Statement from the NDSS 2021 Program Committee: NDSS is devoted to ethical principles and encourages the research community to ensure its work protects the privacy, security, and safety of users and others involved. While the NDSS 2021 PC appreciated the technical contributions of this paper, it was the subject of a debate in our community regarding the responsible disclosure of vulnerabilities for the Firefox web browser. The PC examined and discussed the ethics concerns raised and the authors’ response. Although no harm came to users, the authors’ oversight could have made a non-vulnerable browser vulnerable to the attack proposed in the paper. The PC does not believe the authors acted in bad faith. Nevertheless, we decided to add this note as well as the authors’ response (in an Appendix) to the paper because the NDSS PC takes both the ethics of responsible disclosure and fairness towards the authors seriously. It is the PC’s view that researchers must not engage in disclosure practices that subject users to an appreciable risk of substantial harm. NDSS will work with other conferences to further improve the transparency of vulnerability disclosure to reduce such errors in the future. Tales of F A V I C O N S and Caches: Persistent Tracking in Modern Browsers Konstantinos Solomos, John Kristoff, Chris Kanich, Jason Polakis University of Illinois at Chicago fksolom6, jkrist3, ckanich, [email protected] Abstract—The privacy threats of online tracking have gar- I. INTRODUCTION nered considerable attention in recent years from researchers and practitioners. This has resulted in users becoming more privacy- Browsers lie at the heart of the web ecosystem, as they cautious and browsers gradually adopting countermeasures to mediate and facilitate users’ access to the Internet. As the mitigate certain forms of cookie-based and cookie-less tracking. Web continues to expand and evolve, online services strive to Nonetheless, the complexity and feature-rich nature of modern offer a richer and smoother user experience; this necessitates browsers often lead to the deployment of seemingly innocuous appropriate support from web browsers, which continuously functionality that can be readily abused by adversaries. In this adopt and deploy new standards, APIs and features [76]. These paper we introduce a novel tracking mechanism that misuses a mechanisms may allow web sites to access a plethora of device simple yet ubiquitous browser feature: favicons. In more detail, and system information [55], [21] that can enable privacy- a website can track users across browsing sessions by storing a invasive practices, e.g., trackers leveraging browser features to tracking identifier as a set of entries in the browser’s dedicated favicon cache, where each entry corresponds to a specific sub- exfiltrate users’ Personally Identifiable Information (PII) [24]. domain. In subsequent user visits the website can reconstruct Naturally, the increasing complexity and expanding set of the identifier by observing which favicons are requested by the features supported by browsers introduce new avenues for browser while the user is automatically and rapidly redirected privacy-invasive or privacy-violating behavior, thus, exposing through a series of subdomains. More importantly, the caching of users to significant risks [53]. favicons in modern browsers exhibits several unique characteris- tics that render this tracking vector particularly powerful, as it is In more detail, while cookie-based tracking (e.g., through persistent (not affected by users clearing their browser data), non- third-party cookies [57]) remains a major issue [29], [9], destructive (reconstructing the identifier in subsequent visits does [69], tracking techniques that do not rely on HTTP cookies not alter the existing combination of cached entries), and even are on the rise [63], [16] and have attracted considerable crosses the isolation of the incognito mode. We experimentally attention from the research community (e.g., novel techniques evaluate several aspects of our attack, and present a series of for device and browser fingerprinting [25], [18], [82], [23], optimization techniques that render our attack practical. We [50]). Researchers have even demonstrated how new browser find that combining our favicon-based tracking technique with security mechanisms can be misused for tracking [78], and the immutable browser-fingerprinting attributes that do not change rise of online tracking [52] has prompted user guidelines and over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds. Furthermore, our attack works in all recommendations from the FTC [20]. major browsers that use a favicon cache, including Chrome and However, cookie-less tracking capabilities do not neces- Safari. Due to the severity of our attack we propose changes to sarily stem from modern or complex browser mechanisms browsers’ favicon caching behavior that can prevent this form (e.g., service workers [43]), but may be enabled by simple or of tracking, and have disclosed our findings to browser vendors overlooked browser functionality. In this paper we present a who are currently exploring appropriate mitigation strategies. novel tracking mechanism that exemplifies this, as we demon- strate how websites can leverage favicons to create persistent tracking identifiers. While favicons have been a part of the Network and Distributed Systems Security (NDSS) Symposium 2021 web for more than two decades and are a fairly simple website 21-25 February 2021, Virtual ISBN 1-891562-66-5 resource, modern browsers exhibit interesting and sometimes https://dx.doi.org/10.14722/ndss.2021.24202 fairly idiosyncratic behavior when caching them. In fact, the www.ndss-symposium.org favicon cache (i) is a dedicated cache that is not part of the browser’s HTTP cache, (ii) is not affected when users clear any website, without the need for user interaction or consent, the browser’s cache/history/data, (iii) is not properly isolated and works even when popular anti-tracking extensions are from private browsing modes (i.e., incognito mode), and (iv) deployed. To make matters worse, the idiosyncratic caching can keep favicons cached for an entire year [26]. behavior of modern browsers, lends a particularly egregious property to our attack as resources in the favicon cache are By leveraging all these properties, we demonstrate a novel used even when browsing in incognito mode due to im- persistent tracking mechanism that allows websites to re- proper isolation practices in all major browsers. Furthermore, identify users across visits even if they are in incognito mode our fingerprint-based optimization technique demonstrates the or have cleared client-side browser data. Specifically, websites threat and practicality of combinatorial approaches that use dif- can create and store a unique browser identifier through a ferent techniques to complement each other, and highlights the unique combination of entries in the favicon cache. To be more need for more holistic explorations of anti-tracking defenses. precise, this tracking can be easily performed by any website Guided by the severity of our findings we have disclosed our by redirecting the user accordingly through a series of subdo- findings to all affected browsers who are currently working on mains. These subdomains serve different favicons and, thus, remediation efforts, while we also propose various defenses create their own entries in the Favicon-Cache. Accordingly, a including a simple-yet-effective countermeasure that can mit- set of N-subdomains can be used to create an N-bit identifier, igate our attack. that is unique for each browser. Since the attacker controls the website, they can force the browser to visit subdomains In summary, our research contributions are: without any user interaction. In essence, the presence of the favicon for subdomaini in the cache corresponds to a value of • We introduce a novel tracking mechanism that allows 1 for the i-th bit of the identifier, while the absence denotes a websites to persistently identify users across browsing value of 0. sessions, even in incognito mode. Subsequently, we demonstrate how immutable browser fingerprints intro- We find that our attack works against all major browsers duce a powerful optimization mechanism that can be used that use a favicon cache, including Chrome, Safari, and the to augment other tracking vectors. more privacy-oriented Brave. We experimentally evaluate our • We conduct an extensive experimental evaluation of our attack methodology using common hosting services and devel- proposed attack and optimization techniques under var- opment frameworks, and measure the impact and performance ious scenarios and demonstrate the practicality of our of several attack characteristics. First, we experiment with the attack. We also explore the effect of popular privacy- size of the browser identifier across different types of devices enhancing browser extensions and find that while they (desktop/mobile) and network connections (high-end/cellular can impact performance they do not prevent our attack. network). While performance depends on the network condi- • Due to the severity of our attack, we have disclosed our tions and the server’s computational power, for a basic server findings to major browsers, setting in motion remediation deployed on Amazon AWS, we find that redirections between efforts to better protect users’ privacy, and also propose subdomains can be done within 110-180 ms. As such, for the caching strategies that