New browser-tracking hack works even when you flush caches or go incognito

19/02/2021

The prospect of Web users being tracked by the sites they visit has prompted several countermeasures over the years, including using Privacy Badger or an alternate anti-tracking extension, enabling private or incognito browsing sessions, or clearing cookies. Now, websites have a new way to defeat all three.

The technique leverages the use of favicons, the tiny icons that websites display in users’ browser tabs and bookmark lists. Researchers from the University of Illinois, Chicago said in a new paper that most browsers cache the images in a location that’s separate from the ones used to store site data, browsing history, and cookies. Websites can abuse this arrangement by loading a series of favicons on visitors’ browsers that uniquely identify them over an extended period of time.

Powerful tracking vector

“Overall, while favicons have long been considered a simple decorative resource supported by browsers to facilitate websites’ branding, our research demonstrates that they introduce a powerful tracking vector that poses a significant privacy threat to users,” the researchers wrote. They continued:

The attack workflow can be easily implemented by any website, without the need for user interaction or consent, and works even when popular anti-tracking extensions are deployed. To make matters worse, the idiosyncratic caching behavior of modern browsers, lends a particularly egregious property to our attack as resources in the favicon cache are used even when browsing in incognito mode due to improper isolation practices in all major browsers.

The attack works against Chrome, Safari, Edge, and until recently Brave, which developed an effective countermeasure after receiving a private report from the researchers. Firefox would also be susceptible to the technique, but a bug prevents the attack from working at the moment.

Favicons provide users with a small icon that can be unique for each domain or subdomain on the Internet. Websites use them to help users more easily identify the pages that are currently open in browser tabs or are stored in lists of bookmarks.

Browsers save the icons in a cache so they don’t have to request them over and over. This cache isn’t emptied when users clear their browser cache or cookies, or when they switch to a private browsing mode. A website can exploit this behavior by storing a specific combination of favicons when users first visit it, and then checking for those images when users revisit the site, thus allowing the website to identify the browser even when users have taken active measures to prevent tracking.

Browser tracking has been a concern since the advent of the World Wide Web in the 1990s. Once it became easy for users to clear browser cookies, websites devised other ways to identify visitors’ browsers.

One of those methods is known as device fingerprinting, a process that collects the screen size, list of available fonts, software versions, and other properties of the visitor’s computer to create a profile that is often unique to that machine. A 2013 study found that 1.5 percent of the world’s most popular sites employed the technique. Device fingerprinting can work even when people use multiple browsers. In response, some browsers have attempted to curb the tracking by blocking fingerprinting scripts.

Two seconds is all it takes

Websites can exploit the new favicon side channel by sending visitors through a series of subdomains—each with its own favicon—before delivering them to the page they requested. The number of redirections required varies depending on the number of unique visitors a site has. To be able to track 4.5 billion unique browsers, a website would need 32 redirections, since each redirection translates to 1 bit of entropy. That would add about 2 seconds to the time it takes for the final page to load. With tweaks, websites can reduce the delay.

The paper explains it this way:

By leveraging all these properties, we demonstrate a novel persistent tracking mechanism that allows websites to reidentify users across visits even if they are in incognito mode or have cleared client-side browser data. Specifically, websites can create and store a unique browser identifier through a unique combination of entries in the favicon cache. To be more precise, this tracking can be easily performed by any website by redirecting the user accordingly through a series of subdomains. These subdomains serve different favicons and, thus, create their own entries in the Favicon-Cache. Accordingly, a set of N-subdomains can be used to create an N-bit identifier, that is unique for each browser. Since the attacker controls the website, they can force the browser to visit subdomains without any user interaction. In essence, the presence of the favicon for subdomain in the cache corresponds to a value of 1 for the i-th bit of the identifier, while the absence denotes a value of 0.
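From the defender's side, the redirect pattern the paper describes is visible in a navigation log. The following is an added example, not code from the article or the paper: a heuristic that flags one user-initiated visit bouncing through many sibling subdomains before it lands. The log format, the `auto` field, the hostnames and the threshold are all assumptions made for illustration.

```javascript
// Added example, not from the article or the paper. Hostnames are constructed.
// Assumption: parent domain = last two host labels (real tooling should use
// the Public Suffix List). MIN_HOPS is an arbitrary threshold to tune.
const MIN_HOPS = 8;
const parentOf = (host) => host.split(".").slice(-2).join(".");

function findRedirectChains(log, minHops = MIN_HOPS) {
  const groups = [];               // one host list per user-initiated visit
  const faviconHosts = new Set();  // hosts whose favicon was fetched over the network
  for (const { type, url, auto } of log) {
    const host = new URL(url).hostname;
    if (type === "favicon") faviconHosts.add(host);
    else if (!auto || groups.length === 0) groups.push([host]);
    else groups[groups.length - 1].push(host); // navigation without user action
  }
  return groups.map((hosts) => {
    const landing = hosts[hosts.length - 1];
    // Distinct intermediate hosts under the same parent domain as the landing page.
    const siblings = new Set(hosts.slice(0, -1).filter(
      (h) => h !== landing && parentOf(h) === parentOf(landing)));
    return {
      landing,
      siblingHops: siblings.size,
      faviconFetches: [...siblings].filter((h) => faviconHosts.has(h)).length,
      suspicious: siblings.size >= minHops,
    };
  });
}

// Constructed log: a visit that passes through ten sibling subdomains,
// followed by an ordinary bare-domain to www redirect on another site.
const SAMPLE_LOG = [
  { type: "navigation", url: "https://www.tracker.test/", auto: false },
];
for (let i = 0; i < 10; i++) {
  const url = `https://t${i}.tracker.test/`;
  SAMPLE_LOG.push({ type: "navigation", url, auto: true });
  if (i % 3 === 0) SAMPLE_LOG.push({ type: "favicon", url: url + "favicon.ico" });
}
SAMPLE_LOG.push(
  { type: "navigation", url: "https://www.tracker.test/page", auto: true },
  { type: "navigation", url: "http://news.test/", auto: false },
  { type: "navigation", url: "https://www.news.test/", auto: true },
);

console.log(findRedirectChains(SAMPLE_LOG));
```

A long sibling-subdomain chain is a signal to investigate, not proof of tracking; single sign-on and consent flows also redirect, usually through far fewer hosts.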

The researchers behind the findings are: Konstantinos Solomos, John Kristoff, Chris Kanich, and Jason Polakis, all of the University of Illinois, Chicago. They will be presenting their research next week at the NDSS Symposium.

A Google spokesman said the company is aware of the research and is working on a fix. An Apple representative, meanwhile, said the company is looking into the findings. Ars also contacted Microsoft and Brave, and neither had an immediate comment for this post. As noted above, the researchers said Brave has introduced a countermeasure that prevents the technique from being effective, and other browser makers said they were working on fixes.

Until fixes are available, people who want to protect themselves should investigate the effectiveness of disabling the use of favicons. Searches here, here, and here list steps for Chrome, Safari, and Edge respectively.
