Back to Home11/16/2025, 7:39:52 PM

Supercookie: Browser Fingerprinting via Favicon (2021)

vxvrs
356 points
100 comments

Mood

thoughtful

Sentiment

mixed

Category

tech

Key topics

browser fingerprinting

online tracking

privacy

Debate intensity60/100

The 'supercookie' technique uses favicon caching to track users across websites, sparking discussion on browser security, online tracking, and the need for stronger privacy protections.

Snapshot generated from the HN discussion

Discussion Activity

Very active discussion

First comment

7h

Peak period

39

Day 1

Avg / period

20

Comment distribution40 data points

Based on 40 loaded comments

Key moments

  1. 01Story posted

    11/16/2025, 7:39:52 PM

    2d ago

    Step 01
  2. 02First comment

    11/17/2025, 3:09:30 AM

    7h after posting

    Step 02
  3. 03Peak activity

    39 comments in Day 1

    Hottest window of the conversation

    Step 03
  4. 04Latest activity

    11/17/2025, 8:08:59 PM

    1d ago

    Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (100 comments)
Showing 40 comments of 100
Catagris
2d ago
1 reply
Nice to see Brave patched it though.
cachius
2d ago
1st patch: https://github.com/brave/brave-core/commits/master/patches/c...

Rename thumbnail to favicon: https://github.com/brave/brave-core/commits/master/patches/c...

Then abandoned in favor of Chromium including favicons in the regular cache https://news.ycombinator.com/item?id=45954466

jmward01
2d ago
6 replies
At some point we need actual consequences for sites that intentionally hide their tracking. It should be criminal. It is stalking and has real world consequences. Just because an exploit exists doesn't mean it should be used. That logic is like saying it is OK to break into a house because the lock on the door was weak. If we don't get real protections, at what point does it become justified to go offensive against sites that exploit things like this? If I found someone putting trackers on me with the intent to sell that information (harm me) I would defend myself. When am I allowed to do that in the digital world?

Quick side note here. I appreciate the research calling this out. We need to know the dangers out there to figure out how to protect ourselves, especially since governments don't seem to take this seriously.

bravoetch
2d ago
1 reply
I think two things keep the status quo where the end-user is exploited and attacked constantly. The first is the VC / Startup model. Because VC is the true customer, and not the end-user. The second is the current marketing and advertising model. Can it keep working well enough to be worth the money? When it's not, the bottom falls out.

Old business model: solve a problem for your customer, add some value, take home a cut. Current business model: solve investment return for your investors, get the returns by addicting your end-user to something they don't need. Future business model: ?

halapro
2d ago
> The first is the VC / Startup model. Because VC is the true customer, and not the end-user.

I don't see how that's related? Anyone looking to increase their revenue looks at tracking. Even I, with my popular open source projects, receive emails to add tracking, let alone business that need money to pay their employees.

dragochat
2d ago
2 replies
If you visit my eg. physical clothing store I'm allowed to monitor your in-shop behavior to better optimize my store for your needs. Same for a restaurant etc. That how _you_ get _much improved services_ and I get _happier customers_.

Ofc I'm not allowed to freaking resell that data. THIS is the problem in online: releseling and data-brokers. Just KILL these categories of businesses off completely and make _them_ criminal (like even give f prison sentences to them).

We should get back to our sanity in ONLINE. As long as you're on _my (online) property_ and using _my services_ I can of course see EVERYTHING you f do, and should stop pretending I don't. As long as I'm not sharing this data with anyone else, I should be 100% allowed to use every drop of this data to improve my services to you and totally differentiate myself from the incompetent competition that can't properly do this.

Data privacy (from EU's GDPR to... everything else) only helps big corporations fend-off competition from small startups of boutique shops that could easily out-compete them by offering hyper-personalized hand tailored micro-optimized experiences for their smaller number of customers based on the loads of data they collect from them.

...we've all been brainwashed by this privacy psyop to sheepishly "fight for our privacy" in ways that are detrimental to us and only help our corporate oligarch overlords maintains an even tighter grip on power, while offering us worse and worse services. Wake the f up, DATA IS MEANT TO BE USED to IMPROVE goods and services, not remain uncollected or sit unused!

1718627440
2d ago
1 reply
> As long as you're on _my (online) property_ and using _my services_ I can of course see EVERYTHING you f do

That's fine, but you are not allowed to send me malware, that runs on _my property_ and snoops on _my data_.

