Track your target with just a favicon.

Post Author: @the_osps

Project Description

Tracking Users with Just a Favicon: The Supercookie Explained

You've probably heard of cookies, supercookies, and even zombie cookies. But what about tracking users using nothing more than a favicon? That tiny 16x16 pixel icon that sits in your browser tab might be doing more than just making sites look pretty.

Jonas Strehle's "supercookie" demonstrates a clever tracking technique that works even when users clear their cache or use private browsing. It's a proof-of-concept that shows how creative (and concerning) web tracking can get.

What It Does

Supercookie uses the favicon - yes, that little site icon - to assign your browser a unique identifier that persists across sessions. Unlike regular cookies that get cleared, this technique stores tracking data directly in the browser's favicon cache.

The implementation creates a unique pattern of colored favicons that act like a barcode for your browser. Once set, this identifier can be read back on subsequent visits, allowing sites to recognize you even after you've cleared cookies or switched to incognito mode.

Why It's Cool (and a Bit Scary)

The clever part here is the abuse of browser caching behavior. Browsers cache favicons aggressively to improve performance, and this project exploits that feature for tracking. The favicon cache isn't typically cleared when users delete regular browsing data, making this a persistent tracking method.
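To see why clearing cookies does not reset such an identifier, and which browser-side change does, here is a toy model added for this write-up (it is not code from the supercookie project). It assumes the pattern is encoded as which favicon paths sit in the icon cache, one path per bit; `ToyBrowser`, the `/bit/N` paths and the 8-bit width are hypothetical names and values chosen for the sketch.

```javascript
// Toy model, constructed for illustration; no network, no real browser API.
const BITS = 8; // assumed identifier width: one favicon path per bit

class ToyBrowser {
  constructor(clearFaviconsWithSiteData) {
    this.cookies = new Map();
    this.faviconCache = new Set(); // favicon paths held in the icon cache
    this.clearFaviconsWithSiteData = clearFaviconsWithSiteData;
  }
  // Returns true when the server sees a request (cache miss).
  loadFavicon(path, serverSendsCacheableIcon) {
    if (this.faviconCache.has(path)) return false; // hit: nothing sent
    if (serverSendsCacheableIcon) this.faviconCache.add(path);
    return true;
  }
  // "Clear cookies and site data" as the user sees it.
  clearSiteData() {
    this.cookies.clear();
    if (this.clearFaviconsWithSiteData) this.faviconCache.clear();
  }
}

// First visit: a cacheable icon is served only on paths whose bit is 1.
function writeId(browser, id) {
  for (let i = 0; i < BITS; i++) {
    if ((id >> i) & 1) browser.loadFavicon(`/bit/${i}`, true);
  }
}

// Later visit: a path that triggers no request was cached, so its bit is 1.
function readId(browser) {
  let id = 0;
  for (let i = 0; i < BITS; i++) {
    if (!browser.loadFavicon(`/bit/${i}`, false)) id |= 1 << i;
  }
  return id;
}

// Write an ID, clear site data, then report what can still be read back.
function afterClearing(clearFaviconsWithSiteData, id) {
  const browser = new ToyBrowser(clearFaviconsWithSiteData);
  browser.cookies.set("session", "constructed-value");
  writeId(browser, id);
  browser.clearSiteData();
  return { cookiesLeft: browser.cookies.size, recoveredId: readId(browser) };
}

console.log(afterClearing(false, 0xa5)); // icon cache kept separately
console.log(afterClearing(true, 0xa5)); // icon cache cleared with site data
```

In the model the cookie jar is empty in both runs, but the identifier is only lost when the favicon cache is cleared together with the rest of the site data.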

What makes this particularly interesting from a technical perspective:

  • It works without JavaScript (using just CSS and HTML)
  • Survives cache clearing in some browsers
  • Functions in private/incognito modes
  • Doesn't require any special permissions

For developers, it's a fascinating look at browser internals and caching behavior. For privacy advocates, it's a reminder of how tracking techniques continue to evolve.

How to Try It

You can see the supercookie in action yourself:

  1. Visit the live demo
  2. The site will generate and assign your unique identifier
  3. Try clearing cookies, using private browsing, or even restarting your browser
  4. Return to the site - it should still recognize you

To dig into the code or understand the implementation details, check out the GitHub repository. The project includes both the tracking mechanism and detection scripts.

Final Thoughts

While this is primarily a proof-of-concept, it highlights an important aspect of web development: sometimes the most innocent browser features can be repurposed in unexpected ways. As developers, understanding these techniques helps us build more secure applications and be aware of potential privacy implications.

This isn't something you'd likely implement in production (and hopefully browsers will patch this behavior), but it's a great example of creative problem-solving and understanding browser internals. It's the kind of project that makes you think differently about how browsers work and what "tracking" really means in 2024.

Project ID: 1991021788726505681
Last updated: November 19, 2025 at 05:52 AM