supercookie

Favicons are used to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost permanently and cannot be easily cleared by the user. The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser, restarting the operating system, using a VPN, or installing adblockers. 🍿 Live Demo

This is for educational and demonstration purposes only!

The purpose of publishing the source code of this repository along with the "Supercookie" demo is to draw attention to the problem of tracking users by means of favicons.

📕 Full Document
requirements: docker daemon

- clone repository

  ```sh
  git clone https://github.com/jonasstrehle/supercookie
  ```

- update the .env file in supercookie/server/.env

  ```sh
  HOST_MAIN=yourdomain.com #or localhost:10080
  PORT_MAIN=10080
  HOST_DEMO=demo.yourdomain.com #or localhost:10081
  PORT_DEMO=10081
  ```

- run container

  ```sh
  cd supercookie/server
  docker-compose up
  ```

  -> The webserver will run on https://yourdomain.com
requirements: node.js

- clone repository

  ```sh
  git clone https://github.com/jonasstrehle/supercookie
  ```

- update the .env file in supercookie/server/.env

  ```sh
  HOST_MAIN=localhost:10080
  PORT_MAIN=10080
  HOST_DEMO=localhost:10081
  PORT_DEMO=10081
  ```

- run service

  ```sh
  cd supercookie/server
  node --experimental-json-modules main.js
  ```

  -> The webserver will run on http://localhost:10080
Modern browsers offer a variety of features to improve and simplify the user experience. One of these features is the so-called favicon: a small (usually 16×16 or 32×32 pixel) logo that web browsers use to brand a website in a recognizable way. Most browsers show the favicon next to the page name in the address bar and in the list of bookmarks.

To serve a favicon on a website, the developer must include a link tag in the head of the webpage. If this tag is present, the browser requests the icon from the given source and displays it if the server response contains a valid icon file that can be rendered properly. In any other case, a blank favicon is shown.

```html
<link rel="icon" href="/favicon.ico" type="image/x-icon">
```

The favicon should be very quickly accessible to the browser. Therefore favicons are cached in a separate local database on the system, called the favicon cache (F-cache). F-cache entries include the URL visited (subdomain, domain, root, URL parameters), the favicon ID, and a time to live (TTL). While this gives web developers the ability to distinguish parts of their website with different icons for individual routes and subdomains, it also leads to a potential tracking scenario.
When a user visits a website, the browser checks whether a favicon is required by looking at the source of the shortcut icon link reference of the requested webpage. The browser initially checks the local F-cache for an entry containing the URL of the active website. If the favicon entry exists, the icon will be loaded from the cache and then displayed. However, if there is no entry, for example because no favicon has ever been loaded under this particular domain, or the data in the cache is out of date, the browser makes a GET request to the server to load the site’s favicon.
This document describes a potential threat model that allows a web server to assign a unique identifier to each browser, draw conclusions about the user, and re-identify that user even when anti-fingerprinting measures such as VPN use, deletion of cookies, deletion of the browser cache, or manipulation of client header information are applied.

A web server can tell whether the browser has already loaded a favicon: when the browser requests a web page and the favicon is not in the local F-cache, a second request for the favicon follows. If the icon already exists in the F-cache, no further request is sent. By combining the states "delivered" and "not delivered" of favicons for specific URL paths, the server can assign a unique pattern (identification number) to the client. When the website is loaded again, the web server can reconstruct the identification number from the network requests the client sends for the favicons that are missing from its cache, and thus identify the browser.
| | traditional cookies | supercookie |
|---|---|---|
| Identification accuracy | | 100% |
| Incognito/private mode detection | | yes |
| ID remains persistent even after flushing cache and cookies | | yes |
| Identify multiple windows | | |
| Works with anti-tracking software | | yes |
All major browsers (Chrome, Firefox, Safari, Edge) are susceptible to this attack scenario. Mobile browsers are also affected.
| browser | Windows | Mac OS | Linux | iOS | Android | Information |
|---|---|---|---|---|---|---|
| Chrome (v 111.0) | | | | | | |
| Safari (v 14.0) | | | | | | |
| Edge (v 87.0) | | | | | | |
| Firefox (v 86.0) | | | | | | Fingerprint variation in incognito mode |
| Brave (v 1.19.92) | | | | | | |

| browser | Windows | Mac OS | Linux | iOS | Android | Information |
|---|---|---|---|---|---|---|
| Brave (v 1.14.0) | | | | | | |
| Firefox | | | | | | |
This attack can be scaled almost arbitrarily by varying the number of bits, which corresponds to the number of redirects over the subpaths. This makes it possible to distinguish 2^N unique users, where N is the number of redirects on the client side. As the number of unique clients grows, the time taken for read and write operations grows as well.

To keep the number of redirects as small as possible, N can be chosen dynamically. More about it here.
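To make the write/read phases concrete, here is an added model in Python (not code from the supercookie repository) of the F-cache side channel described above. It assumes one subpath per bit (`/0` .. `/N-1`) and that the server answers a favicon request with 404 to leave a 0 bit uncached; those details and all values are constructed for the model.

```python
# Added example (not code from the supercookie repository): a self-contained model
# of the favicon-cache (F-cache) side channel. The browser's F-cache is modelled as
# the set of subpaths whose icon was cached. The server writes an N-bit ID by
# answering the favicon request on subpath i with an icon only when bit i is 1,
# and reads it back by noting which subpaths no longer trigger a favicon request.
# Subpath naming and the 404 convention are assumptions; there is no network here.

def browser_visit(fcache: set, subpath: str) -> bool:
    """Model of the browser's lookup: True if a favicon GET is sent (no F-cache
    entry for this subpath), False if the icon is served from the cache."""
    return subpath not in fcache

def write_id(fcache: set, client_id: int, n_bits: int) -> list:
    """Write phase (first visit): the client is redirected through /0 .. /N-1.
    For a 1 bit the server answers the favicon GET with 200 + icon (browser
    caches it); for a 0 bit it answers 404 (nothing cached).
    Returns the favicon request log as the server sees it."""
    log = []
    for i in range(n_bits):
        subpath = f"/{i}"
        if browser_visit(fcache, subpath):
            status = 200 if (client_id >> i) & 1 else 404
            log.append(f"GET {subpath}/favicon.ico -> {status}")
            if status == 200:
                fcache.add(subpath)
    return log

def read_id(fcache: set, n_bits: int) -> int:
    """Read phase (return visit): same redirect chain, but every favicon GET is
    answered 404 so the cache is left untouched. A subpath whose favicon is NOT
    requested is already cached, i.e. bit i == 1."""
    client_id = 0
    for i in range(n_bits):
        if not browser_visit(fcache, f"/{i}"):
            client_id |= 1 << i
    return client_id

def demo() -> tuple:
    """Assign ID 11 to a fresh profile, read it back after cookies and the HTTP
    cache were cleared (the F-cache is separate), then apply the mitigation."""
    fcache = set()                         # fresh browser profile
    write_id(fcache, 0b1011, 4)            # 4 bits -> 2^4 distinguishable IDs
    seen_again = read_id(fcache, 4)        # still 11: cookies/HTTP cache irrelevant
    fcache.clear()                         # mitigation: delete the Favicons files
    after_clear = read_id(fcache, 4)       # 0: same as a never-seen browser
    return seen_again, after_clear

if __name__ == "__main__":
    print(demo())                          # (11, 0)
```

Note that an all-zero pattern is indistinguishable from a browser that has never been written to, so a real deployment cannot use ID 0; clearing the F-cache therefore returns the browser to the "unknown" state.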
The most straightforward solution is to disable the favicon cache entirely. Until browser vendors ship a fix for this vulnerability, manually clearing the F-cache is probably the best available workaround.
chrome • Mac OS
- delete `~/Library/Application Support/Google/Chrome/Default/Favicons`
- delete `~/Library/Application Support/Google/Chrome/Default/Favicons-journal`

chrome • windows
- delete `C:\Users\username\AppData\Local\Google\Chrome\User Data\Default`

Safari • Mac OS
- delete the contents of `~/Library/Safari/Favicon Cache`

Edge • Mac OS
- delete `~/Library/Application Support/Microsoft Edge/Default/Favicon`
- delete `~/Library/Application Support/Microsoft Edge/Default/Favicons-journal`
I am a twenty-year-old student from 🇩🇪 Germany. I like working in software design and development and have an interest in the IT security field.

This repository, including the setup of the performance portal, was created within two days as part of a personal research project on the topic of "Tracking on the Web".

Liked the project? Just give it a star ⭐ and spread it around the world!

