Hacker News new | past | comments | ask | show | jobs | submit login
Favicon bug (github.com/benjamingr)
310 points by inglor on June 15, 2015 | hide | past | favorite | 93 comments

I'm the author of the GH repo and I just want to give full credit for figuring out Chrome does this to this guy: https://twitter.com/a_de_pasquale

All I did was think "if it works for 65mb why not more?" and write a quick proof of concept. Gets to 10gb on my 4gig laptop and then crashes. (MBA, OSX 10.10).

Wow, the twitter replies suggesting this was an accidental "tar cvf * backup.tar" sound right on the mark. Especially considering favicon.ico is probably the first file in a wp install, alphabetically.

This is my new favorite bug/mistake. It's just exquisite.

It really has it all, doesn't it?

For everyone struggling with tar, please be aware that you can use long-form arguments. So instead of "tar cvf filename files" you use "tar --create --verbose --file file.tar files" or maybe another order like ""tar --create --file file.tar --verbose files"-

It is much more sensible and intuitive.

Once you've used it more than once or twice, however, you will find that writing cfv is much more convenient than typing --create --verbose --file every time you want to tar something.

But if it's code you're only writing once - like in a script - you might consider using the longer ones to avoid screw ups and improve maintainability.

always use long form flags when writing scripts...have some consideration for the person who has to fix your code when you move on

there's an xkcd for that...: https://xkcd.com/1168/

I doubt that the creator or the promoters of the meme know about the long-form parameters. They make sense.

Wow, deeply impressed with Firefox who rolled a fix in 3 hours. Mad props.

Even better - this works with compressed favicons.

Take http://pastie.org/10242118 and create yourself a favicon file:

dd if=/dev/zero of=favicon.png bs=1M count=4096

gzip -9 favicon.png

you can now crash lots of browsers with minimal bandwidth usage :)

demo: http://dev.tomjepp.uk/

This makes a 4GB file when decompressed and is plenty large enough to crash a 32-bit browser. You may need a larger file to reliably crash 64-bit browsers.

Haven't tried it, but does it crash the browser or the tab? Under Chrome's architecture, a page should potentially be able to crash the tab, but not the browser. (or that's my understanding of it, anyway)

What prevents someone from doing this with a 1 px junk image that is many GB large?

edit: to clarify, i'm talking about in the page itself rather than the favicon.

Just a couple of off the cuff thoughts on that. Nothing out of the box prevents what you describe as far as I know but one of the points made in the article is that favicon is downloaded without any update to or indication from the status bar. An image on the page will at least throw up a "waiting for evil.com" in the status bar giving a user some indication that something being downloaded is causing a major slow down.

Typically an ad-blocker or script blocker can be used to prevent the image from downloading. But I don't know of a blocker add-on that worries about favicon.

Overall while annoying and a bit strange that this wasn't anticipated and fixed long ago I'd say this is probably a non-issue. As another poster said I don't see a payoff here so I doubt it will be actively exploited in some "internet screeching to a halt" kind of way.

  > Overall while annoying and a bit strange that this wasn't anticipated and fixed long ago I'd say this is probably a non-issue. As another poster said I don't see a payoff here so I doubt it will be actively exploited in some "internet screeching to a halt" kind of way.
favicons can also be inserted dynamically. http://stackoverflow.com/questions/260857/changing-website-f...

If some site has a js injection bug, or there is someone doing MiTM like the Great Firewall, I suppose they could inject a favicon link that referenced some location on another site, with the intent towards DoS.

Well I don't disagree but on the other hand the article is focused on what it does to a client so I wasn't thinking it through the way you are.

It also occurs to me that given the ability to insert yourself between the client and the server has to open up a number of possible attack vectors that are more worth while than crashing the client. I get (I think) the point about if censorship is the goal this is a way to make clients stay away from a particular server but if you're in a position to MITM them why not just return 404's and be done with it?

Not trying to argue, :-) Just want to make sure I'm understanding your point correctly...

