Supercookie: Browser Fingerprinting via Favicon (2021)
Favicon behavior and bugs across browsers
- Many commenters report long‑standing favicon glitches: wrong icons shown for specific sites, icons “stuck” for months or years, persisting across profiles, private mode, OS updates, and possibly iCloud sync.
- Bugs appear across Safari, Firefox, Chrome, iOS Safari, and other WebKit-based browsers, suggesting deep or shared caching issues.
- Safari’s favicon cache is described as extremely persistent; some say that only extreme measures (e.g., deleting the cache files by hand or changing the system time) fully reset it.
Live demo and whether the attack still works
- Several users can’t get the demo working (infinite 1–18 redirect loops, especially on iOS Safari and Firefox private mode). Others report seeing a unique ID after the first cycle.
- Some note the GitHub repo is old (Edge 87 mentioned) and conclude the specific exploit is largely patched; a linked issue states major browsers fixed this years ago.
- However, another link suggests Chrome briefly patched and then regressed, with a more recent note that favicon tracking should now reset on cache deletion and incognito entry.
Effectiveness, limitations, and mitigations
- Users observe different IDs between normal and private windows, and even between separate incognito sessions, implying at least some mitigation in Firefox and elsewhere.
- Deleting cookies and site data in Firefox is reported to remove the identifier.
- One commenter questions practicality: 32 redirects to construct an ID seems heavy; others reply that ad networks value any extra bits of identity, even if costly.
- Disabling favicons is discussed: some argue that being “favicon-less” could itself be a distinctive fingerprint; others say it would just look like a fully cached state, depending on implementation (details remain unclear).
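The points above (a separate ID per private window, deletion of site data resetting the ID, and the question of what a favicon-less browser looks like) all follow from the cache model the technique relies on. The following is an added toy simulation written for this summary; it is not the Supercookie project's code and uses constructed names (`Browser`, `Tracker`, `/bitN` paths). A browser is a set of cached favicon paths; the tracker encodes an ID one bit per path, reading a cache hit (no favicon request seen) as 1 and a miss as 0.

```python
"""Toy model of the favicon-cache identifier discussed in the thread.

Constructed simulation, not the Supercookie project's own code.  A browser
profile is a set of cached favicon paths.  The tracker reads an ID by
redirecting through every path and noting which ones the browser does NOT
request (cached => bit 1), and writes an ID by serving an icon only on the
paths whose bit is 1.  Constructed for illustration; n_bits is kept small.
"""
from dataclasses import dataclass, field


@dataclass
class Browser:
    """One browser profile.  A private window or another profile is simply a
    second instance, i.e. a separate favicon cache."""
    favicons_enabled: bool = True
    cache: set = field(default_factory=set)

    def visit(self, path: str, server_serves_icon: bool) -> bool:
        """Load a page at `path`.  Returns True if a favicon request is sent."""
        if not self.favicons_enabled:
            return False            # never asks for favicons at all
        if path in self.cache:
            return False            # cache hit: nothing leaves the browser
        if server_serves_icon:
            self.cache.add(path)    # a successful icon response is cached
        return True

    def clear_cache(self) -> None:
        """Models 'delete cookies and site data' / a full cache reset."""
        self.cache.clear()


class Tracker:
    """Server side of the model.  ID 0 (nothing cached) and all-ones
    (everything cached, or favicons disabled) are reserved, never assigned."""

    def __init__(self, n_bits: int = 8):
        self.n_bits = n_bits
        self.next_id = 1
        self.known: set[int] = set()

    def paths(self) -> list[str]:
        return [f"/bit{i}" for i in range(self.n_bits)]

    def read(self, browser: Browser) -> int:
        """Read phase: one redirect per path, icon never served.  A path the
        browser does not request is already cached and counts as bit 1."""
        value = 0
        for i, path in enumerate(self.paths()):
            if not browser.visit(path, server_serves_icon=False):
                value |= 1 << i
        return value

    def write(self, browser: Browser, ident: int) -> None:
        """Write phase: redirect only through the bit-1 paths and serve the
        icon there so it gets cached; bit-0 paths are left untouched."""
        for i, path in enumerate(self.paths()):
            if (ident >> i) & 1:
                browser.visit(path, server_serves_icon=True)

    def identify(self, browser: Browser) -> tuple[int, bool]:
        """Returns (id, is_new).  Unknown readings get a fresh ID written."""
        value = self.read(browser)
        if value in self.known:
            return value, False
        ident = self.next_id
        self.next_id += 1
        self.known.add(ident)
        self.write(browser, ident)
        return ident, True


def demo(n_bits: int = 8) -> dict:
    """Walks through the behaviours reported in the thread."""
    t = Tracker(n_bits)
    normal = Browser()
    first = t.identify(normal)               # fresh profile: new ID written
    returning = t.identify(normal)           # same profile: recognised
    private = Browser()                      # private window: separate cache
    private_visit = t.identify(private)      # gets its own, different ID
    normal.clear_cache()                     # deleting site data
    after_clear = t.identify(normal)         # old ID is gone, new one assigned
    no_fav_a = Browser(favicons_enabled=False)
    no_fav_b = Browser(favicons_enabled=False)
    # Favicon-less browsers never request anything, so every read returns the
    # all-ones "fully cached" value: they all fall into one reserved bucket.
    return {
        "first": first,
        "returning": returning,
        "private": private_visit,
        "after_clear": after_clear,
        "no_favicons": (t.read(no_fav_a), t.read(no_fav_b)),
        "all_ones": (1 << n_bits) - 1,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes the thread's observations mechanical: a private window is a second `Browser` with an empty cache, so it reads as 0 and gets its own ID; `clear_cache()` returns the profile to the 0 reading, so the old ID is unrecoverable; and a browser with favicons disabled reads as all-ones, the same value every favicon-less browser produces, so it is a shared bucket rather than a per-user identifier, although the bucket itself is still distinguishable from browsers that do fetch favicons. Note that the read and write phases each cost up to one redirect per bit, which is the "heavy" cost commenters remarked on.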
Favicons vs usability and privacy
- Some users happily run favicon‑free browsers and question why they’re needed.
- Others defend favicons as essential for tab‑heavy workflows, where icons are easier to scan than truncated titles.
Ethics, regulation, and business models
- Strong criticism of hidden tracking: some want it criminalized, likening it to stalking or malware.
- Debate over GDPR: some say it already covers such tracking; others highlight weak enforcement or “legitimate interest” loopholes.
- One long subthread argues:
  - Tracking within a single site to improve services is acceptable; reselling data and third‑party brokers are the core problem.
  - GDPR and similar rules may inadvertently entrench large incumbents and hurt small, data‑driven businesses.
- Opponents push back, emphasizing user consent, the difficulty of opting out when most sites require JS, and the need for regulation because users can’t realistically audit code.
Hardened browsing setups and practical issues
- Some describe extreme isolation: running browsers in disposable VMs with qemu and sandboxing, deleting state on exit.
- Others note that such setups can themselves become fingerprints (e.g., odd GPU/rendering behavior, missing fonts), triggering CAPTCHAs and suspicion.
Broader tracking landscape and related techniques
- Commenters expect similar attacks on other long‑lived browser artifacts and caches.
- A GPU-based fingerprinting technique (“DrawnApart”) using WebGL timing is mentioned as another example of increasingly sophisticated tracking.
Reception of the research
- Several find the favicon “supercookie” technically clever or “lovely” as an attack vector.
- Others are more interested in using it (or similar tools) for non-ad-tech purposes like detecting banned users who try to evade bans.