Browser 'Favicons' Can Be Used as Undeletable 'Supercookies' To Track You Online

Posted on Tuesday February 09, 2021  |  privacy, security

According to a researcher, favicons can be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online. From a report: The tracking method is called a Supercookie, and it's the work of German software designer Jonas Strehle. "Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user," Strehle said on his Github. "The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers." Strehle's Github explained that he became interested in the idea of using favicons to track users after reading a research paper [PDF] on the topic from the University of Illinois at Chicago. "The complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries," the paper explained. "In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons." To be clear, this is a proof-of-concept and not something that Strehle has found out in the wild.