Researchers at the University of Illinois at Chicago warn of a method for tracking users on the Internet using favicons: the small icons that websites provide so that they are easily recognisable in browser tabs, bookmarks and the address bar.
According to the researchers, a malicious website can store a specific combination of favicons on a user's machine and use it to recognise that user later. Several popular browsers keep favicons in a dedicated cache that is not emptied when other browsing data is cleared and is not isolated in private browsing mode.
This lets a website identify a specific user even if that user blocks cookies, uses private browsing and defeats other fingerprinting techniques. The leak arises because a browser, to save bandwidth, only requests a favicon it does not already have cached, so the website can tell from which requests arrive which favicons are present.
A rogue website redirects a first-time visitor through a series of subdomains or paths, each with its own favicon, and decides at each hop whether to serve the icon. The resulting pattern of cached and uncached favicons is a bit string that identifies the visitor on a repeat visit. The more visitors a website has, the more distinct favicons, and therefore redirects, it needs.
Even a website that wants to distinguish nearly 4.3 billion unique browsers needs only 32 redirects, one per bit. According to an example calculation by the researchers, assigning such an identifier takes about two seconds.
The researchers have notified the makers of the affected browsers: Chrome, Safari and Edge. Google says it is already working on a fix, Apple says it is examining the findings, and Microsoft did not respond in time, Ars Technica reports.
Brave was also susceptible, but its developers have since fixed the issue. Firefox is also on the list of affected browsers, but because of a bug the technique does not currently work there. As a workaround, users can disable favicons, although they should verify that the browser then actually stops storing them and does not merely stop displaying them.