver, so they charged me and did not deliver the goods… They still owe me money and lets just say lesson learned, and if an Amazon executive crook comes within the range of my boot cap then with a little luck they might learn something from their lesson 😉

Right on. Somebody I know had their account “deleted” due to some (legitimate) activity. No answer from any of the customer service people. Lost all of his video library. This was despite a $50k/year spend!!! Seems their automated AI flagged some gift cards or refunds or something like that. She slipped into depression due to that!

Peter A. February 18, 2021 2:30 AM

@kin: that’s why a subscription service is not a ‘video library’. It’s just a fancy TV channel, which can go out at any time. You only have a library of whatever if you control the copies and are able to make more copies or lend a copy to your friend. When you OWN the copies physically: paper books, vinyls, CDs, DVDs, hard drives, SD cards, whatever.

I am not a huge fan of recorded music or film, but I still have a small collection of old vinyls (haven’t played them for more than a decade!), CDs, DVDs and even a few loose files that I have downloaded. Yes, I sometimes watch or listen to something on YT and the like, go to cinema, or turn on the TV signal receiver, but I treat it as a one-time entertainment. If there’s something online I really like, I just make a local copy. I’ve also made copies of some CDs/DVDs I particularly enjoy. And I keep multiple backups. Nobody is going to deprave me of my favorite stuff, unless I’m really broke and could not care about it.

Joe K February 18, 2021 7:33 AM

I notice this morning that the link in Bruce’s original post to the
Solomos-Kristoff-Kanich-Polakis paper is no longer broken.

A notable difference between the archived version I had been reading,
and the version presently available on the co-author’s website, is the
inclusion of a statement from the Network and Distributed Systems
Security 2021 symposium Program Committee, and an appendix containing
the authors’ reply to that statement.

Since the issue these two additional statements address has been
alluded to in some of the commentary here, I will (with @Moderator’s
indulgence) transcribe their contents in two separate comments below.

My aim in so doing is to augment their accessibility.

Joe K February 18, 2021 7:37 AM

Statement from the NDSS (Network and Distributed Systems Security symposium) 2021 Program Committee:

NDSS is devoted to ethical principles and encourages the research
community to ensure its work protects the privacy, security, and
safety of users and others involved.

While NDSS 2021 PC appreciated the technical contributions of this
paper, it was the subject of a debate in our community regarding the
responsible disclosure of vulnerabilities for the Firefox web
browser.

The PC examined and discussed the ethics concerns raised and the
authors’ response. Although no harm came to users, the authors’
oversight could have made a non-vulnerable browser vulnerable to the
attack proposed in the paper.

The PC does not believe the authors acted in bad faith.
Nevertheless, we decided to add this note as well as the authors’
response (in an Appendix) to the paper because the NDSS PC takes
both the ethics of responsible disclosure and fairness towards the
authors seriously.

It is the PC’s view that researchers must not engage in disclosure
practices that subject users to an appreciable risk of substantial
harm. NDSS will work with other conferences to further improve the
transparency of vulnerability disclosure to reduce such errors in
the future.

Joe K February 18, 2021 7:40 AM

This is the authors’ reply to the program committee statement above,
as transcribed from the pdf once again available at the link in
Bruce’s original post.

Appendix

Here we provide additional details and context to clarify our
disclosure process.

Initially this project started by trying to understand how favicons
work in browsers, including how they are fetched, their
characteristics, how they are stored, etc. One of our earliest
discoveries was that in the case of Firefox even basic favicon
functionality didn’t seem to work correctly and that’s why we
submitted a bug report to Mozilla in February 2020. As such, we
focused our exploration on other browsers where basic favicon
functionality appeared to be working correctly.

As we continued our exploration, and after other ideas didn’t pan out,
we devised the tracking technique detailed in the paper. This was a
fairly straightforward technique to test and we ran experiments to see
which browsers were susceptible.

We informed all vulnerable browsers through reports in June 2020,
detailing our technique and the underlying issue — as we wrote in
the paper, “we have disclosed our findings to all affected
browsers”. This disclosure took place even before we submitted our
paper to NDSS in July 2020. We opted for a pre-submission disclosure
to give vendors ample time to address the issues we had uncovered.

