20 votes

Browser ‘favicons’ can be used as undeletable ‘supercookies’ to track you online

8 comments

  1. [2]
    petrichor
    Those aforementioned researchers at the University of Illinois tried to trick Mozilla developers into making Firefox vulnerable.

    More discussion is available at Hacker News, for those interested.

    17 votes
    1. cfabbro
      (edited)
      Oof. If that is true, that is pretty despicable. The Bugzilla report was submitted by Kostas Solomos, and one of the authors of the paper is listed as Konstantinos Solomos.... so it definitely seems to be the case, and calls into question their supposed findings of Firefox being vulnerable. It also might explain why the paper suddenly disappeared from cs.uic.edu too.

      edit: When I ran the supercookie demo myself several times, I got the same ID each time, so it does actually seem to be working to some degree. However, when I ran it in private browsing and also after I cleared my cache I got different IDs, so at least some of their claims about the f-cache supercookie's persistence are demonstrably false.

      14 votes
  2. [3]
    Pun
    What surprised me is how such a seemingly innocuous feature could be used for tracking, let alone bypassing VPNs. Is this yet another browser fingerprinting technique or something more significant?

    I've heard that Vice might not be the highest quality source for technology articles (correct me if I'm wrong), but they did quote a research paper and the creator of the supercookie.

    Another off-topic aside: I've never seen the title of a scientific paper stylised like that before.

    8 votes
    1. cfabbro
      (edited)
      Edit: See @petrichor's comment, since it adds some details that VICE missed, and calls into question the veracity of the researchers' claims.

      I'm really not a fan of VICE, especially their political reporting, but IMO this article seems sound enough.

      Links, for those curious about the f-cache supercookie:
      GitHub: https://github.com/jonasstrehle/supercookie
      Demo: https://demo.supercookie.me/
      Paper (cache, since it was deleted): https://webcache.googleusercontent.com/search?q=cache:Oth9lKVEmNEJ:https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf

      6 votes
    2. post_below
      There are all sorts of ways to identify a user across sessions with reasonable accuracy. So in that sense the hype isn't warranted.

      This is a creative way to do it though, they deserve credit for coming up with it, and publishing it so browser makers can fix it.

      2 votes
  3. [3]
    Gub
    If this were to happen, wouldn't Mozilla or an add-on developer make a script to clear the favicon f-cache automatically?

    3 votes
    1. [2]
      Pun
      That's what I was wondering, too. What have browsers tried to do to mitigate fingerprint surveillance? Can they stop sharing the information about the browser without breaking websites on the users' end?

      Whatever they try to do to protect the users' identity, advertising companies find new ways to identify the user. I feel like this cat and mouse game won't end without some laws preventing the snooping.

      3 votes
      1. NoblePath
        Laws won’t stop the snooping. What we need instead are laws with stiff civil and criminal penalties for misuse of the data acquired (including losing it in a data breach).

        4 votes