Web Tracking Using Favicons

Four researchers from the University of Illinois at Chicago have found a way to track users using Favicons.

---

In a paper that was published in early 2021, researcher Konstantinos Solomos, John Kristoff, Chris Kanich and Jason Polakis discovered a way to track users using favicons.

Every time you visit a website, part of the request includes a favicon, which are small images used typically to display a page icon in your browser tab. The paper found that “a website can track users across browsing sessions by storing a tracking identifier as a set of entries in the browser’s dedicated favicon cache, where each entry corresponds to a specific sub-domain.”

“In subsequent user visits the website can reconstruct the identifier by observing which favicons are required by the browser while the user is automatically and rapidly directed through a series of subdomains.”

It turns out, users cannot clear the favicon cache by deleting their browsing history, and can still be tracked if they are using VPN or browsing through icognito mode.

The researchers found this attack affects all browsers, which includes Chrome and Safari.

The paper is titled, Tales of FAVICONS and Caches: Persistent Tracking in Modern Browsers and it’s worth a read. YouTuber censiCLICK has made a 5 minute video that explains the threat in a easier to understand format that can be watched below.