GitHub - jonasstrehle/supercookie: โš ๏ธ Browser fingerprinting via favicon!

supercookie

Languages used

Website Status License

Supercookie uses favicons to assign a unique identifier to website visitors.
Unlike traditional tracking methods, this ID can be stored almost persistently and cannot be easily cleared by the user.

The tracking method works even in the browser's incognito mode and is not cleared by flushing the cache, closing the browser or restarting the system, using a VPN or installing AdBlockers. ๐Ÿฟ Live demo[1].

About

๐Ÿ’ญ Inspiration

๐Ÿชง Purpose

This repository is for educational and demonstration purposes only!

The demo of "supercookie" as well as the publication of the source code of this repository is intended to draw attention to the problem of tracking possibilities using favicons.

๐Ÿ“• Full documentation[2]

Installation

๐Ÿ”ง Docker

requirements: Docker daemon[3]

  1. Clone repository
git clone https://github.com/jonasstrehle/supercookie
  1. Update .env file in supercookie/server/.env[4]
HOST_MAIN=yourdomain.com #or localhost:10080 PORT_MAIN=10080  HOST_DEMO=demo.yourdomain.com #or localhost:10081 PORT_DEMO=10081
  1. Run container
cd supercookie/server docker-compose up

-> Webserver will be running at https://yourdomain.com[5]

Local machine

requirements: Node.js[6]

  1. Clone repository
git clone https://github.com/jonasstrehle/supercookie
  1. Update .env file in supercookie/server/.env[7]
HOST_MAIN=localhost:10080 PORT_MAIN=10080  HOST_DEMO=localhost:10081 PORT_DEMO=10081
  1. Run service
cd supercookie/server node main.js

-> Webserver will be running at http://localhost:10080[8]

๐Ÿ“– Background[9]

Modern browsers offer a wide range of features to improve and simplify the user experience. One of these features are the so-called favicons: A favicon is a small (usually 16ร—16 or 32ร—32 pixels) logo used by web browsers to brand a website in a recognizable way. Favicons are usually shown by most browsers in the address bar and next to the page's name in a list of bookmarks.

To serve a favicon on their website, a developer has to include an attribute in the webpageโ€™s header. If this tag does exist, the browser requests the icon from the predefined source and if the server response contains an valid icon file that can be properly rendered this icon is displayed by the browser. In any other case, a blank favicon is shown.

<link rel="icon" href="/favicon.ico" type="image/x-icon">

The favicons must be made very easily accessible by the browser. Therefore, they are cached in a separate local database on the system, called the favicon cache (F-Cache). A F-Cache data entries includes the visited URL (subdomain, domain, route, URL paramter), the favicon ID and the time to live (TTL). While this provides web developers the ability to delineate parts of their website using a wide variety of icons for individual routes and subdomains, it also leads to a possible tracking scenario.

When a user visits a website, the browser checks if a favicon is needed by looking up the source of the shortcut icon link reference of the requested webpage. The browser initialy checks the local F-cache for an entry containing the URL of the active website. If a favicon entry exists, the icon will be loaded from the cache and then displayed. However, if there is no entry, for example because no favicon has ever been loaded under this particular domain, or the data in the cache is out of date, the browser makes a GET request to the server to load the site's favicon.

๐Ÿ’ฃ Threat Model[10]

In the article a possible threat model is explained that allows to assign a unique identifier to each browser in order to draw conclusions about the user and to be able to identify this user even in case of applied anti-fingerprint measures, such as the use of a VPN, deletion of cookies, deletion of the browser cache or manipulation of the client header information.

A web server can draw conclusions about whether a browser has already loaded a favicon or not: So when the browser requests a web page, if the favicon is not in the local F-cache, another request for the favicon is made. If the icon already exists in the F-Cache, no further request is sent. By combining the state of delivered and not delivered favicons for specific URL paths for a browser, a unique pattern (identification number) can be assigned to the client. When the website is reloaded, the web server can reconstruct the identification number with the network requests sent by the client for the missing favicons and thus identify the browser.

Supercookie Header

conventional cookies

supercookie

Identification accuracy - 100%
Incognito / Private mode detection โŒ โœ…
Persistent after flushed website cache and cookies โŒ โœ…
Identify multiple windows โŒ โœ…
Working with Anti-Tracking SW โŒ โœ…

๐ŸŽฏ Target[11]

It looks like all top browsers ( Chrome[12], Firefox[13], Safari[14], Edge[15]) are vulnerable to this attack scenario.
Mobile browsers are also affected.

Browser

Windows

MacOS

Linux

iOS

Android

Chrome (v 87.0) โœ… โœ… โœ… โœ… โœ…
Safari (v 14.0) - โœ… - โœ… -
Edge (v 87.0) โœ… โœ… โŒ - โœ…
Firefox (v 84.0) โœ… โœ… โ” โŒ โœ…

โš™ Scalability & Performance[16]

By varying the number of bits that corresponds to the number of redirects to subpaths, this attack can be scaled almost arbitrarily. It can distinguish 2^N unique users, where N is the number of redirects on the client side. The time taken for the read and write operation increases as the number of distinguishable clients does.
In order to keep the number of redirects as minimal as possible, N can have a dynamic length. More about this here[17].

Other

๐Ÿ™Žโ€โ™‚๏ธ About me[18]

I am a twenty year old student from ๐Ÿ‡ฉ๐Ÿ‡ช Germany. I like to work in software design and development and have an interest in the IT security domain.

