
Is this as bad as it sounds?
Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user.
The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the operating system, using a VPN or installing AdBlockers. 🍿 Live demo.
152 sats \ 3 replies \ @k00b 3h
The attack requires floor(log2(id))+1 redirects where id is a numerical identifier.
They have a chart here which expresses the feasibility in terms of how many seconds it takes to perform the redirects required for generating ids in ranges of a certain size.
If someone were to use this attack at scale, they would probably pair it with some other kind of browser fingerprinting, because this is basically another, expensive but precise, method of fingerprinting.
If your browser redirects you more than a few times when you visit a website, I don't know what would make you stay/return.
reply
Don’t browsers stop redirecting after a certain number? I think there’s literally an error code in Chromium for too many redirects.
reply
50 sats \ 1 reply \ @k00b 1h
Their demo manages to do 36 of them. Perhaps the limit only applies to server-side redirects.
reply
Oh yea, probably so.
reply
It's cute but doesn't seem very practical. It also only lets them identify that a browser visited their site previously. I don't think it lets them track any of your internet activity outside that website even if they've identified your browser.
reply