A group of researchers from the University of Illinois at Chicago recently released a research report titled ‘Tales of Favicons and Caches: Persistent Tracking in Modern Browsers’. It turns out that third parties can use Safari browser’s cache function supporting Favicons to identify and track users. Even if the user switches to incognito mode, installs an ad blocking mechanism, or even clears the cache, it doesn’t help.
Favicon is the abbreviation of Favorites Icon. It refers to the icon of the webpage. It is a webpage icon that website operators design. When the user opens the tab in the browser, the icon that appears on the tab is Favicon.
Also Read: Global Browser Wars
The researchers pointed out that there is a cache dedicated to Favicons in the cache function of modern browsers. It is not an HTTP cache. So there will be no change even when the user deletes the browser cache, history or data. In addition, it did not properly isolate the incognito mode, and the shelf life was as long as one year.
New Mechanism For Tracking
Therefore, the researchers designed a brand new tracking mechanism. It uses the characteristics of Favicons, combined with many fingerprint attributes of the browser. This allows the website to build a 32-bit tracking identifier within 2 seconds.
This tracking mechanism can break through the anti-tracking defenses of all modern browsers that use Favicons cache, including Chrome, Safari, and even Brave. Even if the user clears the cache, installs ad blocking extensions, and restarts the system, it cannot prevent tracking of this mechanism. For Firefox, the researchers said that they accidentally discovered a bug in Firefox during the test, which caused the attack to fail. However, we believe that after Firefox fixes the bug, it can successfully track Firefox users.
Researchers suggest that browsers should change their favicons caching method to prevent related tracking. Browser operators have also got the research results.