The tiny icons that appear at the start of browser tabs may be easy to ignore but they could be secretly tracking you across the internet.
That’s the opinion of German software designer Jonas Strehle, who has explored using favicons as part of a 'Supercookie' tracking method.
Perhaps most worrying of all, this method of tracking online users could be used to track an individual’s movements regardless of whether they have employed a business-grade VPN solution, are browsing in incognito mode, or have adopted other online privacy methods.
“A web server can draw conclusions about whether a browser has already loaded a favicon or not: So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made,” Strehle explained.
“If the icon already exists in the F-Cache, no further request is sent. By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.”
Fortunately, the tracking method examined by Strehle is just a proof-of-concept and no examples of the Supercookie mechanism have been discovered in the wild. Still, it demonstrates how the complexity that is now built into most modern web browsers can be hijacked by threat actors.
Researchers from the University of Illinois have come to a similar conclusion to Strehle and argue that changes to browsers’ favicon caching behavior should be implemented as soon as possible to limit its tracking potential. Currently, because favicons must be made easily accessible to the browser, they are stored in a separate local database, making them ideal pickings for rogue actors.
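The mechanism Strehle describes, and why the persistence of the favicon cache is the deciding factor, can be seen in a small in-memory model. This is an example added here, not Strehle's proof-of-concept code: the Browser and Server classes, the eight paths and the sample identifier are constructed for illustration, the cache being emptied between sessions is an assumed change in caching behavior, and no network traffic is involved.

```javascript
// Constructed model: one favicon per path, one bit of the identifier per path.
const BITS = 8;
const paths = Array.from({ length: BITS }, (_, i) => `/p${i}`);

// Browser model: the favicon cache ("F-cache") remembers which icons were delivered.
class Browser {
  constructor() { this.fcache = new Set(); }
  // Load every path; return the paths whose favicon had to be requested.
  visit(server) {
    const requested = paths.filter((p) => !this.fcache.has(p));
    for (const p of requested) {
      if (server.serveFavicon(p)) this.fcache.add(p); // only delivered icons are cached
    }
    return requested;
  }
}

// Server model: "write" delivers icons only for 1-bits, "read" only observes requests.
class Server {
  constructor() { this.mode = "read"; this.id = 0; }
  serveFavicon(path) {
    if (this.mode === "read") return false; // deliver nothing so the cache is unchanged
    return ((this.id >> paths.indexOf(path)) & 1) === 1;
  }
  write(browser, id) { this.mode = "write"; this.id = id; browser.visit(this); }
  read(browser) {
    this.mode = "read";
    const requested = new Set(browser.visit(this));
    if (requested.size === paths.length) return null; // every icon missing: no pattern stored
    // A path with no favicon request means the icon was cached, so that bit is 1.
    return paths.reduce((id, p, i) => (requested.has(p) ? id : id | (1 << i)), 0);
  }
}

function demo() {
  const server = new Server();
  const sampleId = 0b10110010; // constructed sample identifier

  const persistent = new Browser(); // favicon cache survives into the next session
  server.write(persistent, sampleId);
  const recovered = server.read(persistent);

  const isolated = new Browser();
  server.write(isolated, sampleId);
  isolated.fcache = new Set(); // assumed mitigation: favicon cache emptied between sessions
  const afterClear = server.read(isolated);

  return { recovered, afterClear };
}
```

With a persistent cache the server reads back the same identifier from the pattern of missing requests; once the cache is emptied, every favicon is requested again and no identifier can be reconstructed.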
Although privacy is becoming more important to many organizations, employee monitoring apps are still used by some firms and as many as one in five businesses have admitted to spying on employees while they work from home.
Via VICE