Demo

The exploit should identify alice since her profile picture is shown in the victim's settings page (https://unsafe.polict.net/demo-web-tracking/settings, which is cross-origin) we are using as leaking endpoint.

Click "start", then:

"check hardcoded list" to test the default victim group (tim, alice and tom, like the example in the blogpost)
"check specific user" if you want to test a specific victim (a specific image URL) which should not be identified as long as it isn't alice's picture

Yes, it could have probably made stealthier :-)