I assume you can (untested) reference https endpoints with a favicon?

If you can inject html though, a hidden image would probably would just as well. Although the behavior of chrome apparently still requesting the favicon file after the tab has closed, and possibly storing it in the history or bookmark file, may make this more or less appealing. Unsure.


Different behavior. It'll cause the tab to load forever, but it won't cause the whole browser to crash or become unresponsive.

my guess is if no favicon is specified browsers request for the default favicon path after page load (possibly) in a non render thread. that's definitely an issue, right?

also, interesting discussion from wayback:


So a screwed up favicon can eat a wireless user's whole bandwidth for the month with them knowing it. Great...

Not to minimise this issue but there are other ways for websites to silently waste user bandwidth. I think the real issue here is that it crashes Chrome and can render the computer unresponsive.

So can a screwed up iOS app


"Here’s a pop quiz for you: how much data do you reckon this iPad app downloads when it first runs? I don’t mean how big it is to download from the App Store (it’s 25MB), I mean after you download it then simply tap the icon to fire it up, how much data does it pull down if you don’t touch it again? ... Try 1.8 gigabytes. You heard me, that’s not a typo. You open up this 25MB app and it’ll pull down dozens of files of dozens of meg each when you run it. Won’t someone please think of the bandwidth!!!"

It'd be nice if downloading over X MB in a day was an extended permission just like access to contacts/photos/etc. is.

Only if you mobile browser actually download them, ios for example from what it looks like doesn't.

Some folks use cell (direct or tethered) on our laptops.

Check out the PRs on the repo - there is a PR demonstrating this exploit in iOS.

So can an ajax loop.

Or a big HTML file.

An ajax loop requires you to have JavaScript enabled and will show you a loader indicator.

> loader indicator

There is nothing with Ajax that does that automatically or even by default.

How about just an huge image? The programmer implementing the ajax call doesn't necessary have to implement a loader indicator either...

The browser will give you a visual indicator (a loading sign) at the browser level for images or AJAX and JavaScript can be disabled.

With the favicon issue these things don't happen.

I'm pretty sure I've never seen a loading indicator for AJAX either in Safari or Chrome.

True but the amount of webpages I visit where the spinning icon never stops spinning, I don't really pay it a 2nd thought. An enormous image set to hidden would have a similar effect.

Mind you I'm sat at home with a 300Mbps fibre connection, so I don't give as much thought to bandwidth as a roaming 4G/3G user might.

True, regarding JS.

Web workers will not show a loader indicator however. You could probably do a nice DDoS attack like this even. But it requires users to be on your site anyway. Might as well just stick 0day du jour on it.

This reminds me of a bug I found in an internal tool. We only had about 200 users, but somehow Apache would run out of workers because they were all busy serving some kind of request. Turns out our Apache configuration was wrong specifically in the case of serving the favicon. If you requested the favicon, it would get in a redirect loop, increasing the length of the url a little more each time until it hit the maximum url length and gave up. A new job like this would get kicked off every time any user visited a page, and it'd take several minutes before it finally gave up. So every user was unwittingly opening tons of long-running requests, with no indication that they were doing anything.

Yeah, I hit something sort of similar but on the client side: While clicking around a single-page webapp, Chrome would manage to use up all its outbound connections (10 or so) trying to download non-existent favicons, leaving none for real use. And those favicon requests somehow never timed out. Chrome's favicon handling is pretty bad.

I pray once or twice a month that someone somewhere will just end the favicon.

Or at least make it's absence a non-logworthy event.

Or replace it with something sane, like a .png.

All major browsers support PNG favicons

Not only is there support in practice, but PNG files have been technically-valid .ico files for a decade.

Edit: Actually on further investigation they might be omitting a header, but they're still 99% valid.

Is storing data as bits insane? For a 32x32 image, jpg overhead becomes significant.

Why would you use JPG for something that should be pixel-art?

But it's not really that bad. Well under 200 bytes of overhead for 1000 pixels. PNG has under 50 bytes of overhead.

