breppp 6 hours ago

I was sure this has been a thing for a while, either that or Safari has a UI bug since forever.

I regularly get the wrong favicon in specific sites, for example ars technica favicon in reddit

  • snailmailman 3 hours ago

    My hacker news icon has been stuck as the icon for a weather site that I sometimes check. It’s been stuck that way for close to a year now, and has survived an iOS update too.

    It persists across profiles and into private browsing mode.

    • grugagag 33 minutes ago

      To me HN has been stuck as Facebook's icon for a really long time.

    • mycall an hour ago

      Could site icons be connected somehow to iCloud?

    • prodigycorp 44 minutes ago

      set your clock forward a few years and restart your phone. it should fix it.

  • prodigycorp an hour ago

    Safari has super long lived favicon caches too. The only way to force a rebuild is to set your system clock forward a few years.

  • goodells 5 hours ago

    I thought I was the only one! Something in the UI cache is so horribly corrupted and it has been for years on my MacBook, I just gave up hope.

  • croes 3 hours ago

    I get the wrong one for HN in mobile Chrome

  • robotnikman 6 hours ago

    I get the same bug in Firefox as well sometimes.

gitmagic 6 hours ago

What is the live demo supposed to do? I just get stuck in an endless redirect loop with a counter going from 1 to 18 and then restarting. I’m using Safari on iOS.

  • waitwhatwhoa 5 hours ago

    This was fixed after we reported it a few years ago while working on the paper.

  • dizhn 6 hours ago

    Android/Firefox it showed me my unique ID after the first 18. Then there was a button to try again and that put me in the same loop you're having.

    • QuantumNomad_ 5 hours ago

      Safari on iOS. It goes to 18/18 and then starts over from 1/18 again for me too. I had not pressed any retry button, this happened the first time I visited the page. And I wasn’t even in private browsing mode. Just navigated to it normally.

    • int0x29 6 hours ago

      Firefox for Android private browsing mode gets stuck in the loop 100% for me

martin_a 5 hours ago

Needs a (2023) addition in the title

  • iammjm 4 hours ago

    make it 2021 actually. After these years, was this fixed?

    • abirch 3 hours ago

      It was fixed for me on Chrome.

Barbing 5 hours ago

Reminds me I noticed macOS Safari pulling in the favicons somewhat frequently when I load the new tab page with favorites on it.

Definitely something I don't want. Maybe I should just remove the favorites or maybe I can save them as redirects or HTML or something.

Note I use private windows most often & shoutout Little Snitch for driving the discovery.

xandrius 4 hours ago

I just got a refresh per second and a counter from 1/18 to 18/18 and repeat. Feels like I wasted 20s.

scrps 4 hours ago

Nonpersistent vm-based browser, I use qemu + cage + firefox and some glue logic to fire up a copy of a base image which gets deleted on exit. Fires up slower than a native firefox instance but runs all the same.

Can containerize for the less paranoid and less work but browsers touching host kernel gives me the ick as does the idea of trying to write ebpf policies for firefox to mitigate. Browsers are pain.

  • ghxst an hour ago

    Tried a similar approach but found that putting the browser in a VM has a tendency to expose a few data points that stand out as less trustworthy which means you end up getting a lot of captchas on some websites (like using swiftshader for renderer, not having some fonts installed, among other things), lying about these can typically be detected as well (like injecting noise into a canvas, modifying the advertised renderer). If you've found any solutions to these please share.

    • scrps 38 minutes ago

      What approach did you end up going with instead?

  • captainkrtek 3 hours ago

    This sounds interesting, do you have this written up anywhere?

    • scrps an hour ago

      I sadly do not atm beyond some notes but I can if there is interest.

musicale 4 hours ago

I have never liked how Safari always tries to reload favicons. Seems like an obvious and annoying privacy leak.

soulofmischief 6 hours ago

I got different IDs in regular browsing vs incognito mode in Firefox.

  • bravoetch 5 hours ago

    Seems like Firefox made changes to address this kind of tracking in version 85.

    • mmooss 3 hours ago

      Do you happen to know where the bug report is?

  • denismi 4 hours ago

    I got different IDs in regular browsing vs my first incognito window vs my second incognito window.

sjdonado 5 hours ago

The demo didn't work for me. Safari latest iOS

NooneAtAll3 4 hours ago

I don't understand the live demo

it gave me some ID, but how do I test that some different website can track me resulting in same ID?

or is it only "detect private browsing/container on same browser" kind of stuff?

  • mmooss 3 hours ago

    It could track you between site visits, at a minimum.

Strongbad536 5 hours ago

Probably not a popular opinion here but I'm honestly impressed that someone made this work?

  • alentred 4 hours ago

    There is ad money at stake, and it is unfortunately one of the key revenue models in the modern web. I don't know if this particular research was sponsored by ad-tech or if it's preventive, but it shouldn't be generally surprising that this kind of thing is heavily researched.

zzo38computer 6 hours ago

Does it work if you disable favicons? (I disabled favicons when I set up the computer, but for a different reason; it is a feature that I don't use.)

  • mmooss 3 hours ago

    If websites can detect that you've disabled favicons, then you are easy to track between all websites because you are very unusual.

    • fsmv 3 hours ago

      I don't think that's true. You'll just look like someone who already has it cached.

      • mmooss 2 hours ago

        It depends on how the browser rejects favicons? If the browser reports the icon is already cached, I agree (assuming the reports are indistinguishable). But maybe it just never downloads the icon, for example.

VladVladikoff 3 hours ago

This is great, I needed more tools for tracking bad users who have been banned and try to ban evade. I have been using Samy Kamkar's evercookie which is pretty good but some of the techniques are dated.

efficax 3 hours ago

did anyone ever make use of this in practice? 32 redirects to construct a unique id seems very impractical

  • vlovich123 3 hours ago

    Ad networks don’t care. It’s a data leak. Even a few extra bits can be valuable to tag you with a better uid.

tamimio 2 hours ago

Can’t wait for this to be abused and linked to your digital ID through the wallet app!