Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are cross-domain favicons a security risk?

I have a site of user-submitted news articles, and an idea I had for a feature was to grab the favicon on the target site to display along with the link.

The methodology for grabbing the favicon would be checking for the favicon.ico file on the target server. Would displaying that icon as an image open any hole? Could there be some sort of malicious favicon? Would converting the image server-side to a different file format negate risk?

like image 482
Elle H Avatar asked Dec 02 '09 07:12

Elle H


2 Answers

There was a vulnerability in Window's JPEG parser a few years back. It's possible that vulnerabilities could be discovered in other formats in the future, but I think that you are pretty safe to display it as-is, and be vigilant in applying patches if a threat is publicized.

However, to protect the privacy of your users, you should cache the favicon at your server, and let users' browsers fetch it from there. On the other hand, some sites might feel you've violated their intellectual property by displaying their favicon on your site. Again, I probably wouldn't worry about it too much until they ask you to stop.

like image 83
erickson Avatar answered Oct 18 '22 08:10

erickson


Privacy would be my main concern really as favicons are sometimes used for tracking who bookmarks a page. At the very least it would screw their data as they'd think more people are bookmarking them than really are.

When browsers use them the recommended behaviour which I think is adopted by most now, is to only fetch the favicon when you visit the site and then cache in the browser. I would do the same server side by fetching the icon when a user submits the article and cache it (and at the same time you can take the opportunity to verify the link is valid, extract a summary, etc).

like image 43
tjmoore Avatar answered Oct 18 '22 07:10

tjmoore