I Always Feel Like Somebody’s Watching Me
Move over LSOs and get out of the way, super cookies: there’s a new way to track people’s movement on the internet that works on just about every browser. It’s those cute little favicons that appear just beside that HTTPS verification symbol and in your favourites, and they are now being used in tandem with other footprints you need to be aware of.
Ars Technica published a look at the findings of a group of security researchers that reveals how a couple of invisible redirections can allow a site to track billions of individual machines. To make the news even better, those little buggers are not stored in the same place as cookies or your history. The pièce de résistance is that the process by which your browser caches these favicons means you can still be tracked even if you are using your browser’s incognito mode: all your history is still intact and the private browsing session will be added to it.
Thanks to many sites having different favicons across the same domain, a couple of quick redirects between you clicking the link or bookmark and the site loading your requested page allows them to link a variety of computer fingerprints, such as your screen resolution, fonts, and software versions, to the combination of favicons displayed in those redirects. The article suggests 32 redirections are enough to uniquely identify 4.5 billion different browsers.
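A small model of why clearing cookies does not remove an identifier held in the favicon cache; this is an added example, not code from the article or the researchers. The `Browser` class, the `/hop/N` paths and the sample identifier are constructed, and the read step assumes the site infers each bit from whether a favicon request arrives during the redirects.

```python
# Constructed model of the browser state the post describes; no network code.
N_BITS = 32                                   # one redirect hop per identifier bit
HOPS = [f"/hop/{i}" for i in range(N_BITS)]   # hypothetical per-hop paths

class Browser:
    """Toy browser: cookies and the favicon cache are separate stores."""
    def __init__(self):
        self.cookies = {}
        self.favicon_cache = set()            # hops whose icon is already cached

    def clear_cookies(self):
        self.cookies.clear()                  # leaves favicon_cache untouched

    def clear_favicon_cache(self):
        self.favicon_cache.clear()

    def visit(self, path, icon_served):
        """Load one hop; return True if a favicon request reached the site."""
        if path in self.favicon_cache:
            return False                      # cache hit, nothing requested
        if icon_served:
            self.favicon_cache.add(path)
        return True

def write_id(browser, ident):
    """First visit: an icon is served only on hops whose bit is 1."""
    for i, path in enumerate(HOPS):
        browser.visit(path, icon_served=bool((ident >> i) & 1))

def read_id(browser):
    """Return visit: no icons served; a hop with no request is a cached 1 bit."""
    ident = 0
    for i, path in enumerate(HOPS):
        if not browser.visit(path, icon_served=False):
            ident |= 1 << i
    return ident

def survives(clear_step, ident=0xC0FFEE42):   # constructed sample identifier
    """Does the identifier come back after the given clearing step?"""
    b = Browser()
    b.cookies["session"] = "constructed"
    write_id(b, ident)
    clear_step(b)
    return read_id(b) == ident

if __name__ == "__main__":
    print("after clearing cookies:      ", survives(Browser.clear_cookies))
    print("after clearing favicon cache:", survives(Browser.clear_favicon_cache))
```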
At the moment Brave is secure from this tracking technique, and Firefox happens to be as well, due to an unpatched bug which breaks the use of favicons in this manner. As for the rest, we can hope for a quick patch to be released soon.
The prospect of Web users being tracked by the sites they visit has prompted several countermeasures over the years, including using Privacy Badger or an alternate anti-tracking extension, enabling private or incognito browsing sessions, or clearing cookies. Now, websites have a new way to defeat all three.