I was sure this has been a thing for a while, either that or Safari has a UI bug since forever.
I regularly get the wrong favicon on specific sites, for example the Ars Technica favicon on Reddit.
I thought I was the only one! Something in the UI cache is so horribly corrupted and it has been for years on my MacBook, I just gave up hope.
I get the same bug in Firefox as well sometimes.
(2023) per readme.md date
(2021) per https://news.ycombinator.com/item?id=45948731
Previous comments (2021)
https://news.ycombinator.com/item?id=26051370
Needs a (2023) addition in the title
Make it 2021, actually. After these years, was this fixed?
It was fixed for me on Chrome.
What is the live demo supposed to do? I just get stuck in an endless redirect loop with a counter going from 1 to 18 and then restarting. I’m using Safari on iOS.
This was fixed after we reported it a few years ago while working on the paper.
Android/Firefox it showed me my unique ID after the first 18. Then there was a button to try again and that put me in the same loop you're having.
Safari on iOS. It goes to 18/18 and then starts over from 1/18 again for me too. I had not pressed any retry button, this happened the first time I visited the page. And I wasn’t even in private browsing mode. Just navigated to it normally.
Firefox for Android private browsing mode gets stuck in the loop 100% for me.
I just got a refresh per second and a counter from 1/18 to 18/18 and repeat. Feels like I wasted 20s.
Nonpersistent vm-based browser, I use qemu + cage + firefox and some glue logic to fire up a copy of a base image which gets deleted on exit. Fires up slower than a native firefox instance but runs all the same.
Can containerize for the less paranoid and less work but browsers touching host kernel gives me the ick as does the idea of trying to write eBPF policies for firefox to mitigate. Browsers are pain.
This sounds interesting, do you have this written up anywhere?
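A minimal sketch of the throwaway-image pattern described in the comment above, added here as an example and not the commenter's actual glue logic. The function names, the QEMU options and the qcow2 format are assumptions; the guest image is assumed to start cage and firefox on its own.

```shell
#!/bin/sh
# Added example: boot a browser VM from a private copy of a base image and
# delete that copy on exit, so cached state (favicons included) never persists.
# Usage (assumed path): run_ephemeral_vm /path/to/browser-base.qcow2

# Default launcher. Options are assumptions; adjust to the guest image.
qemu_launch() {
    qemu-system-x86_64 -enable-kvm -m 4096 \
        -drive "file=$1,format=qcow2,if=virtio"
}

# run_ephemeral_vm BASE_IMAGE [LAUNCHER [ARGS...]]
# The launcher receives the path of the throwaway disk as its last argument.
run_ephemeral_vm() {
    base=$1; shift
    [ -r "$base" ] || { echo "base image not readable: $base" >&2; return 2; }
    [ "$#" -gt 0 ] || set -- qemu_launch

    # Private scratch directory; its path stays in EPHEMERAL_DIR for inspection.
    EPHEMERAL_DIR=$(mktemp -d "${TMPDIR:-/tmp}/ephemeral-vm.XXXXXX") || return 1
    chmod 700 "$EPHEMERAL_DIR"
    disk="$EPHEMERAL_DIR/disk.img"

    # Subshell scopes the traps to this one session.
    (
        # Remove the copy however the session ends.
        trap 'rm -rf "$EPHEMERAL_DIR"' EXIT
        # Turn signals into a normal exit so the EXIT trap still runs.
        trap 'exit 130' INT TERM HUP

        # The base image is only ever read; all guest writes land in the copy.
        cp -- "$base" "$disk" || exit 1
        "$@" "$disk"
        exit $?
    )
}
```

Keeping the base image read-only for the user that runs the VM adds a second guard against the guest's state leaking back into it.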
Related discussion?
"Tales of Favicons and Caches: Persistent Tracking in Modern Browsers"
https://news.ycombinator.com/item?id=25868742
53 comments on 22-jan-2021
I have never liked how Safari always tries to reload favicons. Seems like an obvious and annoying privacy leak.
This is great, I needed more tools for tracking bad users who have been banned and try to ban evade. I have been using Samy Kamkar's evercookie which is pretty good but some of the techniques are dated.
Reminds me I noticed macOS Safari pulling in the favicons somewhat frequently when I load the new tab page with favorites on it.
Definitely something I don't want. Maybe I should just remove the favorites or maybe I can save them as redirects or HTML or something.
Note I use private windows most often & shoutout Little Snitch for driving the discovery.
It's a shame that the actual attack mechanism doesn't seem to be detailed on the GitHub repo, and the link to the article is dead.
Paper author here, here’s a valid link: https://www.cs.uic.edu/~polakis/papers/favicon.pdf
https://supercookie.me/workwise
I don't understand the live demo.
It gave me some ID, but how do I test that some different website can track me resulting in same ID?
Or is it only "detect private browsing/container on same browser" kind of stuff?
It could track you between site visits, at a minimum.
The demo didn't work for me. Safari, latest iOS.
Probably not a popular opinion here but I'm honestly impressed that someone made this work?
There is ad money at stake, and it is unfortunately one of the key revenue models in the modern web. I don't know if this particular research was sponsored by ad-tech or if it's preventive, but it shouldn't be generally surprising that this kind of thing is heavily researched.
I got different IDs in regular browsing vs incognito mode in Firefox.
Seems like Firefox made changes to address this kind of tracking in version 85.
Do you happen to know where the bug report is?
I got different IDs in regular browsing vs my first incognito window vs my second incognito window.
Does it work if you disable favicons? (I disabled favicons when I set up the computer, but for a different reason; it is a feature that I don't use.)
If websites can detect that you've disabled favicons, then you are easy to track between all websites because you are very unusual.