I haven't read the full research paper, but this table alone is really frightening.
The check-marks in this image do not mean it's a good thing for us. They actually mean the vulnerability can continue even if you apply these precautions.
First, think of all the things privacy gurus have taught us. They say, to maintain good privacy, we should clear cookies and cache, use VPNs, use a Private/Incognito window for casual browsing, etc. If you use the mentioned browsers, no matter how much you use them, you'll still probably be vulnerable to this attack.
More surprisingly, I found a StackOverflow question asked 7 years ago (2013) which discusses this same issue long before this paper was released! The poster says that:
> If this is actually possible it can be a good way of checking if the user visited the website before, don't needing to use cookies for that porpouse [sic.]
Someone named _daalbert_ commented under an answer:
> I've used this method before, and it works well.
So it seems this trick is already there and being used in the wild. I feel a bit strange. After all these years of being a webdev and researching privacy, I never came across this.
The only thing that comes to my mind that can tackle this would be deleting the whole profile directory of the browser (deleting cache is not enough) and starting again from scratch every time, which is not viable for everyone. Or using one single browser instance for each website (which would be very painful, even considering AppImages or using different profile directories for each site). Clearing the cache cannot make a dent in this. So there's no way to escape this.
Another thing is that Firefox was not vulnerable to this due to a bug in their favicon implementation. Lucky Firefox. :smile:
A better solution would be if browsers saw this and pushed a fix in the updates. I'm not sure if this issue is fixed since the paper has been released. Maybe I'll try to recreate this to see if this exists on the browsers I use.
The research paper is here if you want to read it:
:arrow_right: https://www.cs.uic.edu/~polakis/papers/solomos-ndss21.pdf
I got this research paper in a toot from @RTP@fosstodon.org