Jump to content
Not connected, Your IP: 3.235.41.241
ProphetPX

Web Browser FAVICON "SuperCookies" can TRACK people with UNIQUE IDs

Recommended Posts

Web Browser FAVICON "SuperCookies" can TRACK people with UNIQUE IDs and BYPASS VPN protections
https://it.slashdot.org/story/21/02/09/1920256/browser-favicons-can-be-used-as-undeletable-supercookies-to-track-you-online

i do not think AirVPN does currently has a web browser add-on or plugin. And I do not know of any others that offer protection against this "new" TECH of FavIcon supercookies which use a UNIQUE ID to track people browsing on the web.

So now what do we do?
 

Quote

According to a researcher, favicons can be a security vulnerability that could let websites track your movement and bypass VPNs, incognito browsing status, and other traditional methods of cloaking your movement online. From a report: The tracking method is called a Supercookie, and it's the work of German software designer Jonas Strehle. "Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user," Strehle said on his Github. "The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers."

Strehle's Github explained that he became interested in the idea of using favicons to track users after reading a research paper [PDF] on the topic from the University of Illinois at Chicago. "The complexity and feature-rich nature of modern browsers often lead to the deployment of seemingly innocuous functionality that can be readily abused by adversaries," the paper explained. "In this paper we introduce a novel tracking mechanism that misuses a simple yet ubiquitous browser feature: favicons." To be clear, this is a proof-of-concept and not something that Strehle has found out in the wild.


 

Share this post


Link to post

I don't see it bypassing VPN protections as it does nothing to packet security and integrity, so mind your words.
At first glance, while the concept of supercookies is not, using favicons is rather new to me.
 

17 hours ago, ProphetPX said:

So now what do we do?


Don't lose your mind, that's very important. There is no protection now, but there's also no attacker now. ;)

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

Hello!

Well, saying that favicons are "undeletable" is a tiny overstatement. They are not written once and for all in a PROM. 😋

Check where your browser keeps favicons and delete them, when it's not possible to reject them trivially in browser's settings. For example, latest Firefox releases can't be configured to not to ask for favicons (in the past, that was possible). Firefox and Thunderbird keep an SQLite db for them in your profile. For example:

$ find ~ -type f -name '*avicon*'  
/home/myuser/.mozilla/firefox/blabla.default-release/favicons.sqlite
/home/myuser/.mozilla/firefox/blabla.default-release/favicons.sqlite.wipemeoutbeforeyougogo
/home/myuser/.mozilla/firefox/blabla.default-release/favicons.sqlite-wal
/home/myuser/.thunderbird/blabla.default/favicons.sqlite
/home/myuser/.thunderbird/blabla.default/favicons.sqlite-wal


But check the cache too just in case (and incidentally remember that Tor browser does NOT block favicons and that Firefox actually issues requests to re-fetch favicons that are already present in the cache.)
 

to be clearer, currently you are already protected against favicons based tracking & fingerprinting if you run Firefox or the Tor browser


https://tor.stackexchange.com/questions/21940/will-tor-block-favicons-by-default

While Firefox and Thunderbird don't run, rename those files for your tests, nuke the cache, and you'll see that nothing breaks except favicons (but verify by yourself). You can also inspect the db to check more thoroughly, and you can to keep a script that "takes care" of them whenever you need it.

A quick and dirty solution is also creating a new account, do what you need to do in single or selected web sites (with Tor browser or anyway without allowing scripts if necessary, and following identity separation and any other good practice), and wipe it out after usage.

Kind regards

 

Share this post


Link to post
On 2/10/2021 at 6:45 AM, ProphetPX said:


i do not think AirVPN does currently has a web browser add-on or plugin. And I do not know of any others that offer protection against this "new" TECH of FavIcon supercookies which use a UNIQUE ID to track people browsing on the web.

So now what do we do?
 


 


Hello!

Just use Brave, Firefox or the Tor Browser (Tor browser appears as the best choice):
https://tor.stackexchange.com/questions/21940/will-tor-block-favicons-by-default

EDIT: also avoid to browse via Thunderbird.

See also the previous message.

Kind regards
 

Share this post


Link to post
On 2/11/2021 at 12:40 AM, OpenSourcerer said:

There is no protection now, but there's also no attacker now. ;)


Hello!

This is incorrect, Tor Browser has been protecting you against this attack since years ago. Currently, Brave and Firefox are quite effective, according to the paper itself. However, the author considers Firefox ability to make the attack fail as a side effect of a bug.

The attack itself is quite well known, although in the recent past it focused on big LSOs spread throughout various HDD locations and not trivially erasable by the average user to be more effective, because Flash was used by the majority of users.

Kind regards
 

Share this post


Link to post
Posted ... (edited)

wow man i LOVE Smart People -- you guys are great!!   But when you say to run Firefox, does that mean ONLY in Incognito mode? Or can it be run WITHOUT Incognito mode and yet STILL be "SAFE" against this kind of attack?

Because as a side example, it has been proven (sorry i saw the headline but cannot cite source right now)  that Google Chrome browser ALSO STILL TRACKS people ... and Google is the one still doing the tracking, even in and during their own "privacy" feature.  I do not hardly ever use Chrome (NOR the new MS Edge/chromium browsers either).

So is Mozilla also being evil and tracking me like Google does in Chrome, but just using Favicons??

 

Edited ... by ProphetPX
oops forgot some things

Share this post


Link to post
@ProphetPX

Hello!

Firefox is immune even in "normal" mode because it re-issues requests for Favicons even when they are cached, so it smashes the attack down very radically. :)

According to the paper author this is a bug, but call it a bug or a feature, Firefox is not vulnerable.

About Google Chrome tracking techniques, as well as Google pervasive tracking and profiling... we'll leave this relatively complex and very broad matter to the community. It has been discussed in the community forums in the past as well, if we are not mistaken.

Kind regards





 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...