
Is this as bad as it sounds?
Supercookie uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user.
The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the operating system, using a VPN or installing AdBlockers. 🍿 Live demo.
173 sats \ 3 replies \ @k00b 20h
The attack requires floor(log2(id))+1 redirects where id is a numerical identifier.
They have a chart here which expresses the feasibility in terms of how many seconds it takes to perform the redirects required for generating ids in ranges of a certain size.
If someone were to use this attack at scale, they would probably pair it with some other kind of browser fingerprinting, because this is basically another, expensive but precise, method of fingerprinting.
If your browser redirects you more than a few times when you visit a website, I don't know what would make you stay/return.
reply
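The redirect count in the comment above can be checked against a small model of the scheme. The code below is an added example, not code from the supercookie repository: it simulates a tracking server and a browser with a favicon cache in one process, stores bit i of the visitor id in whether `/favicon/i` is cached, and uses an assumed 32-bit id space (`ID_BITS`) for the read chain. All names and the `/favicon/<i>` paths are assumptions of this model.

```javascript
// Added example (not the supercookie project's code): a simplified model of
// favicon-cache tracking. Server and browser are both simulated here.

// Width of the id space; every read chain walks this many hops.
// (Assumption for this model; the thread reports the demo doing 36.)
const ID_BITS = 32;

// Redirect hops needed to write a given id: floor(log2(id)) + 1, which is
// simply the bit length of id (the figure quoted in the thread).
function hopsFor(id) {
  if (!Number.isInteger(id) || id < 1 || id >= 2 ** ID_BITS) {
    throw new RangeError(`id must be an integer in [1, 2^${ID_BITS})`);
  }
  return id.toString(2).length;
}

// Bit i of id, computed without 32-bit signed shift pitfalls.
function bitAt(id, i) {
  return Math.floor(id / 2 ** i) % 2 === 1;
}

// Hypothetical tracking server. Bit i of an id is stored in whether the
// favicon at /favicon/i sits in the visitor's favicon cache.
class TrackingServer {
  constructor() {
    this.nextId = 1; // 0 is reserved to mean "no id stored yet"
  }

  // Write chain: one hop per bit of id. On hop i the server serves a
  // favicon (bit 1) or answers 404 (bit 0), so only the 1-bits get cached.
  writeChain(id) {
    return Array.from({ length: hopsFor(id) }, (_, i) => ({
      path: `/favicon/${i}`,
      serveIcon: bitAt(id, i),
    }));
  }

  // Read chain: walk every bit position. The server answers 404 to all
  // favicon requests on this chain so the cache is left exactly as it was.
  readChain() {
    return Array.from({ length: ID_BITS }, (_, i) => `/favicon/${i}`);
  }

  // A favicon the browser did NOT request was already cached, i.e. bit 1.
  decode(requestedPaths) {
    const requested = new Set(requestedPaths);
    let id = 0;
    for (let i = 0; i < ID_BITS; i++) {
      if (!requested.has(`/favicon/${i}`)) id += 2 ** i;
    }
    return id;
  }
}

// Simulated browser whose favicon cache is modelled as a plain Set.
class Browser {
  constructor() {
    this.faviconCache = new Set();
  }

  // Follow a write chain: ask for the favicon on each hop; cache it if served.
  follow(hops) {
    for (const hop of hops) if (hop.serveIcon) this.faviconCache.add(hop.path);
  }

  // Follow a read chain: request only favicons not already cached and
  // return the requested paths, which is all the server gets to observe.
  probe(paths) {
    return paths.filter((p) => !this.faviconCache.has(p));
  }
}

// One page visit: try to read an id; if none is stored, assign and write one.
// Returns the id plus the number of redirects the visitor just sat through.
function visit(server, browser) {
  const seen = server.decode(browser.probe(server.readChain()));
  if (seen !== 0) return { id: seen, redirects: ID_BITS, returning: true };
  const id = server.nextId++;
  browser.follow(server.writeChain(id));
  return { id, redirects: ID_BITS + hopsFor(id), returning: false };
}
```

Note the cost this model makes explicit: even a returning visitor pays `ID_BITS` redirects on every visit, and a first visit pays that plus the write chain, which is the practicality problem the rest of the thread turns on.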
Don't browsers stop redirecting after a certain number? I think there's literally an error code in Chromium for too many redirects.
reply
50 sats \ 1 reply \ @k00b 18h
Their demo manages to do 36 of them. Perhaps the limit only applies to server-side redirects.
reply
Oh yea, probably so.
reply
123 sats \ 5 replies \ @optimism 8h
This repo was created 4 years ago. Questions:
  1. Why does it pop up now?
  2. What makes us think that this has been ignored by privacy focused implementations like Brave or Safari in Lockdown Mode?
reply
Good point about the age of the repo. I found out about it because Alex Lewin mentioned it. I'm not sure what brought it across his radar.
Seems like consensus here is that it requires so many redirects that it's not particularly practical.
reply
102 sats \ 3 replies \ @optimism 7h
Alex Lewin
Is that a browser security researcher?
Seems like consensus here is that it requires so many redirects that it's not particularly practical.
To me it's more that this is easy to fix within a few days, let alone 4 years. I can go test it out though... but I fear I'd waste my time.
reply
It's probably a waste of time.
Alex Lewin is a lightning developer, who I believe works on fedi.
reply
102 sats \ 1 reply \ @optimism 7h
Alright. I'll try it out at some point, just so we know whether they should be listened to.
reply
I believe he came to a similar conclusion as others here (just after I posted it here):
reply
102 sats \ 0 replies \ @adlai 15h
fonts are worse
reply
It's cute but doesn't seem very practical. It also only lets them identify that a browser visited their site previously. I don't think it lets them track any of your internet activity outside that website even if they've identified your browser
reply