Tracking users with favicons, even in incognito mode
19 comments
·November 16, 2025martin_a
Needs a (2023) addition in the title
breppp
I was sure this has been a thing for a while, either that or safari has a UI bug since forever.
I regularly get the wrong favicon in specific sites, for example ars technica favicon in reddit
goodells
I thought I was the only one! Something in the UI cache is so horribly corrupted and it has been for years on my MacBook, I just gave up hope.
robotnikman
I get the same bug in Firefox as well sometimes.
Barbing
Reminds me I noticed macOS Safari pulling in the favicons somewhat frequently when I load the new tab page with favorites on it.
Definitely something I don't want. Maybe I should just remove the favorites or maybe I can save them as redirects or HTML or something.
Note I use private windows most often & shoutout Little Snitch for driving the discovery.
HelloUsername
Related discussion?
"Tales of Favicons and Caches: Persistent Tracking in Modern Browsers"
https://news.ycombinator.com/item?id=25868742
53 comments on 22-jan-2021
gitmagic
What is the live demo supposed to do? I just get stuck in an endless redirect loop with a counter going from 1 to 18 and then restarting. I’m using Safari on iOS.
waitwhatwhoa
This was fixed after we reported it a few years ago while working on the paper.
dizhn
Android/Firefox it showed me my unique ID after the first 18. Then there was a button to try again ans that put me in the same loop you're having.
QuantumNomad_
Safari on iOS. It goes to 18/18 and then starts over from 1/18 again for me too. I had not pressed any retry button, this happened the first time I visited the page. And I wasn’t even in private browsing mode. Just navigated to it normally.
int0x29
FireFox for Android private browsing mode gets stuck in the loop 100% for me
vanschelven
It's a shame that the actual attack mechanism doesn't seem to be detailed on the github repo, and the link to the article is dead.
waitwhatwhoa
Paper author here, here’s a valid link: https://www.cs.uic.edu/~polakis/papers/favicon.pdf
Strongbad536
Probably not a popular opinion here but i'm honestly impressed that someone made this work?
soulofmischief
I got different IDs in regular browsing vs incognito mode in Firefox.
bravoetch
Seems like Firefox made changes to address this kind of tracking in version 85.
zzo38computer
Does it work if you disable favicons? (I disabled favicons when I set up the computer, but for a different reason; it is a feature that I don't use.)
sjdonado
The demo didn't work for me. Safari latest ios
Previous comments (2021)
https://news.ycombinator.com/item?id=26051370