Just doing some quick back of napkin maths, even assuming Apple's 128x128 app icons, and 48 bit colors (32 is more typical), we're still talking about a sub-100 kb max for a favicon.

So if Chrome set it even at 20 Mb that would still be orders of magnitude more than any favicon should be for at least the next five or so years (even assuming 256x256 became common for app icons).

"The most memory anyone needs is 640k"...

Hard limits aren't much of an issue if updates are rolled out ever 6 weeks.

That was said with a wide open scope. Bill was wrong because he hadn't imagined all the things people might do with PCs. In this discussion, the scope is very limited; favicons.

You can have animated favicons.

Even still, the animated favicons would be low framerate and fairly low resolution.

I don't think we're ready for 60 FPS .gifv favicons just yet. :)

ten gigabytes is a helluva favicon animation... I wonder if it would be measured in hours, days, or weeks...

Let's go ahead and implement webm favicons. Months of pleasure from every single website visit!

In reply to both this and the original discovery[1], I wonder if this is a valid (albeit morally dubious) method of backing up (or at least ensuring the survival of) information that is at risk from government/<insert 'bad person' here> censorship/removal/other.

NB: Not that I condone this.

[1]: https://twitter.com/a_de_pasquale/status/608997818913665024

Did you file bugs for either of these two browsers?

Is this a Mac only bug, or have you only repro-ed it on Mac?

Why do browser people always forget about favicons? Most browser saved favicon on private browsing and then this.

...and used favicons for the bookmarks.

Mind telling me why that is an issue?

My bookmark bar is entirely favicons. I remove the name and this allows me to fit more in quick-access without having to delve into folders.

Same here. Sadly Safari does not use fav icons in the bookmark bar, so all of mine are emoji.

Unfortunately, you run out of sensible emoji very quickly, so my brokerage ends up 🎲, Github ends up 🐱, and Hacker News ends up ⌛️.

Because Microsoft.

How do other browsers behave?

Firefox doesn't behave too well either. Gets to 23169 in the counter http://i.imgur.com/3zkPKD7.png

So why single out Chrome in this repository and post? Feels like a hit piece on Chrome this way.

Well, I didn't really consider Firefox and I didn't want to publish anything unsubstantiated about it. No intent to single out or attack Chrome - I've changed the title to clarify that now that I have evidence this works in FF.

Investigating and reporting a bug should never be considered "singling out" of a piece of software. Personally, I'd be grateful if someone pointed out a critical issue like this in my code. It means I have the opportunity to fix it!

Well, Chrome is a very commonly used browser, and I would guess that other browsers look to it for guidance on features.

Also, it seems to me that the post is only a proof of concept. "Hey, look at what happens here in this browser. I've extensively proven that it's possible. Maybe people should check it out under other circumstances."

You should try and use ServiceWorkers to generate the file -- then you can have the client DOS itself.

This seems like an active exploit, as pointed out in the OP's inspiration Twitter post.

`tar` up an entire WordPress install, save it as `favicon.ico` and then easily pull the files from the server.

This would be a good idea to get fixed very soon, I would assume.

EDIT: I stand corrected in terms of exploit-ability, but I still assert that crashing a browser and chewing tons of bandwidth are pretty big issues.

> `tar` up an entire WordPress install, save it as `favicon.ico` and then easily pull the files from the server.

assuming I have access to the server to create the tar and save it, what's the difference between downloading the archive as favicon.ico or any other name?

If you don't have control over the logging (for a number of reasons) you can disguise your xf in the access logs. I'd be willing to bet that a lot of logging config files for access logs even ignore favicon.ico.

You could also hide it as any kind of regular static resource. I still don't understand how it's any worse than, say, hiding a massive image in a webpage. Bogus websites are going to be bogus no matter what, I can understand browser devs not wanting to guess arbitrary limitations for some resources when an hostile attacker will have plenty of other opportunities to achieve the same thing.

