[HN Gopher] Tracking users with favicons, even in incognito mode
___________________________________________________________________
Tracking users with favicons, even in incognito mode
Author : vxvrs
Score : 126 points
Date : 2025-11-16 19:39 UTC (3 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| breppp wrote:
| I was sure this has been a thing for a while, either that or
| Safari has a UI bug since forever.
|
| I regularly get the wrong favicon in specific sites, for example
| Ars Technica favicon in Reddit
| robotnikman wrote:
| I get the same bug in Firefox as well sometimes.
| goodells wrote:
| I thought I was the only one! Something in the UI cache is so
| horribly corrupted and it has been for years on my MacBook, I
| just gave up hope.
| gitmagic wrote:
| What is the live demo supposed to do? I just get stuck in an
| endless redirect loop with a counter going from 1 to 18 and then
| restarting. I'm using Safari on iOS.
| dizhn wrote:
| Android/Firefox it showed me my unique ID after the first 18.
| Then there was a button to try again and that put me in the
| same loop you're having.
| int0x29 wrote:
| Firefox for Android private browsing mode gets stuck in the
| loop 100% for me
| QuantumNomad_ wrote:
| Safari on iOS. It goes to 18/18 and then starts over from
| 1/18 again for me too. I had not pressed any retry button,
| this happened the first time I visited the page. And I wasn't
| even in private browsing mode. Just navigated to it normally.
| waitwhatwhoa wrote:
| This was fixed after we reported it a few years ago while
| working on the paper.
| zzo38computer wrote:
| Does it work if you disable favicons? (I disabled favicons when I
| set up the computer, but for a different reason; it is a feature
| that I don't use.)
| soulofmischief wrote:
| I got different IDs in regular browsing vs incognito mode in
| Firefox.
| bravoetch wrote:
| Seems like Firefox made changes to address this kind of
| tracking in version 85.
| denismi wrote:
| I got different IDs in regular browsing vs my first incognito
| window vs my second incognito window.
| vanschelven wrote:
| It's a shame that the actual attack mechanism doesn't seem to be
| detailed on the GitHub repo, and the link to the article is dead.
| waitwhatwhoa wrote:
| Paper author here, here's a valid link:
| https://www.cs.uic.edu/~polakis/papers/favicon.pdf
| majkinetor wrote:
| https://supercookie.me/workwise
| sjdonado wrote:
| The demo didn't work for me. Safari latest iOS
| HelloUsername wrote:
| Related discussion?
|
| "Tales of Favicons and Caches: Persistent Tracking in Modern
| Browsers"
|
| https://news.ycombinator.com/item?id=25868742
|
| 53 comments on 22-jan-2021
| Strongbad536 wrote:
| Probably not a popular opinion here but I'm honestly impressed
| that someone made this work?
| alentred wrote:
| There is ad money at stake, and it is unfortunately one of the
| key revenue models in the modern web. I don't know if this
| particular research was sponsored by ad-tech or if it's
| preventive, but it shouldn't be generally surprising that these
| kinds of things are heavily researched.
| martin_a wrote:
| Needs a (2023) addition in the title
| iammjm wrote:
| Make it 2021 actually. After these years, was this fixed?
| abirch wrote:
| It was fixed for me on Chrome.
| Barbing wrote:
| Reminds me I noticed macOS Safari pulling in the favicons
| somewhat frequently when I load the new tab page with favorites
| on it.
|
| Definitely something I don't want. Maybe I should just remove the
| favorites or maybe I can save them as redirects or HTML or
| something.
|
| Note I use private windows most often & shoutout Little Snitch
| for driving the discovery.
| nrhrjrjrjtntbt wrote:
| Previous comments (2021)
|
| https://news.ycombinator.com/item?id=26051370
| NooneAtAll3 wrote:
| I don't understand the live demo
|
| It gave me some ID, but how do I test that some different website
| can track me resulting in same ID?
|
| Or is it only "detect private browsing/container on same browser"
| kind of stuff?
| xandrius wrote:
| I just got a refresh per second and a counter from 1/18 to 18/18
| and repeat. Feels like I wasted 20s.
| scrps wrote:
| Nonpersistent vm-based browser, I use qemu + cage + firefox and
| some glue logic to fire up a copy of a base image which gets
| deleted on exit. Fires up slower than a native firefox instance
| but runs all the same.
|
| Can containerize for the less paranoid and less work but browsers
| touching host kernel gives me the ick as does the idea of trying
| to write ebpf policies for firefox to mitigate. Browsers are
| pain.
| captainkrtek wrote:
| This sounds interesting, do you have this written up anywhere?
| musicale wrote:
| I have never liked how Safari always tries to reload favicons.
| Seems like an obvious and annoying privacy leak.
___________________________________________________________________
(page generated 2025-11-16 23:00 UTC)