Stunning news, favicon icons are now being used in the role of supercookies. Now you can not hide from them with standard methods. Just the other day, a German software developer Jonas Strehle made a publication in his account, GitHub, in which he described the method of using the icon favicon sites in the role of supercookies. In this method, the most distinguishing feature of this kind of cookies is the immunity to VPN, incognito mode and others.

Who are these supercookies and favicon's?

A supercookie is a type of tracking cookie that is inserted into an HTTP header by an Internet Service Provider (ISP) to collect data about a user's browsing history and habits.

A Favicon icon is an icon of a website or web page in a tab in front of the page name, and is also presented as a picture next to a bookmark, in tabs, and in other interface elements.

How does this clever method of the German Strehle actually work?

Using such icons, any website user is assigned a unique identifier that is very difficult for a user to erase on their own. German Strehle explains a possible threat model that allows a unique identifier to be assigned to each browser in order to infer a user and be able to identify that user even when security measures such as using a VPN, deleting cookies, deleting browser cache, or manipulating client header information are applied.

The web server sends a request to see if the browser has already loaded the icon or not: so when the browser requests a web page, if the icon is not in the local F-cache, another request is made for the icon. If the icon already exists in the F-Cache, no further request is sent. By combining the status of delivered and undelivered icons for specific URLs for the browser, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can retrieve the identification number using the network requests sent by the client for the missing icons, and thus identify the user's browser.

Namely, data about the user, where the user was and what he was doing is saved, and this is already a full-fledged additional tool for tracking him with Favicon.