What is a 'super cookie' that tracks users with the browser's Favicon?


The favicon displayed on a browser tab is an important icon that serves as a symbol of the site. However, researchers have warned that a 'super cookie' problem lurks in this favicon: like a cookie, it can be used to keep track of users.

Tales of Favicons and Caches – Persistent Tracking in Modern Browsers
(PDF file) https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf

supercookie • workwise

A favicon is a small icon that appears next to a tab or URL as a symbol of your site.

In January 2021, security researchers at the University of Illinois at Chicago published a research paper showing that favicons can be exploited to identify users and to carry out tracking that cannot be avoided by clearing the cache or using private (incognito) mode. In addition, German software developer Jonas Strehle, who read the paper, confirmed that users can actually be tracked using a favicon, and published the method under the name 'super cookie'.

According to Strehle, favicons are stored in a local area called the 'favicon cache (F-cache)' so that the browser can display them at any time. The F-cache holds information such as the URL of the visited site, the favicon ID, and its expiration date, the time to live (TTL).

Using this F-cache, web developers can set a different favicon for each subdomain or page so that users can see at a glance which page they are viewing. However, if the F-cache is abused, it becomes possible to determine which pages a user has viewed, and therefore to track the user with high accuracy. This method is called 'super cookie'.

Regarding the mechanism of the super cookie, Strehle explains: 'When the browser accesses the server, if the favicon is already in the local F-cache, no further request is sent. On the other hand, if it is not in the F-cache, a request for the favicon is sent. By recording these requests and accumulating information about which favicons are already cached, a unique identifier can be assigned to the client.'
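One way a defender can spot this pattern in a captured browser request log (for example one exported from the network panel or a local proxy), as an added example that is not code from the article or from Strehle's project; the log format, origin names and thresholds are assumptions:

```python
"""Heuristic detector for favicon-cache ("super cookie") tracking in a
captured request log. Added example; log format, origin names and
thresholds are assumptions, not taken from the article or the project."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log: time, method, URL, HTTP status. The first origin
# shows the pattern the article describes: the client is bounced through
# several paths and a favicon is fetched only for those not yet cached.
SAMPLE_LOG = """\
2021-02-19T10:00:00.000 GET https://tracker.example/ 302
2021-02-19T10:00:00.120 GET https://tracker.example/b/1 302
2021-02-19T10:00:00.131 GET https://tracker.example/b/1/favicon.ico 200
2021-02-19T10:00:00.240 GET https://tracker.example/b/2 302
2021-02-19T10:00:00.360 GET https://tracker.example/b/3 302
2021-02-19T10:00:00.372 GET https://tracker.example/b/3/favicon.ico 200
2021-02-19T10:00:00.480 GET https://tracker.example/b/4 302
2021-02-19T10:00:00.600 GET https://tracker.example/done 200
2021-02-19T10:00:05.000 GET https://news.example/article 200
2021-02-19T10:00:05.050 GET https://news.example/favicon.ico 200
"""

MIN_REDIRECTS = 4     # distinct redirected paths seen within one window
MIN_FAVICONS = 2      # distinct favicon URLs fetched from the same origin
WINDOW_SECONDS = 2.0  # a normal page load fetches one favicon, not many

def parse_log(text):
    """Yield (time, origin, path, status) for each log line."""
    for line in text.splitlines():
        ts, _method, url, status = line.split()
        u = urlparse(url)
        yield datetime.fromisoformat(ts), f"{u.scheme}://{u.netloc}", u.path, int(status)

def is_favicon(path):
    return path.lower().endswith(".ico") or "favicon" in path.lower()

def score_origins(text):
    """Return {origin: (redirect_paths, favicon_paths, suspicious)}."""
    events = defaultdict(list)
    for t, origin, path, status in parse_log(text):
        events[origin].append((t, path, status))
    result = {}
    for origin, evs in events.items():
        evs.sort()
        start = evs[0][0]
        window = [e for e in evs if (e[0] - start).total_seconds() <= WINDOW_SECONDS]
        redirects = {p for _, p, s in window if 300 <= s < 400}
        favicons = {p for _, p, _ in window if is_favicon(p)}
        flag = len(redirects) >= MIN_REDIRECTS and len(favicons) >= MIN_FAVICONS
        result[origin] = (len(redirects), len(favicons), flag)
    return result
```

An origin that chains many redirects and fetches several different favicons inside a single page load is flagged; a normal site with one favicon per load is not.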

Strehle has also created a demo site that briefly shows how the super cookie actually works.

supercookie • welcome

The following is what you see when accessing the above URL. Click 'To the Demo!' to start the demo.

The browser then reloads many times...

The identification number of the browser you accessed is displayed.

Since the above site is just a demo, the identification number changes if you clear the browser's cache; a real super cookie, however, can continue tracking even after the cache is cleared.

The following table compares normal cookies (left) with the super cookie (right) on, from the top, 'identification accuracy', 'detection of incognito and private mode', 'persistence after clearing the browser's cache and cookies', 'identification across multiple windows', and 'evasion of anti-tracking measures'. According to Strehle, normal cookie tracking can be prevented by clearing the browser's cookies, using a VPN, or using anti-tracking extensions, but the super cookie cannot be prevented and identifies users with 100% accuracy.

In addition, the following table summarizes whether super cookie tracking works in the major browsers available on each OS. Chrome and Safari are affected by the super cookie on every operating system on which they are available, and Firefox also falls prey to it when used on a PC.

Brave is the only browser that is not affected by the super cookie...

It is said, however, that older versions of Brave could also be tracked by the super cookie.

in Security, Posted by log1l_ks