Also data doesn't stop being mine, just because you have it. You also can't take photographs of random people and claim this is yours now. That's an important difference between the USA and European countries.

dragochat
2d ago
1 reply
Well, we'd probably agree on most things... and re the photography example, afaik model release forms work similarly in the EU and US, right?

Now website code does typically run on your device, but I'd say that once you're a paid logged in user you clearly accepted to run it, under the conditions of it staying in its browser sandbox so... if you think it's "malware" then just stop being a customer. Otherwise software has a right to monitor its own operation.

1718627440
2d ago
> under the conditions of it staying in its browser sandbox so

I consider fingerprinting my browser, by running programs and measuring the timings and characteristics of the browser to be a side-channel attack on the browser sandbox.

> Otherwise software has a right to monitor its own operation.

If websites would only "monitor its own operation", we would hardly have any discussion.

> if you think it's "malware" then just stop being a customer.

Easier said than done, when >90% of websites do this. Show me a mainstream corporations website, that work without Javascript. You can hardly pay for a train ticket and make an appointment to government services, without these crap.

Also there must be some rules what software vendors are allowed to do, since the average user can hardly reverse-engineer all the websites they (need to) visit. This is what regulations like GDPR try to enforce.

> and re the photography example, afaik model release forms work similarly in the EU and US, right?

It's not about contracting a model, it's about doing a random photoshot in public. People have the right to their own picture here, irregardless of who takes that picture and who posses it.

dragochat
2d ago
+ as a bonus we'd also incentivize businesses to internalize their marketing and related tech operations (since sharing data with 3rd parties would not be allowed), same for AI-customizations etc., forcing them to tech-ify and become more tech-savy businesses instead of externalizing all such things to evil big tech (eg. a clothing store chain could compete not only by producing better clothes, but also by developing better monitoring and generative AI for human-in-the-loop hyperpersonalization, spreading tech out... instead of outsourcing these to tech or big-consulting companies as they do now when the too-little-data they so collect anyhow is otherwise easily share-able to third parties)
gus_massa
2d ago
2 replies
Isn't this covered by GDPR?
weberer
2d ago
1 reply
GDPR has a massive exploit where you can do whatever you want as long as you declare it "legitimate interest".
dns_snek
2d ago
[delayed]
timeon
2d ago
Unfortunately, future of GDPR is uncertain: https://noyb.eu/en/eu-commission-about-wreck-core-principles...
kgwxd
2d ago
1 reply
The only reason these things work is because we let our browsers silently execute arbitrary code. That logic is more like saying it is OK to enter a house because the owner sent you an invitation, then greeted you at the door and said "GO NUTS!".
jmward01
1d ago
Trust is a powerful multiplier. By that I mean if you have trust in your city as a safe place you generally don't see bars on windows and have more open, inviting and usable spaces. You have more businesses and happier people. Right now the web is like the worst crime ridden city in the world. There is 0 trust and it means we can't have nice things. Society builds trust by being open and allowing but with enforcement when things do happen. We need to bring that to the web. Right now the enforcement either happens before-hand by blocking something or not at all. I want good browser features. I want companies to use them for my benefit but I also want social and legal repercussions when those features are abused. We need to build up both of those in a durable way. When people see offending sites they should avoid them and spread the word that those businesses are bad. When they cross the line then we need enforcement of not just civil, but also criminal penalties. Basically, we need to avoid removing features and instead start evolving society to be able to interact in this environment in a way that we can trust it.
metalman
2d ago
I am not concerned with bieng tracked, and assume that large entities on the net have the ability to track and find anything or anybody, ho hum, but my simple personal requirement is not to be then sold to petty merchants and harassed in my own home with adds and fake "personalisations", and offered unasked for "help", so I watch closely, and go to any length to disable adds, or "fingerprinting", "profiling", or whatever. The net is horrible, I need socks, but as I am now sensitised to bieng tracked and followed, I will just get socks at the hardware store, rather then try and track down what were mentioned as perfect travellers socks and other gear, because the mountain of equipment relentlessly devoted to selling me anything from the waist down herafter is impossible to contemplate, and I now only use search for items required for my business, but am often forced to give up, as the vast majority of the web has been co-opted by major retailers. Even though I have never been on social media, have no accounts with any of the retailers, people are telling me that they found me and my business through an LLM, of some flavor, and/or were convinced of my abilities from my "5 star ratings", I am too busy currently to unravel, exactly how the data is put together and then used, but quite clearly, there is no way to use the net(however "lightly"), and not be swollowed up and commodified.
yoavm
2d ago
Umm...But it is criminal. The GDPR, at least, doesn't care how you track users - whether through cookies, local storage, favicon or whatever other mechanism you've developed. If you track users you must follow certain rules, and if don't, you will be facing fines if/when you're caught.
1vuio0pswjnm7
2d ago
2 replies
I use a browser that does not support favicon

