Does bookmark favicon loading kinda just defeat anti-fingerprinting measures?

Been noticing that Safari is updating my bookmark thumbnails/favicons on launch (before I even do anything else), and I just had the thought that this is kind of just making a pretty unique fingerprint. I notice it with my Wikipedia:Random bookmark, where it actually must be loading the page in the background to get the article thumbnails. So for example, if I have a folder full of subreddit bookmarks, isn’t that just giving Reddit notice that it’s “me” again, even only using it logged out? I doubt Apple is proxying favicon requests.

Does anyone have any insight on how this works? Or know of a site that has a rotating favicon to test with? The WebKit site has all kinds of great info on privacy features, but can’t seem to find anything on this in particular.

3 Likes

What anti-fingerprinting measures are you referring to exactly that you’re thinking this renders it useless? It’s not clear to me.

1 Like

I guess I’m picturing a scenario where you open your browser, and because it requests 13 specific thumbnail/favicon updates, it kind of just outright identifies you as UserA every time. Even on a VPN’s IP, your device/browser type and these bookmarks probably get you pretty uniquely, right?

1 Like

Yes:

1 Like

That’s definitely a concerning technique, but I thought that was taken care of by limiting redirects? I can’t seem to find the documentation on thwarting this specifically though; sometimes those tech description blogs/pages feel like they aren’t indexed or something.

I was more talking though about something more passive. If Safari broadcasts the same set of favicon/thumbnail requests for specific webpages, it seems trivial to link that to a specific logged-out user.

1 Like

I do not know how Safari deals with this attack vector, but Firefox ESR and the Tor Browser partition network states to address supercookies and similar cache fingerprinting techniques.