New in-browser trackers can track your activities even when you’re connected to a VPN and enabled incognito mode
The fact that a user’s activities can be tracked by the sites they visit has given rise to privacy browsers and extensions such as Privacy Badger. Users also enable incognito mode while browsing the Internet and delete cookies regularly. However, all these precautions are useless against the new kind of trackers.
These trackers use favicons, tiny icons that appear with the site in the browser tab and in the bookmark list. Researchers at the University of Illinois at Chicago said in a new paper that most browsers cache these images in a folder separate from browsing history and cookie data. Sites can abuse this fact by downloading a series of favicons to the user’s browser that will keep track of their activity over a long period of time.
"Powerful Tracking Vector"
“While favicons have for many years been considered merely decorative additions to a site’s name, as the browser displays them to the user to better remember a company’s brand, the study proves that they represent a ‘powerful tracking vector’. This type of tracking hides a significant threat to the user’s privacy,” say the researchers from Chicago. Moreover, according to them:
“With favicons, tracking can be easily implemented by any website without the need for any user interaction or consent. The tracker will collect information about a person’s activities even when using popular anti-tracking extensions. Moreover, the way modern browsers use caching makes such an attack on user data especially dangerous, since favicons are displayed (and cached) even when browsing in incognito mode. This is due to the application of incorrect privacy practices in all major browsers.”
Your activities can be easily tracked if you use Chrome, Safari and Edge. It is worth noting that the developers of Brave have already created effective countermeasures for this type of surveillance. They were only able to do so after receiving a private report from researchers at the University of Chicago. Firefox is not susceptible to this type of attack because it has a number of favicon caching bugs.
Browsers store favicons in a cache so they don’t have to request them from a website every time. This cache is not deleted when users clear their browser’s cache or cookies. It is actively used, even if you switch to private browsing mode. A website saves a certain combination of favicons when a person first opens the pages of a resource. By checking for these images in the cache, a website can identify a particular user’s browser when they revisit the resource. Even if a person uses active measures to prevent tracking, they will still be recognized.
Tracking in browsers has been a problem since the advent of the Internet. As users have learned to easily delete cookies, websites have come up with new ways to identify their visitors.
One such tracking method is known as fingerprinting. This is a process during which information is collected about the screen resolution, the list of available fonts, the software version, and other properties of the user’s computer. Based on the collected data, a profile is created that is assigned to a specific machine. A 2013 study found that 1.5% of the world’s most popular websites use this tracking method. Device fingerprinting is effective even when people use multiple browsers. As a countermeasure, some browsers have attempted to limit this tracking, but often without success.
Two Seconds Is Enough
Websites can use this method by redirecting users through a number of subdomains (each with its own favicon) before they land on the requested page. The number of redirects required varies depending on the number of unique site visitors. To be able to track 4.5 billion unique browsers, a website would need to redirect the user 32 times. Each such redirect contributes 1 bit of entropy. This adds about 2 seconds to the total load time for the page the user wants. Websites can reduce this delay with special settings.
The article explains it as follows:
Taking into account the properties of modern browsers, we see a new mechanism for constantly tracking user activity, which allows websites to identify a person during a repeated visit to a resource, even if he uses incognito mode or has previously cleared the cache. In particular, websites can create and store a unique browser ID through a combination of cached favicon entries. Moreover, this tracking can be done by any website. It only needs to redirect the user appropriately through a series of subdomains. These subdomains have different favicons and thus create their own favicon cache entries. A set of n-subdomains can be used to create an n-bit identifier that is unique for each browser. Since the attacker has complete control over the website, he can redirect the user through hundreds of subdomains without any interaction with him. In fact, the presence of a favicon in the subdomain cache corresponds to a value of 1 in the identifier bit, and its absence will give a value of 0.
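The following is an added in-memory simulation of the scheme described above (it is not code from the paper or the article): a browser model whose favicon cache survives cookie clearing, a tracker model that writes an n-bit identifier on the first visit and reads it back from which favicon requests arrive on later visits, and a defensive clear that wipes the favicon cache together with cookies. The hostnames, the 8-bit size (the paper uses 32) and the mitigation are constructed assumptions; nothing here touches a network or a real browser.

```javascript
// Constructed assumptions: 8 bits (paper: 32) and a placeholder tracker domain.
const N_BITS = 8;
const BASE = 'tracker.example';
const hostFor = (bit) => `s${bit}.${BASE}`;

// Browser model: cookies and a separate favicon cache, as the article describes.
class Browser {
  constructor() { this.cookies = {}; this.favicons = new Set(); }
  clearCookies() { this.cookies = {}; }            // favicon cache is untouched
  load(host, server, ctx) {                        // favicon fetched only on a cache miss
    if (this.favicons.has(host)) return;           // cache hit: no request is sent
    if (server.faviconResponse(host, ctx)) this.favicons.add(host);
  }
}

// Tracker model: the server only sees which favicon requests arrive.
class Tracker {
  constructor() { this.nextId = 1; }
  // Returns true when a favicon (hence a cache entry) is served, false for a 404.
  faviconResponse(host, ctx) {
    ctx.requested.add(host);
    if (host === BASE) return true;                // probe favicon is always served
    if (ctx.mode !== 'write') return false;        // read phase must not create entries
    const bit = Number(host.slice(1, host.indexOf('.')));
    return ((ctx.id >> bit) & 1) === 1;            // entry created only for 1-bits
  }
  // One visit = probe on the base host, then a redirect chain over all subdomains.
  visit(browser) {
    const ctx = { mode: 'read', id: 0, requested: new Set() };
    browser.load(BASE, this, ctx);
    if (ctx.requested.has(BASE)) { ctx.mode = 'write'; ctx.id = this.nextId++; }
    for (let b = 0; b < N_BITS; b++) browser.load(hostFor(b), this, ctx);
    if (ctx.mode === 'write') return ctx.id;
    // Read: a subdomain whose favicon was NOT requested was cached, i.e. bit = 1.
    let id = 0;
    for (let b = 0; b < N_BITS; b++) if (!ctx.requested.has(hostFor(b))) id |= 1 << b;
    return id;
  }
}

// Assumed mitigation (not Brave's actual implementation): clear favicons with cookies.
function hardenedClear(browser) { browser.clearCookies(); browser.favicons.clear(); }

// Scenario: write, survive a cookie clear, then lose the identifier after a hardened clear.
function demo() {
  const tracker = new Tracker(), browser = new Browser();
  const first = tracker.visit(browser);            // write phase assigns id 1
  browser.clearCookies();
  const second = tracker.visit(browser);           // read phase: still id 1
  hardenedClear(browser);
  const third = tracker.visit(browser);            // cache gone: new id 2
  return { first, second, third };
}
```

Running `demo()` shows the point the article makes: deleting cookies leaves the identifier intact, while clearing the favicon cache forces the tracker to start over.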
Researchers who have looked into this issue: Konstantinos Solomos, John Kristoff, Chris Kanich, and Jason Polakis. They all work at the University of Illinois, Chicago.
A Google spokesperson said the company is already aware of this type of tracking and is working on countermeasures. Meanwhile, an Apple spokesman claims that the company is only studying the results obtained in the study. The Chicago researchers have also contacted Microsoft and Brave, who are yet to comment.
As noted earlier, Brave can block this kind of tracking.
Source: Ars Technica.
Cover image: Ricardo Santos