Those icons on your browser track you.

By Amine Ketz, published in Marketing on Acid, Mar 9, 2021

The hidden threat behind favicons.

Nothing looks more innocent than those little icons you see in the corner of your browser tabs, right? Think again. They can potentially be tracking every one of your moves. And there is nothing we can do to stop them.

New research from the University of Illinois details how those icons, called favicons, do so.

What are favicons?

Those 32x32 pixel images were introduced with HTML back in 1999.

They exist simply to help you figure out which tab is which. You may ask, what could go wrong?

When you visit a webpage you haven’t been to before, your browser realizes it hasn’t got a favicon for that particular page, so it downloads it and stores it in a dedicated favicon database. That way, when you visit the same webpage again, your browser doesn’t need to go through the hassle of downloading it again.

Sounds pretty legit, right?

The research found that by introducing a number of automatic redirects between you clicking the link and the page actually loading, they could program a special favicon fingerprint that uniquely identifies you.

Think about it this way:

  • When you visit a webpage you haven’t been to before, your browser downloads the favicon.
  • When you have already been there, your browser doesn’t download the favicon.

Therefore, a website can tell if you already visited a certain webpage or not.

The tracking method

By forcing your browser to visit a chain of webpages before loading the page you want, the website can secretly load a unique pattern of favicons into your browser.

A pattern in this scenario refers to the list of pages for which you do or do not have a favicon in your database. By using a large number of redirects, a website can store a different pattern for each user. For example:

  • 4 redirects (2⁴) = 16 patterns
  • 32 redirects (2³²) = 4.5 billion unique patterns

That’s about one pattern for every person on earth with internet access. Note that 32 redirects might only add 2 seconds of loading time. The speedbump would not really be noticeable for most people.
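To make the bit-pattern idea concrete, here is a small Python simulation, added for this post and not the researchers’ or supercookie.me’s code, of a browser favicon cache being written and then read back over a 32-hop redirect chain. The `FaviconCache`, `write_id` and `read_id` names and the `/hop/N/favicon.ico` paths are made up for the illustration; the `always_refetch` flag models the Firefox behaviour described later in the post and shows why a browser that never consults its favicon database reads back as a brand-new visitor.

```python
from dataclasses import dataclass, field

N_BITS = 32  # one redirect hop per bit, matching the post's 32-redirect example
ID_NEW_VISITOR = 0  # the all-zero pattern means "no favicon cached yet"


@dataclass
class FaviconCache:
    """Simulated per-browser favicon database (constructed for this example)."""
    cached: set = field(default_factory=set)
    # Firefox-like behaviour from the post: always re-download, never consult the cache.
    always_refetch: bool = False

    def needs_fetch(self, path: str) -> bool:
        return self.always_refetch or path not in self.cached

    def store(self, path: str) -> None:
        self.cached.add(path)


def hop_path(hop: int) -> str:
    # hypothetical redirect-hop URL, one per bit; not a real supercookie.me path
    return f"/hop/{hop}/favicon.ico"


def write_id(cache: FaviconCache, user_id: int) -> None:
    """First visit: the server walks the redirect chain and answers the favicon
    request only on hops whose bit in user_id is 1, so only those get cached."""
    for hop in range(N_BITS):
        if cache.needs_fetch(hop_path(hop)) and (user_id >> hop) & 1:
            cache.store(hop_path(hop))


def read_id(cache: FaviconCache) -> int:
    """Return visit: a hop the browser does NOT request is a cached 1-bit.
    A cache that always refetches (or was cleared) yields ID_NEW_VISITOR,
    which is exactly why that browser behaviour defeats the technique."""
    user_id = 0
    for hop in range(N_BITS):
        if not cache.needs_fetch(hop_path(hop)):
            user_id |= 1 << hop
    return user_id


if __name__ == "__main__":
    tracked = FaviconCache()
    write_id(tracked, 0xDEADBEEF)  # first visit: pattern is stored in the cache
    print(hex(read_id(tracked)))   # return visit: same pattern is read back
```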

A method called Supercookie

It’s called that because it’s used to identify you like a cookie, but it’s much harder to get rid of (note for Europeans: it’s not GDPR compliant).

There is a website that demonstrates this technique: supercookie.me

Typing “demo” shows you a number of redirects, slowed down a bit so you can see exactly what’s going on.

Notice how for some redirects a favicon appears on the corner, and for some others, you don’t get one. This combination is your unique favicon ID pattern.

The code of this app is open source and available on GitHub, for educational purposes only.

How to stop being tracked?

Interestingly, it’s a tricky one. You can’t get around this by deleting your cookies or your cache; that won’t affect the favicon database in any way. So there is no obvious and easy way to clear your favicons.

Not even incognito mode will help you as it uses the same favicon database.

So which browsers are affected by this issue?

Safari and Chrome (and well... Edge, if you’re that one guy still using it). Mobile versions of these browsers are affected as well.

But it doesn’t work on Firefox. I’ll get back to this later.

Google and Apple publicly declared that they are looking into fixing it. No other browser vendor has said anything on the topic, other than Brave, which already fixed it.

So what about Firefox? The supercookie doesn’t work on it either. Well, they didn’t intentionally fix it; rather, there is a bug in the browser.

For some reason, it downloads the favicon every time you visit a page and doesn’t check its internal favicon database. The catch is that the researchers at the University reported the bug to Firefox.

Conclusion

This is a serious thing and can be used by any website. There isn’t much you can do about it as a user, except disabling favicons or using Brave / Firefox.

One other thing that you can do is to use a VPN.
