33 comments

[ 4.8 ms ] story [ 52.8 ms ] thread
I was sure this has been a thing for a while, either that or safari has a UI bug since forever.

I regularly get the wrong favicon in specific sites, for example ars technica favicon in reddit

I have the same, the Youtube icon is the Hacker news icon, and the other way round. I have to assume this is some sort of race condition, data corruption, or something else, and it's quite widespread too given all these reports.
What is the live demo supposed to do? I just get stuck in an endless redirect loop with a counter going from 1 to 18 and then restarting. I’m using Safari on iOS.
Look at the Github repo:

- The last update was 2 years ago.

- It says that MS Edge 87 is affected. The current Version of Edge is 142.

This is no longer an issue, but it is interesting thinking about how long the NSA knew about this before the general population did.

Does it work if you disable favicons? (I disabled favicons when I set up the computer, but for a different reason; it is a feature that I don't use.)
I got different IDs in regular browsing vs incognito mode in Firefox.
It's a shame that the actual attack mechanism doesn't seem to be detailed on the github repo, and the link to the article is dead.
The demo didn't work for me. Safari latest ios
Probably not a popular opinion here but i'm honestly impressed that someone made this work?
Needs a (2023) addition in the title
Reminds me I noticed macOS Safari pulling in the favicons somewhat frequently when I load the new tab page with favorites on it.

Definitely something I don't want. Maybe I should just remove the favorites or maybe I can save them as redirects or HTML or something.

Note I use private windows most often & shoutout Little Snitch for driving the discovery.

I don't understand the live demo

it gave me some ID, but how do I test that some different website can track me resulting in same ID?

or is it only "detect private browsing/container on same browser" kind of stuff?

I just got a refresh per second and a counter from 1/18 to 18/18 and repeat. Feels like I wasted 20s.
Nonpersistent vm-based browser, I use qemu + cage + firefox and some glue logic to fire up a copy of a base image which gets deleted on exit. Fires up slower than a native firefox instance but runs all the same.

Can containerize for the less paranoid and less work but browsers touching host kernel gives me the ick as does the idea of trying to write ebpf policies for firefox to mitigate. Browsers are pain.

I have never liked how Safari always tries to reload favicons. Seems like an obvious and annoying privacy leak.
This is great, I needed more tools for tracking bad users who have been banned and try to ban evade. I have been using Samy Kamkars evercookie which is pretty good but some of the techniques are dated.
did anyone ever make use of this in practice? 32 redirects to construct a unique id seems very impractical
Can’t wait for this to be abused and linked to your digital ID through the wallet app!
At some point we need actual consequences for sites that intentionally hide their tracking. It should be criminal. It is stalking and has real world consequences. Just because an exploit exists doesn't mean it should be used. That logic is like saying it is OK to break into a house because the lock on the door was weak. If we don't get real protections, at what point does it become justified to go offensive against sites that exploit things like this? If I found someone putting trackers on me with the intent to sell that information (harm me) I would defend myself. When am I allowed to do that in the digital world?

Quick side note here. I appreciate the research calling this out. We need to know the dangers out there to figure out how to protect ourselves, especially since governments don't seem to take this seriously.

Delete cookies and site data on Firefox works.
I use a browser that does not support favicon

Wondering why users of popular browsers believe favicon is needed

(I'm assuming users asked the authors of those browsers for favicon)

Why doesn't this apply to any kind of cached content?
This is an insightful read. One question I have is, how do you ensure a user visits all of the N routes for the ID to be generate or to be verified on revisits.