2 min

The hack works even when users flush caches or go incognito.

For years, Intewrnet users have used a variety of tools to defend against websites tracking them. For example, they use anti-tracking browsing extensions, or they enable private or incognito browsing sessions, or they just clearing cookies and cache.

However, researchers have now found a way in which websites can evade all these countermeasures.

Favicons provide “a powerful tracking vector”

Researchers from the University of Illinois, Chicago have found a way in which websites can leverages favicons to create what they call a “powerful tracking vector.” Favicons are the tiny icons that websites display in browser tabs and bookmark lists. Websites use these small icons as a seemingly harmless branding method.

According to the paper published by the researchers Konstantinos Solomos, John Kristoff, Chris Kanich, and Jason Polakis, favicons are now dangerous. They have found that most browsers cache the favicon images in a location different from the ones used to store site data, browsing history, and cookies.

Websites who want to track visitors can leverage this fact by loading a series of favicons on visitors’ browsers that uniquely identify them.

“Overall, while favicons have long been considered a simple decorative resource supported by browsers to facilitate websites’ branding,” the researchers explain. “Our research demonstrates that they introduce a powerful tracking vector that poses a significant privacy threat to users,” they said.

Big Tech searches for a fix

The attack works against Chrome, Safari, Edge, and until recently Brave. That browser has developed an effective countermeasure after receiving a private report from the researchers.

Mozilla’s Firefox would also be susceptible to the technique, but currently there is a bug that prevents the favicon attack from working.

A Google spokesman told Ars Tecnicha the company is aware of the research and is working on a fix. An Apple representative, meanwhile, said the company is looking into the findings.

Until the browser providers develop fixes for this threat, users who want to protect themselves from tracking should try disabling the use of favicons.