These tiny icons could be tracking you across the internet


The tiny icons that appear at the start of browser tabs may be easy to ignore, but they could be secretly tracking you across the internet.

That’s the opinion of German software designer Jonas Strehle, who has explored using favicons as part of a 'Supercookie' tracking method.

Perhaps most worrying of all, this method could be used to track an individual’s movements regardless of whether they have employed a business-grade VPN solution, are browsing in incognito mode, or are adopting other online privacy methods.

“A web server can draw conclusions about whether a browser has already loaded a favicon or not: So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made,” Strehle explained.

“If the icon already exists in the F-Cache, no further request is sent. By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.”

Privacy problems

Fortunately, the tracking method examined by Strehle is just a proof-of-concept and no examples of the Supercookie mechanism have been discovered in the wild. Still, it demonstrates how the complexity that is now built into most modern web browsers can be hijacked by threat actors.

Researchers from the University of Illinois have come to a similar conclusion to Strehle and argue that changes to browsers’ favicon caching behavior should be implemented as soon as possible to limit its tracking potential. Currently, because favicons must be made easily accessible to the browser, they are stored in a separate local database, making them ideal pickings for rogue actors.
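The mechanism Strehle describes, and the effect of the caching change the researchers call for, can be seen in a small in-memory model. This is an added example, not Strehle's proof-of-concept code; the class and function names, the 8-bit identifier width, and the per-session cache isolation standing in for a browser fix are assumptions.

```javascript
// Added illustration: in-memory model only, no network code.
// Browser, assignId, readId and PATHS are hypothetical names.
const BITS = 8;
const PATHS = Array.from({ length: BITS }, (_, i) => `/p${i}`);

class Browser {
  constructor({ isolateFaviconCache = false } = {}) {
    // Assumed mitigation: the F-cache is not carried across sessions.
    this.isolate = isolateFaviconCache;
    this.fCache = new Set();
  }
  // Models clearing cookies, opening incognito or switching VPN exit.
  newSession() {
    if (this.isolate) this.fCache = new Set();
  }
  // Visit a path; returns true if a favicon request reached the server.
  visit(path, serverDelivers) {
    if (this.fCache.has(path)) return false;         // icon cached: no request
    if (serverDelivers(path)) this.fCache.add(path); // delivered icons are cached
    return true;
  }
}

// Write phase: the favicon is delivered only on paths whose bit is 1.
function assignId(browser, id) {
  PATHS.forEach((p, i) => browser.visit(p, () => ((id >> i) & 1) === 1));
}

// Read phase: nothing is delivered (assumption: this keeps the cache state
// unchanged), and "no favicon request seen" is read as bit 1.
function readId(browser) {
  return PATHS.reduce(
    (id, p, i) => (browser.visit(p, () => false) ? id : id | (1 << i)), 0);
}

// Assign a constructed sample ID, start a new session, read it back.
function demo(isolate) {
  const b = new Browser({ isolateFaviconCache: isolate });
  assignId(b, 0b10110010);
  b.newSession();
  return readId(b);
}

console.log("shared F-cache   :", demo(false).toString(2).padStart(BITS, "0"));
console.log("isolated F-cache :", demo(true).toString(2).padStart(BITS, "0"));
```

With a shared F-cache the identifier survives the new session; with the cache isolated every favicon is requested again, so the returning browser is indistinguishable from a first-time visitor.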

Although privacy is becoming more important to many organizations, employee monitoring apps are still used by some firms and as many as one in five businesses have admitted to spying on employees while they work from home.


Barclay Ballard
