Favicons can be used as supercookies

Favicons (favorite icons) are the small images, usually a logo, that each browser displays in bookmarks and on open tabs so that the corresponding site can be identified. A security researcher has discovered that these icons can be used to track the user while browsing. The researcher calls the technique Supercookie.

Big vulnerability in small images

Favicons are small .ico images (usually 16 × 16 or 32 × 32 pixels) that the browser loads from the server hosting the site, which references them through an attribute inserted in the head of the web page. Favicons must be easily accessible to the browser, so they are stored in a dedicated cache, the F-Cache, whose entries include the URL, the favicon ID and the lifetime.

When a user visits a website, the browser loads the favicon from the local F-Cache. If no entry exists, the browser makes a request to the server. Each of these requests can be assigned a unique identifier that makes it possible to track the browser, and therefore the user. The vulnerability is present in all major browsers.

The problem is that this "supercookie" is persistent and cannot be easily deleted by the user. The tracking method also works if private browsing (anonymous or incognito) is used and if the fingerprinting blocking feature is enabled. Installing an ad blocker or a VPN does not help either.

The only way to avoid tracking is to change how the F-Cache works. The researcher published the source code of the tracking technique on GitHub. A demo shows how the browser's unique identifier is generated.
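The following toy model is an added illustration, not the researcher's code or any browser's implementation. It shows why F-Cache state stays visible to a server after cookies are cleared and a private session is opened, and how an F-Cache that is kept separate for private sessions (an assumed form of the change mentioned above) removes that signal. All class names, function names and URLs are hypothetical.

```javascript
// Toy model of a favicon cache (F-Cache). Constructed example: names,
// URLs and the lifetime value are hypothetical, not taken from a browser.
const LIFETIME = 1000; // constructed lifetime, arbitrary time units

class FCache {
  constructor() { this.entries = new Map(); this.nextId = 1; } // url -> entry
  has(url, now) {
    const e = this.entries.get(url);
    return e !== undefined && e.expires > now; // expired entries count as absent
  }
  store(url, now) {
    this.entries.set(url, { faviconId: this.nextId++, expires: now + LIFETIME });
  }
}

class Browser {
  // isolatePrivate=false: one F-Cache for every session (behaviour the page describes).
  // isolatePrivate=true: assumed mitigation, private sessions start with an empty F-Cache.
  constructor(isolatePrivate) {
    this.isolatePrivate = isolatePrivate;
    this.cache = new FCache();
    this.cookies = new Map();
  }
  session(privateMode) {
    return {
      cache: privateMode && this.isolatePrivate ? new FCache() : this.cache,
      cookies: privateMode ? new Map() : this.cookies,
    };
  }
  clearCookies() { this.cookies.clear(); } // does not touch the F-Cache
}

// Visit a page that references `urls` and return the favicon requests the
// server receives. A URL missing from the result was answered from the
// F-Cache, so state from an earlier session is observable server-side.
function visit(session, urls, now) {
  const requested = urls.filter((u) => !session.cache.has(u, now));
  requested.forEach((u) => session.cache.store(u, now));
  return requested;
}

// Number of favicon URLs whose cached state survives cookie clearing and a
// switch to private mode, as seen from the server.
function survivingEntries(isolatePrivate, revisitAt) {
  const urls = ["https://site.example/a/favicon.ico", "https://site.example/b/favicon.ico"];
  const browser = new Browser(isolatePrivate);
  visit(browser.session(false), urls, 0); // normal session fills the F-Cache
  browser.clearCookies();                 // user clears cookies
  return urls.length - visit(browser.session(true), urls, revisitAt).length;
}
```

In this model the shared cache leaves both entries observable in the private session, the isolated cache leaves none, and entries also stop being observable once their lifetime has passed.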

Source: GitHub