This repository, including the setup of a demonstration portal, was created within two days as part of a private research project on the topic of "Tracking on the Web".

๐Ÿ’– Support the project[19]

ko-fi

Spread the world!

Liked the project? Just give it a star โญ and spread the world!

References

  1. ^ Live demo (supercookie.me)
  2. ^ Full documentation (supercookie.me)
  3. ^ Docker daemon (docs.docker.com)
  4. ^ supercookie/server/.env (github.com)
  5. ^ https://yourdomain.com (yourdomain.com)
  6. ^ Node.js (nodejs.org)
  7. ^ supercookie/server/.env (github.com)
  8. ^ http://localhost:10080 (localhost)
  9. ^ ๐Ÿ“– Background (supercookie.me)
  10. ^ ๐Ÿ’ฃ Threat Model (supercookie.me)
  11. ^ ๐ŸŽฏ Target (supercookie.me)
  12. ^ Chrome (google.com)
  13. ^ Firefox (www.mozilla.org)
  14. ^ Safari (www.apple.com)
  15. ^ Edge (www.microsoft.com)
  16. ^ โš™ Scalability & Performance (supercookie.me)
  17. ^ here (supercookie.me)
  18. ^ ๐Ÿ™Žโ€โ™‚๏ธ About me (jonas.strehles.info)
  19. ^ ๐Ÿ’– Support the project (ko-fi.com)
keywords

No Items Found.

Add Comment
Type in a Nick Name here
 
Other Items in webdev
Font Awesome Icons [ Icons ] - CSS Bundle Daily Dev Tips CSS Background Patterns by MagicPattern GitHub - ganlanyuan/tiny-slider: Vanilla javascript slider for all purposes. GitHub - jonasstrehle/supercookie: โš ๏ธ Browser fingerprinting via favicon! URL-encoder for SVG Bootstrap Icons ยท Official open source SVG icon library for Bootstrap GitHub - kognise/water.css: A drop-in collection of CSS styles to make simple websites just a little nicer Toggle light and dark themes in Bootstrap - DEV Deploy your Publish website for free on GitHub Pages - DEV Bootstrap ยท The most popular HTML, CSS, and JS library in the world. GitHub - diegocard/awesome-html5: A curated list of awesome HTML5 resources Fixing PHP SQLite database is locked warning - Unable to execute statement: database is locked [ php ] - KruXoR openstreetmap.org 50 Developer tools to make your life a little easier https://www.mrlacey.com/2020/07/youve-only-added-two-lines-why-did-that.html?m=1 GitHub - ForEvolve/bootstrap-dark: Bootstrap 4 dark theme that supports togging dark/light themes as well. There is no fluff, it changes the color of Bootstrap and that's it, no new thing to learn or unlearn, just Bootstrap, but Dark! Responsive Web Design Online Testing - isResponsive Trianglify.io ยท Low Poly Pattern Generator Grid.js - Advanced table plugin HEAD - A free guide to <head> elements Roots | Modern WordPress Development Tools A Local Dev Tool For Every Project | Lando new.css Synchronized responsive testing, development, inspection |ย Vanamco Gold Price Charts Widgets | GoldBroker.com Trianglify.io ยท Low Poly Pattern Generator Special tags that Google understands - Search Console Help 404 Error Page Codepen ScrollMagic โ™ฅ Demo AOS - Animate on scroll library Font Awesome v4.7.0 - Icon Search Tool Carbon Offers โ€” LowEndTalk Featherlight โ€“ The ultra slim jQuery lightbox. Tailwind CSS - A Utility-First CSS Framework for Rapidly Building Custom Designs HEAD - A free guide to <head> elements API Blueprint | API Blueprint Filtering Data Client-Side: Comparing CSS, jQuery, and React | CSS-Tricks CSS Quickies: CSS Variables - Or how you create a ๐ŸŒžwhite/๐ŸŒ‘dark theme easily - DEV Community ๐Ÿ‘ฉโ€๐Ÿ’ป๐Ÿ‘จโ€๐Ÿ’ป Responsive Slider Timeline Colormind - the AI powered color palette generator Get Waves โ€“ Create SVG waves for your next design Nuxt.js - The Vue.js Framework CodeSandbox: Online Code Editor Tailored for Web Application Development Hover.css - A collection of CSS3 powered hover effects Live.js - One script closer to Designing in the Browser Color this sofa! โ€“ SVG + Blend Mode trick You Might Not Need jQuery CSS Wave Animation with a .png
Search Linx
Search Linx by entering your search text above.
Welcome

This is my test area for webdev. I keep a collection of code here, mostly for my reference. Also if i find a good link, i usually add it here and then forget about it. more...

Subscribe to weekly updates about things i have added to the site or thought interesting during the last week.

You could also follow me on twitter or not... does anyone even use twitter anymore?

If you found something useful or like my work, you can buy me a coffee here. Mmm Coffee. โ˜•

โค๏ธ๐Ÿ‘ฉโ€๐Ÿ’ป๐ŸŽฎ

๐Ÿชฆ 2000 - 16 Oct 2022 - Boots
Random Quote
Treasure every moment that you have and treasure it more because you shared it with someone special, special enough to spend your time...and remember that time waits for no one.
Unknown
Random CSS Property

transform-style

The transform-style CSS property sets whether children of an element are positioned in the 3D space or are flattened in the plane of the element.
transform-style css reference