Supercookie: Browser Fingerprinting via Favicon (2021)

2025-11-16 19:39 · 357 · 100 · github.com


supercookie


Supercookie uses favicons to assign a unique identifier to website visitors.
Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user.

The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the operating system, using a VPN or installing AdBlockers. 🍿 Live demo.

This repository is for educational and demonstration purposes only!

The demo of "supercookie", as well as the publication of this repository's source code, is intended to draw attention to the tracking possibilities that favicons open up.

📕 Full documentation

Requirements: Docker daemon

  1. Clone the repository:
     git clone https://github.com/jonasstrehle/supercookie
  2. Update the .env file in supercookie/server/.env:
     HOST_MAIN=yourdomain.com       # or localhost:10080
     PORT_MAIN=10080
     HOST_DEMO=demo.yourdomain.com  # or localhost:10081
     PORT_DEMO=10081
  3. Start the server:
     cd supercookie/server
     docker-compose up

-> Webserver will be running at https://yourdomain.com

Requirements: Node.js

  1. Clone the repository:
     git clone https://github.com/jonasstrehle/supercookie
  2. Update the .env file in supercookie/server/.env:
     HOST_MAIN=localhost:10080
     PORT_MAIN=10080
     HOST_DEMO=localhost:10081
     PORT_DEMO=10081
  3. Start the server:
     cd supercookie/server
     node --experimental-json-modules main.js

-> Webserver will be running at http://localhost:10080

Modern browsers offer a wide range of features to improve and simplify the user experience. One of these features is the so-called favicon: a favicon is a small (usually 16×16 or 32×32 pixels) logo used by web browsers to brand a website in a recognizable way. Most browsers show favicons in the address bar and next to the page's name in a list of bookmarks.

To serve a favicon on their website, a developer has to include a link tag in the webpage's header. If this tag exists, the browser requests the icon from the predefined source, and if the server response contains a valid icon file that can be properly rendered, the browser displays that icon. In any other case, a blank favicon is shown.

<link rel="icon" href="/favicon.ico" type="image/x-icon">

Favicons must be quickly accessible to the browser. Therefore, they are cached in a separate local database on the system, called the favicon cache (F-Cache). An F-Cache entry includes the visited URL (subdomain, domain, route, URL parameters), the favicon ID and the time to live (TTL). While this gives web developers the ability to delineate parts of their website using a wide variety of icons for individual routes and subdomains, it also leads to a possible tracking scenario.

When a user visits a website, the browser checks whether a favicon is needed by looking up the source of the shortcut icon link reference of the requested webpage. The browser initially checks the local F-Cache for an entry containing the URL of the active website. If a favicon entry exists, the icon is loaded from the cache and displayed. However, if there is no entry, for example because no favicon has ever been loaded under this particular domain, or because the data in the cache is out of date, the browser makes a GET request to the server to load the site's favicon.

The article describes a possible threat model that assigns a unique identifier to each browser in order to draw conclusions about the user and to identify that user even when anti-fingerprinting measures are applied, such as the use of a VPN, deletion of cookies, deletion of the browser cache or manipulation of the client header information.

A web server can tell whether a browser has already loaded a favicon or not: when the browser requests a web page and the favicon is not in the local F-Cache, a second request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent. By combining the states of delivered and not delivered favicons for specific URL paths, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can reconstruct the identification number from the network requests the client sends for the missing favicons and thus identify the browser.

[Supercookie header image]

[Table: conventional cookies vs. supercookie, compared on the following criteria]
  • Identification accuracy - 100%
  • Incognito / Private mode detection
  • Persistent after flushed website cache and cookies
  • Identify multiple windows
  • Working with Anti-Tracking SW

It looks like all top browsers (Chrome, Firefox, Safari, Edge) are vulnerable to this attack scenario. Mobile browsers are also affected.

[Table: affected browsers by platform (Windows, MacOS, Linux, iOS, Android); per-platform marks not reproduced here]
  • Chrome (v 111.0) - one platform marked "?"
  • Safari (v 14.0)
  • Edge (v 87.0)
  • Firefox (v 86.0) - Fingerprint different in incognito mode
  • Brave (v 1.19.92)

[Second table, same platform columns]
  • Brave (v 1.14.0)
  • Firefox (< v 84.0)

By varying the number of bits, which corresponds to the number of redirects to subpaths, this attack can be scaled almost arbitrarily. It can distinguish 2^N unique users, where N is the number of redirects on the client side. The time taken for the read and write operations increases with the number of distinguishable clients.
To keep the number of redirects as small as possible, N can have a dynamic length. More about this here.
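The write/read mechanism described in the two sections above, as an added model that is not code from the supercookie project: a hypothetical FaviconCache stands in for the browser's F-Cache, a hypothetical TrackingServer owns N subpaths (one per bit), and clear() shows why deleting the F-Cache (the mitigation given below) resets the identifier. In this model an all-zero read means "unknown visitor", so IDs start at 1 and 2^N - 1 of the 2^N patterns are usable.

```python
class FaviconCache:
    """Model of a browser's F-Cache: maps a URL (host + route) to a favicon ID."""

    def __init__(self):
        self.entries = {}  # url -> favicon id (constructed, in-memory stand-in)

    def has(self, url):
        return url in self.entries

    def store(self, url, icon_id):
        self.entries[url] = icon_id

    def clear(self):
        # The README's mitigation: delete the F-Cache on disk.
        self.entries.clear()


class TrackingServer:
    """Hypothetical server with N subpaths; subpath i carries bit i of the ID."""

    def __init__(self, host, n_bits):
        self.routes = [f"{host}/r/{i}" for i in range(n_bits)]
        self.next_id = 1  # 0 is reserved: it reads as "no cached favicons"

    def write(self, cache):
        """Assign a fresh ID and burn it into the F-Cache: the browser is
        redirected through every route; the server answers the favicon
        request with an icon only where the bit is 1 (cached) and with a
        404 where it is 0 (nothing cached)."""
        visitor_id = self.next_id
        self.next_id += 1
        for i, route in enumerate(self.routes):
            if (visitor_id >> i) & 1:
                cache.store(route, f"icon-{i}")  # 200: icon delivered and cached
            # else: 404, the browser caches nothing for this route
        return visitor_id

    def read(self, cache):
        """Redirect through every route again and watch which favicon
        requests arrive: a request means the route was NOT cached (bit 0),
        no request means it was (bit 1). The cache is left unchanged.
        Returns (visitor_id, routes_requested)."""
        requested = [r for r in self.routes if not cache.has(r)]
        visitor_id = 0
        for i, route in enumerate(self.routes):
            if route not in requested:
                visitor_id |= 1 << i
        return visitor_id, requested


def visit(server, cache):
    """One page load. An all-zero read means a fresh or cleared F-Cache,
    so the server assigns a new ID. Returns (visitor_id, is_new)."""
    visitor_id, _ = server.read(cache)
    if visitor_id == 0:
        return server.write(cache), True
    return visitor_id, False


if __name__ == "__main__":
    server = TrackingServer("tracker.example", 8)  # constructed host, N = 8
    browser = FaviconCache()
    print(visit(server, browser))  # first visit: new ID
    print(visit(server, browser))  # reload: same ID, no cookies involved
    browser.clear()                # delete the F-Cache ...
    print(visit(server, browser))  # ... and the server can only issue a new ID
```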

The most straightforward solution is to disable the favicon cache completely. As long as the browser vendors do not provide a feature against this vulnerability, clearing the F-Cache is probably the best option.

  • Chrome, MacOS
    • Delete ~/Library/Application Support/Google/Chrome/Default/Favicons
    • Delete ~/Library/Application Support/Google/Chrome/Default/Favicons-journal
  • Chrome, Windows
    • Delete C:\Users\username\AppData\Local\Google\Chrome\User Data\Default
  • Safari, MacOS
    • Delete content of ~/Library/Safari/Favicon Cache
  • Edge, MacOS
    • Delete ~/Library/Application Support/Microsoft Edge/Default/Favicon
    • Delete ~/Library/Application Support/Microsoft Edge/Default/Favicons-journal

I am a twenty-year-old student from 🇩🇪 Germany. I like to work in software design and development and have an interest in the IT security domain.

This repository, including the setup of a demonstration portal, was created within two days as part of a private research project on the topic of "Tracking on the Web".


Liked the project? Just give it a star ⭐ and spread the word!

Comments

  • By jmward01 2025-11-17 04:29 | 6 replies

    At some point we need actual consequences for sites that intentionally hide their tracking. It should be criminal. It is stalking and has real world consequences. Just because an exploit exists doesn't mean it should be used. That logic is like saying it is OK to break into a house because the lock on the door was weak. If we don't get real protections, at what point does it become justified to go offensive against sites that exploit things like this? If I found someone putting trackers on me with the intent to sell that information (harm me) I would defend myself. When am I allowed to do that in the digital world?

    Quick side note here. I appreciate the research calling this out. We need to know the dangers out there to figure out how to protect ourselves, especially since governments don't seem to take this seriously.

    • By bravoetch 2025-11-17 07:28 | 1 reply

      I think two things keep the status quo where the end-user is exploited and attacked constantly. The first is the VC / Startup model. Because VC is the true customer, and not the end-user. The second is the current marketing and advertising model. Can it keep working well enough to be worth the money? When it's not, the bottom falls out.

      Old business model: solve a problem for your customer, add some value, take home a cut. Current business model: solve investment return for your investors, get the returns by addicting your end-user to something they don't need. Future business model: ?

      • By halapro 2025-11-17 09:12

        > The first is the VC / Startup model. Because VC is the true customer, and not the end-user.

        I don't see how that's related? Anyone looking to increase their revenue looks at tracking. Even I, with my popular open source projects, receive emails to add tracking, let alone businesses that need money to pay their employees.

    • By metalman 2025-11-17 11:20

      I am not concerned with being tracked, and assume that large entities on the net have the ability to track and find anything or anybody, ho hum, but my simple personal requirement is not to be then sold to petty merchants and harassed in my own home with ads and fake "personalisations", and offered unasked for "help", so I watch closely, and go to any length to disable ads, or "fingerprinting", "profiling", or whatever. The net is horrible, I need socks, but as I am now sensitised to being tracked and followed, I will just get socks at the hardware store, rather than try and track down what were mentioned as perfect travellers socks and other gear, because the mountain of equipment relentlessly devoted to selling me anything from the waist down hereafter is impossible to contemplate, and I now only use search for items required for my business, but am often forced to give up, as the vast majority of the web has been co-opted by major retailers. Even though I have never been on social media, have no accounts with any of the retailers, people are telling me that they found me and my business through an LLM, of some flavor, and/or were convinced of my abilities from my "5 star ratings", I am too busy currently to unravel, exactly how the data is put together and then used, but quite clearly, there is no way to use the net (however "lightly"), and not be swallowed up and commodified.

    • By kgwxd 2025-11-17 14:58 | 1 reply

      The only reason these things work is because we let our browsers silently execute arbitrary code. That logic is more like saying it is OK to enter a house because the owner sent you an invitation, then greeted you at the door and said "GO NUTS!".

      • By jmward01 2025-11-17 20:08

        Trust is a powerful multiplier. By that I mean if you have trust in your city as a safe place you generally don't see bars on windows and have more open, inviting and usable spaces. You have more businesses and happier people. Right now the web is like the worst crime-ridden city in the world. There is 0 trust and it means we can't have nice things. Society builds trust by being open and allowing but with enforcement when things do happen. We need to bring that to the web. Right now the enforcement either happens beforehand by blocking something or not at all. I want good browser features. I want companies to use them for my benefit but I also want social and legal repercussions when those features are abused. We need to build up both of those in a durable way. When people see offending sites they should avoid them and spread the word that those businesses are bad. When they cross the line then we need enforcement of not just civil, but also criminal penalties. Basically, we need to avoid removing features and instead start evolving society to be able to interact in this environment in a way that we can trust it.

    • By gus_massa 2025-11-17 11:13 | 2 replies

      Isn't this covered by GDPR?

      • By timeon 2025-11-17 15:19

        Unfortunately, future of GDPR is uncertain: https://noyb.eu/en/eu-commission-about-wreck-core-principles...

      • By weberer 2025-11-17 13:36 | 1 reply

        GDPR has a massive exploit where you can do whatever you want as long as you declare it "legitimate interest".

        • By dns_snek 2025-11-17 14:02

          That must've escaped all of the legal teams of all the companies that have been fined. GDPR's biggest problem is its general lack of enforcement. Companies can still get away with just about anything because the overwhelming majority of violations are never investigated.

    • By dragochat 2025-11-17 09:12 | 2 replies

      If you visit my e.g. physical clothing store I'm allowed to monitor your in-shop behavior to better optimize my store for your needs. Same for a restaurant etc. That's how _you_ get _much improved services_ and I get _happier customers_.

      Ofc I'm not allowed to freaking resell that data. THIS is the problem online: reselling and data brokers. Just KILL these categories of businesses off completely and make _them_ criminal (like even give f prison sentences to their operators).

      We should get back to our sanity in ONLINE. As long as you're on _my (online) property_ and using _my services_ I can of course see EVERYTHING you f do, and should stop pretending I don't (as a business, ofc - anonymization exists and not any random employee can access any customer's data, probably should never access both data and identity correlated unless they're actively investigating some serious fraud). As long as I'm not sharing this data with anyone else, I should be 100% allowed to use every drop of this data to improve my services to you and totally differentiate myself from the incompetent competition that can't properly do this.

      Data privacy (from EU's GDPR to... everything else) only helps big corporations fend-off competition from small startups or boutique shops that could easily out-compete them by offering hyper-personalized hand tailored micro-optimized experiences for their smaller number of customers based on the loads of data they collect from them. In the EU I've only ever seen these kinds of laws severely hamper small boutique or family businesses that wanted to hyperpersonalize to everyone's gain while big corpos easily surf around them with their teams of lawyers.

      ...we've all been brainwashed by this privacy psyop to sheepishly "fight for our privacy" in ways that are detrimental to us and only help our corporate oligarch overlords maintain an even tighter grip on power, while offering us worse and worse services. Wake the f up, DATA IS MEANT TO BE USED to IMPROVE goods and services, not remain uncollected or sit unused!

      • By dragochat 2025-11-17 09:29

        + as a bonus we'd also incentivize businesses to internalize their marketing and related tech operations (since sharing data with 3rd parties would not be allowed), same for AI customizations etc., forcing them to tech-ify and become more tech-savvy businesses instead of externalizing all such things to evil big tech (e.g. a clothing store chain could compete not only by producing better clothes, but also by developing better monitoring and generative AI for human-in-the-loop hyperpersonalization, spreading tech out... instead of outsourcing these to tech or big-consulting companies as they do now, when the too-little data they collect anyhow is otherwise easily shareable with third parties)

      • By 1718627440 2025-11-17 11:21 | 1 reply

        > As long as you're on _my (online) property_ and using _my services_ I can of course see EVERYTHING you f do

        That's fine, but you are not allowed to send me malware, that runs on _my property_ and snoops on _my data_.

        Also data doesn't stop being mine, just because you have it. You also can't take photographs of random people and claim this is yours now. That's an important difference between the USA and European countries.

        • By dragochat 2025-11-17 15:00 | 1 reply

          Well, we'd probably agree on most things... and re the photography example, afaik model release forms work similarly in the EU and US, right?

          Now website code does typically run on your device, but I'd say that once you're a paid logged in user you clearly accepted to run it, under the conditions of it staying in its browser sandbox so... if you think it's "malware" then just stop being a customer. Otherwise software has a right to monitor its own operation.

          ...but yeah, maybe I missed the context a bit, a tracking pixel style tool will likely be used to track not customers but leads, so I do get your point, it gets trickier there and maybe privacy laws have a point there (as long as they stop there... hint: they usually don't!)

          • By 1718627440 2025-11-17 16:24

            > under the conditions of it staying in its browser sandbox so

            I consider fingerprinting my browser, by running programs and measuring the timings and characteristics of the browser to be a side-channel attack on the browser sandbox.

            > Otherwise software has a right to monitor its own operation.

            If websites would only "monitor its own operation", we would hardly have any discussion.

            > if you think it's "malware" then just stop being a customer.

            Easier said than done, when >90% of websites do this. Show me a mainstream corporation's website that works without JavaScript. You can hardly pay for a train ticket or make an appointment with government services without this crap.

            Also there must be some rules what software vendors are allowed to do, since the average user can hardly reverse-engineer all the websites they (need to) visit. This is what regulations like GDPR try to enforce.

            > and re the photography example, afaik model release forms work similarly in the EU and US, right?

            It's not about contracting a model, it's about doing a random photo shoot in public. People have the right to their own picture here, regardless of who takes that picture and who possesses it.

    • By yoavm 2025-11-17 11:16

      Umm... But it is criminal. The GDPR, at least, doesn't care how you track users - whether through cookies, local storage, favicons or whatever other mechanism you've developed. If you track users you must follow certain rules, and if you don't, you will be facing fines if/when you're caught.

  • By breppp 2025-11-16 20:21 | 7 replies

    I was sure this has been a thing for a while, either that or Safari has had a UI bug since forever.

    I regularly get the wrong favicon on specific sites, for example the Ars Technica favicon on Reddit.

    • By snailmailman 2025-11-16 23:48 | 5 replies

      My hacker news icon has been stuck as the icon for a weather site that I sometimes check. It’s been stuck that way for close to a year now, and has survived an iOS update too.

      It persists across profiles and into private browsing mode.

      • By grugagag 2025-11-17 01:47

        To me HN has been stuck as Facebook's icon for a really long time.

      • By 1718627440 2025-11-17 11:25 | 1 reply

        You guys have favicons? I don't have any in my tabs, but maybe I turned that off at some point. I'm using Mozilla Firefox.

        • By dewey 2025-11-17 14:32 | 1 reply

          Firefox and Safari both have favicons in the tabs.

          • By 1718627440 2025-11-17 16:03

            Yes, I also have them in general, e.g. on about:newtab, but for HN, there isn't any shown on the tab (there is if I make a bookmark). Maybe I messed something up.

      • By mycall 2025-11-17 01:25

        Could site icons be connected somehow to iCloud?

    • By throwup238 2025-11-17 04:01

      For me the iOS HN icon changes between the Reddit and GitHub ones, depending on which one I've been using the most on my phone recently. This happens on both iOS Safari and Kagi's Orion.

      I thought that this was just a bug in iOS but based on the comments in this thread, it seems to be common not only across OSes but browser vendors too (I assume iOS Orion uses the same engine as Safari)

    • By goodells 2025-11-16 21:41

      I thought I was the only one! Something in the UI cache is so horribly corrupted and it has been for years on my MacBook, I just gave up hope.

    • By prodigycorp 2025-11-17 01:17 | 1 reply

      Safari has super long lived favicon caches too. The only way to force a rebuild is to set your system clock forward a few years.

    • By supriyo-biswas 2025-11-17 07:35

      I have the same, the YouTube icon is the Hacker News icon, and the other way round. I have to assume this is some sort of race condition, data corruption, or something else, and it's quite widespread too given all these reports.

    • By croes 2025-11-16 23:40 | 1 reply

      I get the wrong one for HN in mobile Chrome.

      • By cubefox 2025-11-17 13:19

        So a similar favicon bug exists in Safari, Firefox, and Chrome. Impressive!

    • By robotnikman 2025-11-16 20:23

      I get the same bug in Firefox as well sometimes.

  • By gitmagic 2025-11-16 20:24 | 3 replies

    What is the live demo supposed to do? I just get stuck in an endless redirect loop with a counter going from 1 to 18 and then restarting. I’m using Safari on iOS.

    • By waitwhatwhoa 2025-11-16 20:59

      This was fixed after we reported it a few years ago while working on the paper.

    • By hekkle 2025-11-17 05:12

      Look at the GitHub repo:

      - The last update was 2 years ago.

      - It says that MS Edge 87 is affected. The current version of Edge is 142.

      This is no longer an issue, but it is interesting thinking about how long the NSA knew about this before the general population did.

    • By dizhn 2025-11-16 20:31 | 2 replies

      On Android/Firefox it showed me my unique ID after the first 18. Then there was a button to try again and that put me in the same loop you're having.

      • By QuantumNomad_ 2025-11-16 21:28

        Safari on iOS. It goes to 18/18 and then starts over from 1/18 again for me too. I had not pressed any retry button, this happened the first time I visited the page. And I wasn’t even in private browsing mode. Just navigated to it normally.

      • By int0x29 2025-11-16 20:40

        Firefox for Android private browsing mode gets stuck in the loop 100% for me
