Favicons are incredibly useful for users, but the way they function can pose a privacy problem. New research shows favicons can bypass VPNs and other activity cloaking services.
The idea of a tabbed user interface (UI) has been around for decades, including inside lesser-known web browsers. But it wasn’t until Safari (2003) and Internet Explorer 7 (2006) were released that the common internet user became familiar with tabs. Now, instead of having 85 internet windows open, we have maybe two or three windows, each with 85 tabs on them. So how do we tell what each tab is and what we might have been using it for? Enter favicons, tiny logos in the corner of each tab to identify what website is on that page.
This is a good thing, right? It helps us keep track of what we are doing without having to click on each tab and wait for the page to reload. Most of us would agree that it simplifies our workday and helps us organize our tasks. The problem is, favicons can pose a security problem. Is nothing sacred? They could potentially let websites track your movement regardless of how you are browsing. Meaning a VPN doesn’t matter, incognito mode doesn’t matter, private mode doesn’t matter, any other way you might try to cloak your internet activity doesn’t matter. Your activity can be tracked by a Supercookie.
German software designer Jonas Strehle got the idea for researching favicons for tracking users after he read a research paper.
“The favicons must be made very easily accessible by the browser. Therefore, they are cached in a separate local database on the system, called the favicon cache (F-Cache).
“When a user visits a website, the browser checks if a favicon is needed by looking up the source of the shortcut icon link reference of the requested webpage. The browser initially checks the local F-cache for an entry containing the URL of the active website. If a favicon entry exists, the icon will be loaded from the cache and then displayed. However, if there is no entry, for example because no favicon has ever been loaded under this particular domain, or the data in the cache is out of date, the browser makes a GET request to the server to load the site’s favicon.
By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.”Strehle’s GitHub
For research purposes, Strehle set up a website that shows how easy it is to track a user online with a favicon. He’s also included an explanation of how supercookies work.
The biggest concern with this is how it bypasses methods used to mask internet activity. VPNs, dark mode, incognito mode, private mode, whatever method is being used is easily circumvented by the favicon. It is important to remember, though, that this is research. It’s proof-of-concept, this has not yet been seen in the wild. At least, as far as we know.
The other consideration with favicon being able to bypass those methods is if a threat actor can figure out how to exploit that access and do bad things. If they figure out a way to bypass VPNs, for instance, businesses worldwide will have to make some serious adjustments to their security protocols. Thankfully, that hasn’t happened, and VPNs have been around for a long time. For now, it’s up to the browsers to make adjustments. There are many privacy implications with this type of tracking, and until a fix is implemented, there will be some who will gather this information and use it to their ends.
For business leaders, your main goal in regard to this matter is to keep an eye out for a fix. As soon as it’s released, every browser on your system needs to be updated. Remember, it can’t wait. If you don’t fix it and a threat actor somehow figures out how to exploit this issue, your business is on the hook. Have a plan in place so that when the fix is rolled out, your team can get started as soon as possible.