Wondering why do users of popular browsers believe favicon is needed

(I'm assuming users asked the authors of those browsers for favicon)

shiomiru
2d ago
1 reply
Popular browsers support tabs. When you have many tabs open, it's hard to show a meaningful title for each one. An icon takes up less place and is easier to scan for visually.
1718627440
2d ago
1 reply
Mozilla Firefox doesn't shrink tabs any further, but instead lets the tab list go off screen and you can scroll. I think that is a Google Chrome specific thing.
shiomiru
2d ago
1 reply
I've just tried and when I open a bunch of new tabs, Firefox truncates the "new tab" text to "new" and a Firefox logo. Same thing happens with other titles.
1718627440
2d ago
That's true, it's more without the favicon. It is configurable with browser.tabs.tabMinWidth. Not sure if it is configurable elsewhere in the UI, I normally don't bother with that.
1vuio0pswjnm7
2d ago
Do tabs in the popular graphical browsers display a number on each tab by default

This might be useful when switching from, e.g., tab#1 to tab#7, using keyboard shortcut Ctrl-7

benob
2d ago
1 reply
Why doesn't this apply to any kind of cached content?
cholindo
2d ago
1 reply
I guess that you can do fingerprinting with any cached content, but the insane persistency of favicon's cache makes this much more concerning.
benob
2d ago
If caching is bounded in time, can't you use other fingerprinting methods to seal the gaps?
stingraycharles
2d ago
1 reply
Totally unrelated, but what I found interesting: the README hasn’t been touched for years, yet it looks entirely AI generated. Including the commits.

People actually wrote READMEs / commit messages like that before? Have I been living under a rock?

dewey
2d ago
2 replies
Where do you think the AI training data comes from?

Emoji-heavy documentation/commit messages always seem very popular in JS projects, as this is seems to be the project of a 12 year old I'm not too surprised that it's a bit unusual compared to others.

fractalcounty
2d ago
1 reply
The README.md says the author was twenty years old when it was written. Am I missing something here?
dewey
2d ago
I read it as twelve. My bad!
stingraycharles
2d ago
Ah, I didn’t know this was made by a child, that makes sense then.

I knew this was part of the JS community, I just didn’t realize AI was literally 1:1 using the same style.

I guess didn’t realize that the NodeJS community was so dominant.

Or maybe is it because the NodeJS community always had a style of “many small libraries”, which causes them to be over represented?

stingraycharles
2d ago
1 reply
FYI for anyone that cares: this attack vector has been patched by browsers years ago, fairly soon after this was released.

https://github.com/jonasstrehle/supercookie/issues/30

jgalt212
2d ago
1 reply
The link shows Chrome patched and unpatched this.
cachius
2d ago
1 reply
[Now Chrome] should reset tracking through favicons on cache deletions and when entering incognito mode. - https://issues.chromium.org/issues/40136308#comment19
SeriousM
2d ago
Should
mobeigi
2d ago
Lovely attack vector. It's fun to open the various databases stored by browsers like Chrome in SQLITE to see the kind of information they store. I wouldn't be surprised if a similar attack vector existed for a different stored artefact.
sinuhe69
2d ago
Delete cookies and site data on Firefox works.
nishantjani10
2d ago
This is an insightful read. One question I have is, how do you ensure a user visits all of the N routes for the ID to be generate or to be verified on revisits.
redbell
2d ago
The urge to mine user's data in every possible way is being escalated to higher levels each day. We are, for sure, living in the data rush era.

Another interesting method for web fingerprinting explored by a team of researchers back in 2022 uses the GPU to create unique fingerprints and uses them for persistent web tracking. Codenamed 'DrawnApart' [1] and relies on WebGL to count the number and speed of the execution units in the GPU, measure the time needed to complete vertex renders, handle stall functions, and more. It uses short GLSL programs executed by the target GPU as part of the vertex shader to overcome the challenge of having random execution units handling the computations. Hence, the workload allocation is predictable and standardized.

__________

1. https://www.bleepingcomputer.com/news/security/researchers-u...

60 more comments available on Hacker News

View full discussion on Hacker News
ID: 45947770Type: storyLast synced: 11/19/2025, 7:21:00 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Read ArticleView on HN