ProphetPX 1 Posted ...

Web Browser FAVICON "SuperCookies" can TRACK people with UNIQUE IDs and BYPASS VPN protections
https://it.slashdot.org/story/21/02/09/1920256/browser-favicons-can-be-used-as-undeletable-supercookies-to-track-you-online

I do not think AirVPN currently has a web browser add-on or plugin. And I do not know of any others that offer protection against this "new" TECH of FavIcon supercookies which use a UNIQUE ID to track people browsing on the web. So now what do we do?

Quote:

According to a researcher, favicons can be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online. From a report:

The tracking method is called a Supercookie, and it's the work of German software designer Jonas Strehle. "Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user," Strehle said on his Github. "The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers."

Strehle's Github explained that he became interested in the idea of using favicons to track users after reading a research paper [PDF] on the topic from the University of Illinois at Chicago. "The complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries," the paper explained. "In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons."

To be clear, this is a proof-of-concept and not something that Strehle has found out in the wild.
OpenSourcerer 1435 Posted ...

I don't see it bypassing VPN protections as it does nothing to packet security and integrity, so mind your words. At first glance, while the concept of supercookies is not, using favicons is rather new to me.

17 hours ago, ProphetPX said:
    So now what do we do?

Don't lose your mind, that's very important. There is no protection now, but there's also no attacker now.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.
Staff 9973 Posted ...

Hello!

Well, saying that favicons are "undeletable" is a tiny overstatement. They are not written once and for all in a PROM. 😋

Check where your browser keeps favicons and delete them, when it's not possible to reject them trivially in the browser's settings. For example, the latest Firefox releases can't be configured not to ask for favicons (in the past, that was possible). Firefox and Thunderbird keep an SQLite db for them in your profile. For example:

    $ find ~ -type f -name '*avicon*'
    /home/myuser/.mozilla/firefox/blabla.default-release/favicons.sqlite
    /home/myuser/.mozilla/firefox/blabla.default-release/favicons.sqlite.wipemeoutbeforeyougogo
    /home/myuser/.mozilla/firefox/blabla.default-release/favicons.sqlite-wal
    /home/myuser/.thunderbird/blabla.default/favicons.sqlite
    /home/myuser/.thunderbird/blabla.default/favicons.sqlite-wal

But check the cache too just in case (and incidentally remember that Tor browser does NOT block favicons and that Firefox actually issues requests to re-fetch favicons that are already present in the cache.) To be clearer, currently you are already protected against favicon-based tracking & fingerprinting if you run Firefox or the Tor browser:
https://tor.stackexchange.com/questions/21940/will-tor-block-favicons-by-default

While Firefox and Thunderbird don't run, rename those files for your tests, nuke the cache, and you'll see that nothing breaks except favicons (but verify by yourself). You can also inspect the db to check more thoroughly, and you can keep a script that "takes care" of them whenever you need it.

A quick and dirty solution is also creating a new account, doing what you need to do in single or selected web sites (with Tor browser or anyway without allowing scripts if necessary, and following identity separation and any other good practice), and wiping it out after usage.

Kind regards
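One way to write the script the post above mentions, as an added example that is not part of the original thread or AirVPN's own code: it renames the favicon databases under a profile root while the applications are closed, so the files can be restored if something breaks. The process names, the `--apply` switch and the `.disabled` suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example: rename Firefox/Thunderbird favicon databases so the
# application starts with an empty favicon store (reversible by renaming back).
# Assumed: the process names below and the ".disabled.<timestamp>" suffix.

SUFFIX=".disabled.$(date +%Y%m%d%H%M%S)"

# Return 0 if any of the given process names is currently running.
any_running() {
    for name in "$@"; do
        pgrep -x "$name" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Print the favicon DB and its SQLite WAL/SHM companion files under a root.
list_favicon_dbs() {
    [ -d "$1" ] || return 0
    find "$1" -type f \( -name 'favicons.sqlite' \
        -o -name 'favicons.sqlite-wal' -o -name 'favicons.sqlite-shm' \)
}

# Rename every favicon DB file under a root; print how many were renamed.
quarantine_favicons() {
    list_favicon_dbs "$1" | {
        n=0
        # Profile paths may contain spaces, so read one path per line.
        while IFS= read -r f; do
            mv -- "$f" "$f$SUFFIX" && n=$((n + 1))
        done
        echo "$n"
    }
}

# With --apply, process the profile roots shown in the post's find output.
if [ "${1:-}" = "--apply" ]; then
    if any_running firefox firefox-esr thunderbird; then
        echo "Close Firefox and Thunderbird first." >&2
        exit 1
    fi
    for root in "$HOME/.mozilla/firefox" "$HOME/.thunderbird"; do
        echo "$root: $(quarantine_favicons "$root") file(s) renamed"
    done
fi
```

The browser cache is stored separately and is not touched by this script.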
Staff 9973 Posted ...

On 2/10/2021 at 6:45 AM, ProphetPX said:
    I do not think AirVPN currently has a web browser add-on or plugin. And I do not know of any others that offer protection against this "new" TECH of FavIcon supercookies which use a UNIQUE ID to track people browsing on the web. So now what do we do?

Hello!

Just use Brave, Firefox or the Tor Browser (Tor browser appears as the best choice):
https://tor.stackexchange.com/questions/21940/will-tor-block-favicons-by-default

EDIT: also avoid browsing via Thunderbird. See also the previous message.

Kind regards
Staff 9973 Posted ...

On 2/11/2021 at 12:40 AM, OpenSourcerer said:
    There is no protection now, but there's also no attacker now.

Hello!

This is incorrect, Tor Browser has been protecting you against this attack for years. Currently, Brave and Firefox are quite effective, according to the paper itself. However, the author considers Firefox's ability to make the attack fail as a side effect of a bug.

The attack itself is quite well known, although in the recent past it focused on big LSOs spread throughout various HDD locations and not trivially erasable by the average user to be more effective, because Flash was used by the majority of users.

Kind regards
ProphetPX 1 Posted ...

Wow man, I LOVE Smart People -- you guys are great!!

But when you say to run Firefox, does that mean ONLY in Incognito mode? Or can it be run WITHOUT Incognito mode and yet STILL be "SAFE" against this kind of attack?

Because as a side example, it has been proven (sorry, I saw the headline but cannot cite the source right now) that Google Chrome browser ALSO STILL TRACKS people ... and Google is the one still doing the tracking, even in and during their own "privacy" feature. I hardly ever use Chrome (NOR the new MS Edge/chromium browsers either).

So is Mozilla also being evil and tracking me like Google does in Chrome, but just using Favicons??
Staff 9973 Posted ...

@ProphetPX

Hello!

Firefox is immune even in "normal" mode because it re-issues requests for Favicons even when they are cached, so it smashes the attack down very radically. According to the paper author this is a bug, but call it a bug or a feature, Firefox is not vulnerable.

About Google Chrome tracking techniques, as well as Google's pervasive tracking and profiling... we'll leave this relatively complex and very broad matter to the community. It has been discussed in the community forums in the past as well, if we are not mistaken.

Kind regards