You are probably familiar with favicons, small (16×16 pixel) icons associated with websites. The icon is typically displayed on the browser tab of the website you are visiting. However, you are probably not aware that multiple favicons could be used to fingerprint and track devices as you visit websites.
New research from the University of Illinois [*] explores how malicious actors can use favicons, an innocuous and widespread browser feature, as a vehicle for fingerprinting and tracking devices.
Their technique exploits the fact that a favicon is downloaded automatically into a favicon-specific cache (F-cache) when a browser accesses a website. The F-cache cannot be emptied by clearing the browser history and the regular cookie cache. When a user visits a website that uses the novel tracking algorithm, the user is redirected through multiple subdomains, each serving a different favicon. Each browser will only download a select portion of the favicons available from the total redirects. The controlled redirects make it possible to create an identifier that reidentifies the browser across visits: the presence or absence of a given favicon corresponds to a 1 or a 0, respectively, in the identifier.
On subsequent visits, the website can reconstruct the identifier for each device by comparing the unique combination of favicons the browser downloads against the total number of possible favicons offered across all redirects. Tracking 4.5 billion unique browsers would require a 32-bit tracking identifier, or 32 redirections, adding only about 2 seconds to normal load times, a delay most users are unlikely to perceive. Besides, the redirections don’t need to happen at page load time, and techniques could be used to obfuscate them.
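The redirect pattern described above is visible in proxy or browser request logs, so a defender can look for it. The following detection sketch is an added example, not code from the paper or from this article; the record format, the thresholds `MAX_GAP_MS` and `MIN_SUBDOMAINS`, and all hostnames are assumptions, and the trace is constructed.

```python
from collections import namedtuple
from urllib.parse import urlsplit

# One record per request seen in a single tab (constructed format, not a real tool's schema).
Req = namedtuple("Req", "ts_ms url kind")   # kind: "document" or "favicon"

MAX_GAP_MS = 500      # assumed: hops closer together than this belong to one redirect chain
MIN_SUBDOMAINS = 8    # assumed: sibling subdomains in one chain before it is flagged


def site_of(host):
    """Naive registrable domain (last two labels); real tooling should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def chains(requests):
    """Group top-level document loads into runs separated by less than MAX_GAP_MS."""
    run, last = [], None
    for r in sorted((r for r in requests if r.kind == "document"), key=lambda r: r.ts_ms):
        if last is not None and r.ts_ms - last > MAX_GAP_MS:
            yield run
            run = []
        run.append(r)
        last = r.ts_ms
    if run:
        yield run


def suspicious_chains(requests):
    """Flag chains that walk many sibling subdomains of one site, and count favicon fetches."""
    fav_hosts = {urlsplit(r.url).hostname for r in requests if r.kind == "favicon"}
    findings = []
    for run in chains(requests):
        by_site = {}
        for host in dict.fromkeys(urlsplit(r.url).hostname for r in run):
            by_site.setdefault(site_of(host), []).append(host)
        for site, subs in by_site.items():
            if len(subs) >= MIN_SUBDOMAINS:
                fetched = sum(h in fav_hosts for h in subs)
                findings.append({"site": site, "subdomains": len(subs),
                                 "favicons_fetched": fetched})
    return findings


# Constructed trace: a normal visit, then 10 rapid hops through sibling subdomains.
TRACE = [Req(0, "https://news.example/", "document"),
         Req(40, "https://news.example/favicon.ico", "favicon")]
for i in range(10):
    TRACE.append(Req(5000 + 60 * i, f"https://s{i}.tracker.example/", "document"))
    if i % 3 == 0:   # only some hops trigger a favicon download; the rest are already cached
        TRACE.append(Req(5010 + 60 * i, f"https://s{i}.tracker.example/favicon.ico", "favicon"))
```

A chain in which only some hops fetch a favicon is the more telling signal, since ordinary multi-hop redirects (login flows, URL shorteners) rarely walk many sibling subdomains of one site.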
The new browser tracking method is immune to existing tracking countermeasures, including private browsing sessions. The researchers propose changes to how browsers cache favicons to protect against this kind of fingerprinting and tracking, and they have informed browser developers as to their findings and conclusions.
The potential for misuse and abuse of a browser feature most users barely even notice once again underscores the arms race between security professionals and malicious actors, and the need for everyone to take information security seriously.
[*] https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf