I have the same, the Youtube icon is the Hacker news icon, and the other way round. I have to assume this is some sort of race condition, data corruption, or something else, and it's quite widespread too given all these reports.
What is the live demo supposed to do? I just get stuck in an endless redirect loop with a counter going from 1 to 18 and then restarting. I’m using Safari on iOS.
Nonpersistent vm-based browser, I use qemu + cage + firefox and some glue logic to fire up a copy of a base image which gets deleted on exit. Fires up slower than a native firefox instance but runs all the same.
Can containerize for the less paranoid and less work but browsers touching host kernel gives me the ick as does the idea of trying to write ebpf policies for firefox to mitigate. Browsers are pain.
This is great, I needed more tools for tracking bad users who have been banned and try to ban evade. I have been using Samy Kamkars evercookie which is pretty good but some of the techniques are dated.
At some point we need actual consequences for sites that intentionally hide their tracking. It should be criminal. It is stalking and has real world consequences. Just because an exploit exists doesn't mean it should be used. That logic is like saying it is OK to break into a house because the lock on the door was weak. If we don't get real protections, at what point does it become justified to go offensive against sites that exploit things like this? If I found someone putting trackers on me with the intent to sell that information (harm me) I would defend myself. When am I allowed to do that in the digital world?
Quick side note here. I appreciate the research calling this out. We need to know the dangers out there to figure out how to protect ourselves, especially since governments don't seem to take this seriously.
This is an insightful read. One question I have is, how do you ensure a user visits all of the N routes for the ID to be generate or to be verified on revisits.
33 comments
[ 4.8 ms ] story [ 52.8 ms ] threadI regularly get the wrong favicon in specific sites, for example ars technica favicon in reddit
- The last update was 2 years ago.
- It says that MS Edge 87 is affected. The current Version of Edge is 142.
This is no longer an issue, but it is interesting thinking about how long the NSA knew about this before the general population did.
"Tales of Favicons and Caches: Persistent Tracking in Modern Browsers"
https://news.ycombinator.com/item?id=25868742
53 comments on 22-jan-2021
Definitely something I don't want. Maybe I should just remove the favorites or maybe I can save them as redirects or HTML or something.
Note I use private windows most often & shoutout Little Snitch for driving the discovery.
https://news.ycombinator.com/item?id=26051370
it gave me some ID, but how do I test that some different website can track me resulting in same ID?
or is it only "detect private browsing/container on same browser" kind of stuff?
Can containerize for the less paranoid and less work but browsers touching host kernel gives me the ick as does the idea of trying to write ebpf policies for firefox to mitigate. Browsers are pain.
(2021) per https://news.ycombinator.com/item?id=45948731
Rename thumbnail to favicon: https://github.com/brave/brave-core/commits/master/patches/c...
Then abandoned in favor of Chromium including favicons in the regular cache https://news.ycombinator.com/item?id=45954466
Quick side note here. I appreciate the research calling this out. We need to know the dangers out there to figure out how to protect ourselves, especially since governments don't seem to take this seriously.
Wondering why users of popular browsers believe favicon is needed
(I'm assuming users asked the authors of those browsers for favicon)