Sometimes hackers have a bit of a sense of humor. That humor doesn't always translate into a big chuckle or uncontrollable laughter, though, when a large number of computer users have to suffer for the amusement of crafty hackers.
Andrea De Pasquale, a security analyst and software developer, recently found a funny way to crash popular web browsers through the use of a favicon. Those of us who are well versed in web development, or who have some understanding of how websites function on the back end, know what a favicon is. For those who do not, favicon is short for "favorite icon": the shortcut or bookmark icon used by web browsers. A favicon is usually shown as a small icon within the browser to give the currently loaded website a visual identity, and it often represents the website's logo.
De Pasquale's findings showed that a massively oversized favicon file was the culprit behind crashes in several web browsers. A favicon file of 10+ GB caused Google Chrome, Mozilla Firefox and Apple's Safari to crash.
The discovery of this favicon bug reveals a good deal about a potential vulnerability that has yet to be exploited on a large scale. Some will conclude that favicons pose a serious risk to the security and stability of web browsers and could eventually lead to other serious security issues.
In tests conducted by researchers, browsers like Google Chrome downloaded nearly 10 GB of data, most of it from a single highly inflated favicon file. What this instance shows is that the favicon remains an item loaded by web browsers without any security check or limit on its download size. Because of this, browsers like Chrome, Firefox and Safari simply crash and have to be restarted, or the affected computer has to be rebooted.
The favicon vulnerability has attracted a lot of attention lately, and Firefox was among the first to fix the issue, with a patched version available in the next update. The patch addresses the initial issue De Pasquale discovered: a website serving a WordPress backup .tar file in place of the traditional favicon.
The potential fallout from a favicon vulnerability in web browsers is the likelihood of hackers using the favicon to deliver malware, or any file type of any size, through the browser. In such a case, web browsers could consume massive amounts of bandwidth downloading favicons that are 10 GB in size. Just think: at that size it is the equivalent of downloading and streaming a few high definition movies. The only difference is that you don't get the satisfaction of good entertainment. Instead, you are left with a crashing web browser.
Security experts believe that because favicons are subject to no restrictions or rules, not even on the type of file a browser will accept and render as a favicon, hackers could serve all sorts of files to be automatically downloaded by web browsers. Remember, every web browser will by default attempt to load a favicon without any apparent roadblocks or security checks.
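The two missing checks described above (no limit on download size, no restriction on file type) can be demonstrated in code. What follows is an added example, not code from the article or from any browser: a favicon reader that refuses a body whose first bytes are not an icon format and that stops reading once a hard size ceiling is passed, regardless of what Content-Length claims. The 1 MiB cap and the sample inputs (a minimal ICO header and a tar header of the kind a WordPress backup would begin with) are this example's own assumptions.

```python
from io import BytesIO

# Hypothetical cap chosen for this example; the article only says browsers had none.
MAX_FAVICON_BYTES = 1024 * 1024  # any real favicon is far smaller than 1 MiB
CHUNK = 16 * 1024

# Constructed sample inputs (not from the article): a minimal ICO header and a
# 512-byte ustar header like the one a WordPress backup .tar would begin with.
CONSTRUCTED_ICO = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 8
_tar = bytearray(512)
_tar[0:24] = b"wp-backup/wp-config.php\x00"
_tar[257:263] = b"ustar\x00"
CONSTRUCTED_TAR_HEAD = bytes(_tar)


def sniff_icon_type(head):
    """Return the image format implied by the leading bytes, or None if not an icon."""
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if head[:4] == b"\x00\x00\x01\x00":  # ICONDIR: reserved == 0, type == 1 (icon)
        return "ico"
    return None


def read_favicon_bounded(stream, declared_length=None, max_bytes=MAX_FAVICON_BYTES):
    """Read a favicon body with the two checks the article says browsers lacked.
    The first chunk must look like an icon, so a tar archive served as
    /favicon.ico is dropped after 16 KiB; the size ceiling is enforced while
    streaming because Content-Length may be absent or wrong.
    Returns (accepted, kind_or_reason, body).
    """
    if declared_length is not None and declared_length > max_bytes:
        return False, f"declared length {declared_length} exceeds cap {max_bytes}", b""
    buf, kind = bytearray(), None
    while chunk := stream.read(CHUNK):
        if kind is None:
            kind = sniff_icon_type(chunk)
            if kind is None:
                return False, "leading bytes are not an icon format", b""
        buf.extend(chunk)
        if len(buf) > max_bytes:
            return False, f"body exceeded cap of {max_bytes} bytes", b""
    return True, kind or "empty", bytes(buf)


def check_favicon_bytes(data, declared_length=None, max_bytes=MAX_FAVICON_BYTES):
    """Check an already captured response body the same way."""
    return read_favicon_bounded(BytesIO(data), declared_length, max_bytes)
```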
Nefarious methods could be crafted to transmit illegal files or software through favicons. Just think: favicon warez sites could be conjured up to secretly distribute pirated applications and even bootleg movies. We are pretty sure the browser vendors will address the favicon bug before we get to that point, but that won't stop hackers from thinking up such a crafty idea.