Supercookie: Browser Fingerprinting via Favicon (2021)

### How a Tiny Icon Can Track You: The Favicon Supercookie Explained
When you think about being tracked online, your mind probably jumps to cookies. These small text files have been the web’s primary method for remembering users for decades. But as users become more privacy-conscious—clearing their cookies, using private browsing modes, and installing blockers—trackers have been forced to get more creative. In 2021, a security researcher unveiled a chillingly clever technique that turned a seemingly harmless web feature into a persistent tracking tool: the favicon supercookie.
#### What is a Favicon, Anyway?
Before diving into the exploit, let’s remember what a favicon is. It’s that tiny icon you see in your browser tab, bookmarks bar, or history list next to a website’s name. It’s a branding element, a simple `favicon.ico` file that helps you visually identify a site. Its job is supposed to be simple and harmless. But it turns out the way browsers handle these little icons can be exploited.
#### The Ingenious Tracking Mechanism
The research, published by Jonas Strehle, demonstrated a method of creating a “supercookie”—a tracking identifier that is incredibly difficult for a user to delete. Unlike traditional cookies, this one doesn’t get wiped when you clear your browsing data, and it can even persist across regular and incognito browsing sessions.
Here’s a step-by-step breakdown of how it worked:
1. **Assigning a Unique ID:** When a new user visits a website, the server generates a unique ID for them, for example, a number like `8472`.
2. **Encoding the ID with Redirects:** The server doesn’t just store this ID. Instead, it translates the ID into a unique sequence of subdomains. The website then triggers a series of redirects, forcing the user’s browser to visit a specific combination of these subdomains.
3. **Forcing a Favicon Cache:** For each subdomain it’s redirected to, the browser automatically requests the favicon. These favicons are then stored in a dedicated favicon cache. This cache is separate from the regular browser cache, cookies, and local storage. This separation is the key to the entire exploit.
4. **Re-identifying the User:** When the user returns to the website—even in a new session or in incognito mode—the tracking script attempts to load the favicons from a large pool of possible subdomains.
5. **Reading the Cache:** By measuring the load times, the server can tell which favicons were served instantly (because they were already in the cache) and which ones had to be fetched from the network. The combination of cached favicons allows the server to perfectly reconstruct the original sequence of redirects, and thus, the user’s unique ID.
#### Why Was This So Alarming?
The favicon supercookie was particularly potent for several reasons:
* **Persistence:** It survived standard privacy-clearing actions. Users who diligently cleared their cookies, history, and cache were still being identified.
* **Cross-Mode Tracking:** The technique worked across browsing modes. The favicon cache was often shared between the regular and private (incognito) modes of a browser, breaking the isolation that users expect from private browsing.
* **No Consent:** The entire process was invisible to the user. There were no pop-ups, no permissions requested, and no easy way to opt out. It was a silent, background process that exploited default browser behavior.
#### The Aftermath and Browser Mitigations
The publication of this research sent a clear signal to browser developers: the “cat-and-mouse game” between trackers and privacy engineers had turned up a new, serious vulnerability that needed to be patched.
In response, major browser vendors implemented changes to protect their users. The primary fix was **cache partitioning**. This means that caches, including the favicon cache, are now “keyed” not just by the resource being requested but also by the top-level site that is making the request.
In simple terms, a favicon cached for `tracker.com` while you were visiting `newssite.com` is now stored in a separate “bucket” from a favicon cached for `tracker.com` while you were on `socialmedia.com`. This partitioning prevents one site from being able to check the cache state set by another site, effectively neutralizing this tracking vector.
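To make both the five-step mechanism above and the partitioning fix concrete, here is an added example in Python that is not code from Jonas Strehle's supercookie project or from any browser. It models the favicon cache as a small in-memory store, first keyed only by the favicon's host (the behaviour the technique relied on) and then keyed by (top-level site, favicon host). The tracker domain, the site names and the read-only probe are assumptions of the model; a real probe would also fetch and cache the misses, which the model leaves out.

```python
from __future__ import annotations

# Added example (not from the supercookie project): a toy model of the browser
# favicon cache, unpartitioned and partitioned. Domain names are constructed.

ID_BITS = 16                     # 16 subdomains encode IDs up to 65535
TRACKER = "tracker.example"      # constructed tracker domain


def pool_subdomains() -> list[str]:
    """The full pool of favicon-serving subdomains, one per ID bit."""
    return [f"{i}.{TRACKER}" for i in range(ID_BITS)]


def bit_subdomains(user_id: int) -> list[str]:
    """Subdomains the redirect chain visits to 'write' user_id: one per set bit."""
    return [host for i, host in enumerate(pool_subdomains()) if (user_id >> i) & 1]


class FaviconCache:
    """Unpartitioned cache: an entry is keyed by the favicon host alone, so a
    favicon cached while on one site is visible from every other site."""

    def __init__(self) -> None:
        self._entries: set = set()

    def key(self, top_level_site: str, favicon_host: str):
        return favicon_host

    def visit(self, top_level_site: str, favicon_host: str) -> None:
        """The browser lands on favicon_host (via a redirect) and caches its favicon."""
        self._entries.add(self.key(top_level_site, favicon_host))

    def is_cached(self, top_level_site: str, favicon_host: str) -> bool:
        """Read-only probe (assumption of the model: a real probe also fetches
        and caches the misses, so the real tracker needs extra bookkeeping)."""
        return self.key(top_level_site, favicon_host) in self._entries


class PartitionedFaviconCache(FaviconCache):
    """Partitioned cache: keyed by (top-level site, favicon host)."""

    def key(self, top_level_site: str, favicon_host: str):
        return (top_level_site, favicon_host)


def write_id(cache: FaviconCache, top_level_site: str, user_id: int) -> None:
    """Steps 1-3: the ID becomes a redirect chain through the subdomains of its set bits."""
    for host in bit_subdomains(user_id):
        cache.visit(top_level_site, host)


def read_id(cache: FaviconCache, top_level_site: str) -> int:
    """Steps 4-5: probe the whole pool and rebuild the ID from the cache hits."""
    user_id = 0
    for i, host in enumerate(pool_subdomains()):
        if cache.is_cached(top_level_site, host):
            user_id |= 1 << i
    return user_id


def cross_site_linkage(cache: FaviconCache, user_id: int) -> int:
    """Write the ID while the user is on one site, then read it back from another."""
    write_id(cache, "newssite.example", user_id)
    return read_id(cache, "socialmedia.example")


if __name__ == "__main__":
    print("unpartitioned:", cross_site_linkage(FaviconCache(), 8472))             # 8472
    print("partitioned:  ", cross_site_linkage(PartitionedFaviconCache(), 8472))  # 0
```

With the unpartitioned cache the ID written on `newssite.example` is read back intact from `socialmedia.example`; with the partitioned cache the same probe sees an empty bucket and recovers nothing. Note that a partitioned read from `newssite.example` itself still returns the ID: partitioning stops one site from checking cache state set by another, which is exactly the scope the paragraph above describes.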
While this specific favicon supercookie technique has been largely mitigated in modern, updated browsers like Chrome, Firefox, and Safari, it stands as a powerful reminder. It demonstrates that any browser feature, no matter how small or seemingly benign, can potentially be repurposed for tracking. The battle for online privacy is an ongoing effort, requiring constant vigilance from both users and the developers who build our gateways to the web.
