Tiny favicons can be utilised to track users' movements online

Favicons can store a unique ID which is not easily cleared by a user and which can bypass VPNs and other privacy tools

A website's favicon could be used as 'supercookie' to covertly track the movement of users across the internet.

That's according to German software designer Jonas Strehle, who recently published a proof of concept on GitHub, demonstrating a method that uses a favicon's cache to store a unique identifier for a user.

A favicon is the little icon displayed in browser tabs as the logo image of a website. Most browsers usually display favicons in the address bar and also next to the webpage's name in a list of bookmarks.

Strehle says he started working on the project after reading a research paper [pdf] from the University of Illinois at Chicago. In that study, researchers found that favicons could be used as a supercookie, a type of tracking cookie inserted into an HTTP header to collect data about a user's internet browsing history and habits - in most modern browsers.

Favicons are cached in a separate local database, called the favicon cache (F-Cache), which ensures that the tiny icons are easily accessible to a browser.

When a user visits a website for the first time, the web favicon is cached in the browser. When the user revisits the site, the browser checks F-Cache to see whether the favicon for the site is stored there. If the favicon is found in F-Cache, it is displayed in the address bar. However, if the browser finds that the favicon data is missing or is out of date, a GET request is made to the website's server to load the site's favicon.

Strehle says a favicon request allows a web server to collect some information about the visitor and assign a unique pattern (identification number) to them.

"When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser."

According to Strehle, the biggest worry about the favicons is that they can bypass VPNs, privacy plugins and incognito mode security to allow websites to track users' movements.

"It looks like all top browsers (Chrome, Firefox, Safari, Edge) are vulnerable to this attack scenario," Strehle says. "Mobile browsers are also affected".

"Unlike traditional tracking methods, [the user's unique ID] can be stored almost persistently and cannot be easily cleared by the user."

In a similar finding last year, researchers from cyber security firm Malwarebytes claimed that hackers were using fake icons on various websites in efforts to steal payment card details from compromised e-commerce websites.

The researchers said they had noticed several compromised Magento websites loading a data skimmer instead of the legitimate website favicon (the logo image of the website shown in browser tabs) on their payment checkout pages.

As part of the new campaign, the attackers set up a fake image hosting, which claimed to offer thousands of icons and images for users to download, but its real aim was to serve as a platform for web skimming operations.

Apart from stealing buyers' credit card data, the hackers also collected their personal information, including their names, address, email and phone numbers, the researchers said.