Tracking users with favicons, even in incognito mode
6 days ago
- #web-security
- #privacy
- #tracking
- Supercookie uses favicons to assign a unique identifier to website visitors, persisting even in incognito mode and resisting common clearing methods.
- The tracking method leverages the browser's favicon cache (F-Cache): the site redirects the visitor through a chain of sub-paths, serving a favicon for some of them and a 404 for the others, so the set of cached versus uncached favicons encodes an identifier. On a return visit the browser only requests the favicons it has not cached, so the pattern of requests that reach the server reveals that identifier.
- The project reports all major browsers (Chrome, Firefox, Safari, Edge, Brave) across the common operating systems (Windows, macOS, Linux, iOS, Android) as affected.
- The attack scales with the number of redirects: each redirect carries one bit, so N redirects distinguish up to 2^N unique visitors.
- Mitigation involves disabling the favicon cache or manually deleting the F-Cache files, with specific instructions provided for Chrome, Safari, and Edge on each operating system.
- The project, created for educational purposes, highlights tracking vulnerabilities and includes a demo setup requiring Docker or Node.js.