More often than not, we have a gazillion tabs open in our web browsers, and it is only then that we realise the importance of the small icons on each tab. These life-saving icons are known as Favicons. They are quintessential for any serial tab opener, but can these innocent-looking images be used to track users on the Internet?
In this article, we will talk about Favicons in detail and understand if they can be used to track your movement on the Internet.
What are Favicons?
As mentioned earlier, Favicons are tiny images accompanying a website’s name on a browser’s tab. Although Favicons might look like a gimmick to the end-user, they help users identify websites quickly and also aid in creating a brand image for the website.
In addition to this, Favicons can be seen in browser history pages, bookmarks and even in search bar recommendations. So wherever you go on the web, a Favicon will probably follow you.
How do Favicons work?
When you visit a website for the first time, your web browser sends a request to a webserver to fetch the Favicon images for that website. These Favicon images are then stored locally in a particular cache called the Favicon cache (F-cache). In addition to all this, the F-cache also holds the following information.
- Favicon ID and its time to live.
- Data entries for URL parameters.
- Domains and subdomains visited.
As the F-cache does not store cookie data which can be used to identify users on the Internet, these caches are not cleared when you clear your browser’s cache. For this reason, Favicon images of the websites you visit are permanently stored on your system.
Can Favicons be used to track people on the Internet?
According to the research paper "Tales of FAVICONS and Caches: Persistent Tracking in Modern Browsers" written by the University of Illinois, Favicons can indeed be used to track users on the Internet.
The paper also shows that this method of tracking works even if users use anti-tracking techniques. These include browsing in Incognito mode, using a VPN, clearing the browser cache or even using anti-tracking add-ons which prevent browser fingerprinting. Most browsers have fallen prey to this attack vector. A list of affected browsers along with their versions is given below.
The paper’s writers informed browser developers about the attack vector as a standard research practice. The developers at Brave fixed how the F-cache functions, protecting users from the attack. Firefox was also protected from the attack, as the browser requests Favicons even if they are cached in the F-cache.
How does Favicon tracking work?
Taking inspiration from the research paper, Jonas Strehle, a German software developer, created a GitHub repository, supercookie, that shows how the attack can be implemented. Not only this, users can visit this website to witness the attack first-hand.
As mentioned earlier, your browser requests Favicons every time you visit a website for the first time. If you have visited a website before, Favicons are retrieved from the cache. This difference in request behaviour can identify users on the Internet.
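The request difference described above can be reproduced in a toy model with no networking. This is an added example, not code from the article, the paper or the supercookie repository; it compares an F-cache that survives clearing browsing data with the Firefox behaviour the article mentions and with an assumed fix that wipes the F-cache together with the normal cache. The host names, policy names and class are constructed for illustration.

```javascript
// Toy model, no networking: tracks only which hosts have an icon in the F-cache.
// Policy names are labels made up for this sketch, not browser settings.
const POLICY = {
  SEPARATE_FCACHE: "separate-fcache",       // F-cache survives clearing browsing data
  CLEARED_WITH_CACHE: "cleared-with-cache", // assumed fix: F-cache wiped with the HTTP cache
  ALWAYS_REFETCH: "always-refetch",         // icon requested even when cached (Firefox, per the article)
};

class BrowserModel {
  constructor(policy) {
    this.policy = policy;
    this.httpCache = new Set(); // ordinary cache, cleared by the user
    this.fCache = new Set();    // hosts whose favicon is stored locally
  }

  // Returns true when this visit produces a favicon request the server can see.
  visit(host, serverOffersIcon = true) {
    this.httpCache.add(host);
    const requested = !this.fCache.has(host) || this.policy === POLICY.ALWAYS_REFETCH;
    if (requested && serverOffersIcon) this.fCache.add(host);
    return requested;
  }

  clearBrowsingData() {
    this.httpCache.clear();
    if (this.policy === POLICY.CLEARED_WITH_CACHE) this.fCache.clear();
  }
}

const HOSTS = ["a.example.test", "b.example.test", "c.example.test"]; // constructed

// First session caches icons for a and c, the user clears browsing data, and the
// hosts are visited again. Result: per host, did the server see a favicon request?
function requestsAfterClear(policy) {
  const browser = new BrowserModel(policy);
  browser.visit(HOSTS[0]);
  browser.visit(HOSTS[2]);
  browser.clearBrowsingData();
  return HOSTS.map((host) => browser.visit(host, false));
}

// A fresh profile requests every icon, so any missing request reveals stored state.
function leaksPriorState(policy) {
  return requestsAfterClear(policy).some((requested) => !requested);
}

for (const policy of Object.values(POLICY)) {
  console.log(policy, requestsAfterClear(policy), "leaks:", leaksPriorState(policy));
}
```

Only the first policy produces a request pattern that differs from a fresh profile, which is why re-requesting icons or clearing the F-cache with the rest of the browsing data removes the signal.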
All in all, Favicon tracking is dangerous as it works even when users try to protect themselves by using anti-tracking techniques. That said, representatives from Google and Apple have mentioned that they are aware of the attack and are trying to fix the issue at hand.