Don't use 10GB files as your website's favicon

Jun 18, 2015 12:54 GMT  ·  By

Security analyst and software developer Andrea De Pasquale has managed to discover one of the funniest ways to crash a Web browser. Apparently, a 10+ GB favicon file can crash Firefox, Safari, and Google Chrome.

Resembling one of those buffer overflow bugs you could use to crash Call of Duty servers in the early 2000s, putting a 10+ GB file as your favicon crashes the users' browsers when they attempt to download it.

The silly part is that it doesn't crash immediately: the browser keeps downloading, and downloading, and downloading the file for minutes, and only then crashes, without the user ever realizing what actually happened or what is truly to blame.

In more extensive tests carried out by Benjamin Gruenbaum, a Google Chrome browser managed to download up to 10GB of a favicon file before crashing. Yes, that means downloading two DVDs, and then some, of information, before finally overpowering the browser and shutting it down.

The bug was replicated with both favicon and touch-icon files, meaning both desktop and mobile browsers are susceptible to it.

Firefox and Safari browsers are also vulnerable, but the good news is Firefox already fixed this issue in less than two days, and a patched version will be available with its next update.

More trouble with favicons in the future?

The existence of this bug doesn't surprise us, technically, since there is no standard or rule anywhere stating that favicon files have to be under a certain limit.

Actually, if you haven't noticed, favicon files don't have to be .ico files. You'll find plenty of PNG, GIF or JPEG files used by popular websites, and there isn't any restriction tied to the file's extension.

The bug was initially discovered by De Pasquale when he ran into a website that shipped a WordPress backup .tar file instead of the favicon.

What this means is that you can pass any type of file as your favicon, as browsers do not perform any checks on what they receive, usually trusting the website's developers not to deliver anything "else" (to be read as "dangerous").
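The missing control the article describes is a bound on what a client is willing to accept. The following is an added example, not code from the article or from any browser: a favicon fetcher that checks the declared type, fails early on an oversized Content-Length, and aborts a streamed body the moment it passes a cap. The cap, the allowed-type list and the `endless_body` stand-in for a never-ending server are assumptions of this example.

```python
from typing import Iterable, Iterator, Optional

# Assumed limits for this example: any real icon fits comfortably in 1 MiB.
MAX_FAVICON_BYTES = 1024 * 1024
ALLOWED_TYPES = {
    "image/x-icon", "image/vnd.microsoft.icon",
    "image/png", "image/gif", "image/jpeg", "image/svg+xml",
}


class FaviconRejected(Exception):
    """Raised when a favicon response fails the type or size checks."""


def fetch_favicon(content_type: str, declared_length: Optional[str],
                  chunks: Iterable[bytes]) -> bytes:
    """Read a favicon body from streamed chunks while enforcing limits.

    content_type: the response Content-Type header (parameters allowed).
    declared_length: the Content-Length header value, or None if absent.
    chunks: the response body as an iterable, so nothing beyond the cap
            is ever buffered.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in ALLOWED_TYPES:  # e.g. a .tar backup served as the icon
        raise FaviconRejected(f"unexpected favicon type {mime!r}")
    # Fail early when the server announces up front that the body is huge.
    if declared_length is not None and int(declared_length) > MAX_FAVICON_BYTES:
        raise FaviconRejected(f"declared size {declared_length} exceeds cap")
    # Content-Length can lie or be absent (chunked encoding), so the streaming
    # cap is the real control: stop reading as soon as it is exceeded.
    received = bytearray()
    for chunk in chunks:
        received.extend(chunk)
        if len(received) > MAX_FAVICON_BYTES:
            raise FaviconRejected(f"body exceeded {MAX_FAVICON_BYTES} bytes")
    return bytes(received)


def favicon_verdict(content_type: str, declared_length: Optional[str],
                    chunks: Iterable[bytes]) -> str:
    """Return a one-line summary of accept/reject for a favicon response."""
    try:
        body = fetch_favicon(content_type, declared_length, chunks)
    except FaviconRejected as exc:
        return f"rejected: {exc}"
    return f"accepted: {len(body)} bytes"


def endless_body(chunk_size: int = 64 * 1024) -> Iterator[bytes]:
    """Constructed stand-in for a server that never stops sending icon data."""
    while True:
        yield b"\x00" * chunk_size
```

Running `favicon_verdict("image/png", None, endless_body())` stops after roughly 1 MiB instead of reading for minutes, which is the behaviour the crashed browsers lacked.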

So if you want to find a new way to move your Game of Thrones seasons across the Internet without using torrent sites, you’d better start placing them as favicons for various websites before the Chrome and Safari teams fix their issues, or the MPAA gets wind of your nefarious ways.