No time right now?
Researchers at the University of Illinois have developed a new supercookie based on favicons. This is also completely unimpressed by modern blockers and anonymization methods.
Based on the concept of the researchers from Chicago in the USA, the German software developer Jonas Strehle built a working demo and named it Super cookie published on GitHub. The demo shows how easily the actually unsuspicious favicons, which graphically represent the accessed page in the address bar of the visitor browser and therefore have no real function, can be misused to identify users.
Favicon cache outlasts delete command
The approach to misuse the favicons for tracking is based on a special feature of the browser cache. It is not homogeneous, but rather fragments into many special caches, including one for the favicons. And this cache is not affected by the delete command even if the user deletes the browser cache manually and thus explicitly. Once saved, favicons remain on the user system.
The researchers’ supercookie concept is now based on giving the user a diverse set of different favicons over various subdomains on their first visit. They then remain on the computer and are not retrieved the next time you visit the site.
The supercookie concept misuses this fact. The procedure is such that when you visit a correspondingly collecting page, you don’t just rely on the favicon cache in order to avoid unnecessary page requests. Rather, the server determines which favicons are not retrieved by the visitor browser, i.e. which are already available.
Unique ID possible via favicon
In this way, the researchers were able to prove that a desktop browser could be loaded with a twelve-bit ID in an average of one second, while reading out took twice as long. Double the time was required with mobile browsers. According to the researchers, a clear identification took around four seconds.
If you combine the favicon supercookie with other fingerprinting techniques, the relatively long writing and reading times can be reduced, because the clear identification does not have to be done by favicon tracking alone.
Browser so far powerless
From the point of view of a data collector, favicon tracking is a solid idea to still make users clearly identifiable in times of increasingly strict tracking protection. Because the common protective measures in current browsers such as Firefox or Safari and even Brave do not protect against the method. Even the brand new Firefox, which is specifically committed to combating supercookies, should be outsmarted with the method from Illinois.
Because the new Firefox creates a unique set of caches for each website that cannot be used by other websites. The browser assumes the top-level site as the partition level. The Illinois concept works with subdomains and should not have any problems with the partitioned Firefox cache in this way. Other techniques, such as switching on incognito mode or using VPN services for anonymization, do not protect against the new method at all.
Fingerprinting cannot be completely avoided
It looks like there is little that users can do about this type of supercookie at the moment. It therefore seems all the more gratifying that there is so far no evidence that the technology is actually already being actively used. This gives browser manufacturers a time window in which they can react to the still theoretical threat.
We cannot hope for too much here. The end of the cookie only means that developers (have to) throw themselves more and more into fingerprinting methods. And this fingerprinting cannot be completely prevented. Browsers must be able to identify themselves to websites. Accordingly, there will continue to be a constant race between data collectors and data protectionists.