For years, cookies have been the tool developers and advertisers use to understand users and their preferences. That is becoming harder, however, as browsers block them and users can opt out of being tracked. The solution? Alternative methods, some as ingenious as using a website's favicon to track the user.
Google has announced the end of cookies in Chrome, Firefox blocks them by default, and Apple already blocks any type of cross-site cookie tracking on its devices. Other browsers are doing the same. These changes are prompting a search for alternatives, some official and backed by the companies, others not so much. Recently published research demonstrates a curious method of tracking the user: the icon of web pages.
The (seemingly harmless) icons on web pages: an alternative to cookies
Favicons are the small icons of web pages that appear in browser tabs and in the favorites or bookmarks list, for example. The Technoeager tab in the browser, for instance, shows a red T similar to the full brand logo. These icons are intended to make a website easier to identify visually, but that is not the only job they can do.
As software designer Jonas Strehle showed in a proof of concept posted on GitHub, this icon can be used to identify a user. Unlike traditional cookies, this method is not affected by content blockers, VPNs, incognito mode or settings that ask not to be tracked.
Essentially, the method takes advantage of the favicon cache. By default, the browser saves the icon in a folder on the device the first time you access a web page. That way it does not have to download the icon again the next time you visit the site; it only has to check whether the icon is already stored.
According to the research, since the web server can check whether or not the favicon is stored in the user's local folder … it can also know which web pages the user visits and when. With each visit to a page, the server can tell whether the user has been there before or whether it is the first time, and so build up a browsing history.
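The caching behaviour described above can be modeled without any network traffic. The following is an added example, not code from the article or from the Supercookie project: ModelBrowser, serverView and the site.example origin are hypothetical names, and the favicon cache is assumed to be a store that clearing cookies does not touch.

```javascript
// Simulation only: no real browser, no network. All names are hypothetical.
class ModelBrowser {
  constructor() {
    this.cookies = new Map();      // per-origin cookies, cleared by the user
    this.faviconCache = new Set(); // origins whose icon is already stored
  }
  // One page visit; returns what the server would observe for it.
  visit(origin, path) {
    const observed = {
      path,
      cookie: this.cookies.get(origin) || null,
      // The icon is only fetched when it is not in the local cache.
      faviconRequested: !this.faviconCache.has(origin),
    };
    this.faviconCache.add(origin);
    this.cookies.set(origin, "seen=1"); // modeled Set-Cookie from the server
    return observed;
  }
  clearCookies() { this.cookies.clear(); }
  clearFaviconCache() { this.faviconCache.clear(); }
}

// What each signal tells the server about a single visit.
function serverView(observed) {
  return {
    path: observed.path,
    cookieSaysReturning: observed.cookie !== null,
    faviconSaysReturning: !observed.faviconRequested,
  };
}

function runScenario() {
  const browser = new ModelBrowser();
  const origin = "https://site.example"; // constructed origin
  const log = [];
  log.push(serverView(browser.visit(origin, "/")));     // genuine first visit
  browser.clearCookies();                               // user wipes cookies only
  log.push(serverView(browser.visit(origin, "/news"))); // cookie gone, icon cached
  browser.clearCookies();
  browser.clearFaviconCache();                          // both stores wiped
  log.push(serverView(browser.visit(origin, "/")));     // looks new again
  return log;
}

console.log(runScenario());
```

The second visit is the case the article is about: the cookie signal is gone, yet the missing favicon request still marks the visitor as returning. Only emptying the favicon cache itself resets that signal in this model.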
These seemingly harmless icons are further proof that ingenuity is one of the few limits in the world of software and security. We have also previously seen how a third party can tell whether you are browsing incognito just by looking at the data write speed. Google, for its part, says that it already has an alternative that is almost as efficient.
More information | Supercookie