What would be the point of adding a limitation to the favicon size really? Protecting users from websites where the webmaster is silly enough to put a 1GB favicon by mistake? Doesn't seem common enough to warrant the extra code IMHO.

>What would be the point of adding a limitation to the favicon size really?

Uh, yea, the browser shouldn't become unresponsive, break, or behave in such unexpected ways. Not having a limit is just sloppy. Understandable how it'd be overlooked, but sloppy none-the-less.

That's reasonable, but won't you get the same result in a million other ways?

I agree that preventing the browser to become unresponsive when loading bogus/malicious pages is a worthy objective but I don't see why the favicon needs to be singled out as a "bug".

These kinds of deny of service attacks against browsers have been known since, like, forever and they're basically impossible to completely prevent given the surface of attack and the complexity of modern web pages.

Whatever that website is, has an issue, since that backup.tar may contain their database credentials.

The favicon thing is just an annoying browser crashing bug. You could call that an "exploit" but up until fairly recently you were able to crash many browsers by generating too many message boxes (e.g. alert()) asynchronously.

So while, yes, it would be nice to fix it I don't really see it as being a high priority or one which will be actively exploited (since there is no "payoff" to either prankers or bad guys to this exploit).

Eating users' bandwidth has its uses as well as filling up a network with communication. This works with JavaScript disabled too but yeah I agree it's not a huge priority.

I know for a fact that eating mobile bandwidth would be a huge priority for some (as far as getting it fixed). For example; I live in Canada and my mobile plan is only for 8gb. If I go over I have to pay a premium, and it is not a cheap premium. I don't think unlimited bandwidth on mobile is popular (at least here, I suspect other places cough India cough) as well.

Even if you cap favicon size you don't solve the issue you're discussing at all.

A bad actor web-site can just move from favicon to an image, script file, or just return an indefinite series of HTML characters with no end.

The only way for the issue you want solved to be solved is for mobile browsers to add a "max page size" option, that will stop downloading content after it hits the cap.

In general this favicon bug is neither here nor there with the issue you're concerned about. Nobody needs this to waste your bandwidth.

The only reason this is noteworthy is that it is a little embarrassing for the browser vendors and it causes the browsers (Firefox and Chrome) to crash.

I like Surf's approach:

  if(g_str_has_suffix(uri, "/favicon.ico"))
      webkit_network_request_set_uri(req, "about:blank");

it's also working on iOS 8.1.2. As soon as you tap on the share icon, the download starts: https://github.com/benjamingr/favicon-bug/pull/2

I've noticed it several months ago by going through my server logs - hadn't included 'favicon.ico' in the HTML and yet, the browser - Chrom(e|ium) - tried downloading it every time.

Thanks for reminding me to report it ;^)

Most browsers have been doing that since favicons have existed. Older versions of IE used to check for /favicon.ico no matter what, even if you specify a different URL with a <link> tag. You really have no choice but to make the file available at the URL even today.

That's not a bug, it's a feature. Pretty much every modern browser will look in the default spot for a favicon if you don't specify it.

Just tested on Safari 8.0.6, doesn't seem to download the favicon at all. Weird, even after closing the tab, Chrome still keep downloading the favicon.

Safari Version 8.0.6 (10600.6.3) on OS X 10.10.3 is downloading it: https://imgur.com/B2LeRy4

Should this have been done as a private disclosure to browser vendors first before going public, or is that more for security problems?

Way to ruin the fun for the rest of us ;)

Anyone tested Firefox/Chrome/Webview for Android?

Interesting to see server-side JavaScript being used as an exploit language.

This is about as easy to do with every other language - I could have done it in C, or Python or PHP or Java or C# or whatever - node was just the lowest friction one for the PoC - all you ned is an HTTP server that lets you write dynamic requests - could have been bash even.

    ln -s /dev/urandom /srv/wwwroot/favicon.ico

Seems like an easy and logical fix for browsers.

   function fetchFavIcon() {
       if (favicon.fileSize > 1MB) { return false; }


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact