- Three highly popular web browsers are vulnerable to persistent favicon-cache-based tracking.
- The attack is click-less and could be implemented by any website, leaving the target in the dark.
- Brave fixed the issue before its publication, and Firefox is safe from it thanks to a bug.
Researchers from the University of Illinois, Chicago, have discovered a clever way to track Chrome, Safari, and Edge users by using favicons cached in the browser. Favicons are files that contain small icons (16 x 16) associated with particular websites or pages. They are supported by all modern browsers and are useful in indicating which website is active on each browser tab, so they are a convenience feature. As the researchers figured out, though, favicons are also a grave privacy liability.
Chrome, Safari, and Edge all appear to store favicons persistently, even in incognito mode, so the favicons remain stored even if the user clears the browser’s cache.
Most of these don’t have an expiration date or expire after a full year, while only 8% will get flushed after a day. This makes them a potentially powerful tracking vector, so all that the team needed to do was develop an effective attack method.
The methodology involves planting a unique persistent identifier in the browser’s cache, which any website can do without the user’s interaction or consent. The identifier will be dropped into the browser’s cache even if anti-tracking systems or extensions are active on the target’s system, or even if a VPN is used.
When the victim revisits the site that planted the identifier, the favicons of the websites that the user visited in the meantime will be retrievable and viewable by the attacker.
The above method is OS-agnostic, but it won’t work on Firefox due to a bug that is apparently preventing the attack. Also, at the time of the tests, Brave was found to be vulnerable too, but the privacy-conscious project has since plugged the hole by developing an effective countermeasure. The researchers have notified all browser developers, so they should fix this sooner or later.
More details about this novel attack will be presented by the researchers Kostas Solomos, John Kristoff, Chris Kanich, and Jason Polakis at the upcoming NDSS Symposium 2021. It took the team months to optimize their attack method and refine it adequately so that it works everywhere, so there’s a lot to be discussed. In the meantime, Chrome, Safari, and Edge users who want to mitigate this until fixes are out may just disable favicon caching for now.