Hacker discovers DuckDuckGo tracking users visits to websites through Favicons


Ethical hacker finds DuckDuckGo is tracking the websites a user visits through Favicons

DuckDuckGo which is said to be the most anonymous surface web search engine has been found to be tracking users’ visits to websites through the Favicons. DuckDuckGo has become the go-to browser and search engine for users who are wary of Google’s data collection practices and the way Google uses this data. However, it was found to be tracking user data it shouldn’t have access to in the first place.

An ethical hacker, Seb @Cowreth found that despite its claims for anonymity, DuckDuckGo was tracking websites or rather saving names of websites that the DuckDuckGo user visited violating its strong privacy policy.

The privacy issue arises because DuckDuckGo saves the Favicons (icons identifying the website) of the websites, the DDG user visits, in a specific webserver without the users’  consent. The issue may seem innocuous but when privacy is concerned every issue is serious.

DuckDuckGo stores the favicons of websites on one of its servers at icons.duckduckgo.com. This in fact leads to DuckDuckGo knowing where the user is visiting. If you visit a particular website using DuckDuckGo’s Android browser, it would request the favicon from its internal server instead of the website itself.

Normally, the favicons should be requested from the visited website’s servers or the user’s browser cache (not applicable in DuckDuckGo’s case). Instead, DuckDuckGo calls this from its internal server. This means that the browser knows and tracks the websites the DuckDuckGo user is visiting without users’ consent.

Being privacy and security concerned, DuckDuckGo immediately responded to Seb’s concerns on YCombinator and said that they are fixing this issue. The point being made by Seb was that 1 year ago the same issue was raised and DDG had promised to fix it but the issue was not resolved. Last year, on July 9, 2019, the same issue was raised on DuckDuckGo’s Github page but it was closed down due to some reason.

DuckDuckGo CEO Gabriel Weinberg said that “I want to be clear that we did not and have not collected any personal information here. As other staff have referenced, our services are encrypted and throw away PII like IP addresses by design. However, I take the point that it is nevertheless safer to do it locally and so we will do that.”

Privacy lovers are a paranoid lot and with recent issues of Brave Browser pimping affiliate links of Binance, Coinbase and other cryptocurrency websites, it would need DuckDuckGo to really fix this issue and fast.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments