Tracking users with favicons, even in incognito mode

https://github.com/jonasstrehle/supercookie
127•vxvrs•3h ago

Comments

breppp•2h ago
I was sure this has been a thing for a while, either that or Safari has a UI bug since forever.

I regularly get the wrong favicon in specific sites, for example Ars Technica favicon in Reddit

robotnikman•2h ago
I get the same bug in Firefox as well sometimes.
goodells•1h ago
I thought I was the only one! Something in the UI cache is so horribly corrupted and it has been for years on my MacBook, I just gave up hope.
gitmagic•2h ago
What is the live demo supposed to do? I just get stuck in an endless redirect loop with a counter going from 1 to 18 and then restarting. I’m using Safari on iOS.
dizhn•2h ago
Android/Firefox it showed me my unique ID after the first 18. Then there was a button to try again and that put me in the same loop you're having.
int0x29•2h ago
Firefox for Android private browsing mode gets stuck in the loop 100% for me
QuantumNomad_•1h ago
Safari on iOS. It goes to 18/18 and then starts over from 1/18 again for me too. I had not pressed any retry button, this happened the first time I visited the page. And I wasn’t even in private browsing mode. Just navigated to it normally.
waitwhatwhoa•2h ago
This was fixed after we reported it a few years ago while working on the paper.
zzo38computer•2h ago
Does it work if you disable favicons? (I disabled favicons when I set up the computer, but for a different reason; it is a feature that I don't use.)
soulofmischief•2h ago
I got different IDs in regular browsing vs incognito mode in Firefox.
bravoetch•1h ago
Seems like Firefox made changes to address this kind of tracking in version 85.
denismi•27m ago
I got different IDs in regular browsing vs my first incognito window vs my second incognito window.
vanschelven•2h ago
It's a shame that the actual attack mechanism doesn't seem to be detailed on the GitHub repo, and the link to the article is dead.
waitwhatwhoa•2h ago
Paper author here, here’s a valid link: https://www.cs.uic.edu/~polakis/papers/favicon.pdf
majkinetor•1h ago
https://supercookie.me/workwise
sjdonado•2h ago
The demo didn't work for me. Safari latest iOS
HelloUsername•1h ago
Related discussion?

"Tales of Favicons and Caches: Persistent Tracking in Modern Browsers"

https://news.ycombinator.com/item?id=25868742

53 comments on 22-jan-2021

Strongbad536•1h ago
Probably not a popular opinion here but I'm honestly impressed that someone made this work?
alentred•59m ago
There is ad money at stake, and it is unfortunately one of the key revenue models in the modern web. I don't know if this particular research was sponsored by ad-tech or if it's preventive, but it shouldn't be generally surprising that these kinds of things are heavily researched.
martin_a•1h ago
Needs a (2023) addition in the title
iammjm•37m ago
Make it 2021 actually. After these years, was this fixed?
abirch•12m ago
It was fixed for me on Chrome.
Barbing•1h ago
Reminds me I noticed macOS Safari pulling in the favicons somewhat frequently when I load the new tab page with favorites on it.

Definitely something I don't want. Maybe I should just remove the favorites or maybe I can save them as redirects or HTML or something.

Note I use private windows most often & shoutout Little Snitch for driving the discovery.

nrhrjrjrjtntbt•1h ago
Previous comments (2021)

https://news.ycombinator.com/item?id=26051370

NooneAtAll3•41m ago
I don't understand the live demo.

It gave me some ID, but how do I test that some different website can track me resulting in same ID?

Or is it only "detect private browsing/container on same browser" kind of stuff?

xandrius•38m ago
I just got a refresh per second and a counter from 1/18 to 18/18 and repeat. Feels like I wasted 20s.
scrps•21m ago
Nonpersistent vm-based browser, I use qemu + cage + firefox and some glue logic to fire up a copy of a base image which gets deleted on exit. Fires up slower than a native firefox instance but runs all the same.

Can containerize for the less paranoid and less work but browsers touching host kernel gives me the ick as does the idea of trying to write ebpf policies for firefox to mitigate. Browsers are pain.

captainkrtek•13m ago
This sounds interesting, do you have this written up anywhere?
musicale•20m ago
I have never liked how Safari always tries to reload favicons. Seems like an obvious and annoying privacy leak.