We made our findings public many months later (February 2021) after
the camera ready version of our paper was accepted by NDSS. Not
notifying Firefox at that time was definitely an oversight, which was
a result of us focusing on which browsers were vulnerable and
notifying those. This wasn’t done to harm users in any way, nor was it
done to improve the paper’s impact as claimed by certain people
online. This is further corroborated by two facts:

  • We already explicitly mentioned in the paper that our attack didn’t work against
    at least one browser (Tor).
  • We didn’t notify Firefox even after our paper was accepted, at which point whether
    Firefox was vulnerable or not would obviously not improve the paper or change
    anything for us. Again, this shows that we simply (and unwisely) didn’t take
    Firefox into account during the disclosure process because it wasn’t susceptible
    to the attack. It wasn’t due to some elaborate or malicious plan.

We agree that we should have proactively notified Firefox to make sure that the attack
wouldn’t work no matter what changes they eventually made to their favicon
functionality.

In hindsight, this seems like a painfully obvious thing to do, but
this past year has been far from normal.

We hope that the conversations we had with the vulnerable vendors to
get this security bug fixed shows that we have the best interests of
web users at heart. This can also be seen by our track record of
responsibly disclosing our research, including two other disclosures
that Firefox was a part of in the past year alone.

Without an understanding of the larger context around our work, it’s
definitely understandable that people would get the impression that we
wanted Mozilla to introduce a weakness in their browser, but we trust
that members of our research community will be able to better evaluate
the situation. Neglecting to circle back with Mozilla about the
security issue that could be potentially introduced in their browser
was an oversight, and thankfully the overarching favicon flaw is now
well known and any fix to Firefox will include appropriate proactive
mitigations further ensuring that no users will be affected by this
vulnerability.

xcv February 18, 2021 9:15 AM

@Joe K

debate in our community regarding the
responsible disclosure of vulnerabilities for the Firefox web
browser

Not
notifying Firefox at that time

It’s more than just an ethical issue. Someone is taking full advantage of the said vulnerabilities for serious organized criminal purposes without properly disclosing the matters to the makers of the vulnerable software.

Software is “soft.” It’s supposed to be “vulnerable” to thieves and criminals.

The Establishment isn’t interested in offering us anything better.

MrC February 18, 2021 8:39 PM

Open question re Firefox’s partitioning scheme:

How does this interact with the way Google’s HTTP/2 protocol enables CDN tracking by design? From a cursory look at the description, it sounds like this Firefox change neutralizes this threat.

A related question: Can anyone summarize whatever became of the false start/snap start business from SPDY in the final HTTP/2 protocol? Are we still dealing with a protocol that wants to send data before hearing enough from the other endpoint to rule out MitM?

SpaceLifeForm February 19, 2021 2:00 PM

@ ALL

You can hide a lot of bits in a 16 pixel by 16 pixel favicon with 24 bit colour.

Visible to naked eye?

Not so much.

FYI February 21, 2021 5:14 AM

Some quick fixes are also:
No persistent caching.

Firefox had an option to disable favicons altogether, if still present much more specific than that network partitioning, which may or may not work as expected all the time. Newer Firefox has a bad habit of conditionally disabling security features, ie, for firefox-owned domains, during startup (newtab), etc…

Android, clearing Firefox’s/Any Browser’s app cache also clears favicons, usually. Options to either disable favicons or persistent caching may simply be ignored or not be available easily in android old or new firefox or at all to begin with, unfortunately.

@Clive: Rebates, explain a lot, thanks!

Rick Deacon February 22, 2021 5:04 PM

I love to see the use of favicons in research and this is interesting.

Notably, Apozy is using favicons for the inverse – to detect visual indicators of compromise. After distributed scanning of most of the known internet, we’ve created a visual hash database and a service to compare newly visited sites against existing sites. The favicon analysis occurs, comparing the two, quickly determining fakes.

I bring this up because it seems that research around these is gaining traction.

Old January 20, 2023 3:54 PM

Yet Another tracker to irritate and annoy.

I just do not get how my iphone/safari is unique. Even on test sites that havent seen every iphone sold that is a similar model to mine. Maybe that means the hash is skewed more for uniqueness by not having every iphone fingerprinted?

IF WE HAVE THE ABILITY and technology TO TRACK AND
PRINT – Why the hell do we NOT have ability to PREVENT/STOP it from happening? That is if I only want iphone/safari?

Too bad ALL such tracking is not attacked by the community like exploits, vulnerabilities, malware and viruses are.

This all just makes me so angry. :-\

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.