
posted by janrinok on Tuesday June 23 2015, @02:31PM
from the simple-but-effective dept.

A Favicon bug lets Chrome and Firefox download huge favicon files to the point they crash the browser:

Andrea De Pasquale posted a tweet saying "Weird 64MB favicon.ico turning out to be a TAR backup of the whole WP site, downloaded by every browser passing by."

This creepy bug makes Chrome and Firefox download the huge favicon files to the point that they crash the browser. The silliest part is that the users are not at all aware of this download, as it is all done in the background, and who is truly to blame for this?

[...] Technically, the existence of this bug is no surprise, as there is no rule or standard anywhere which states that the favicon files have to be below a specified limit. As a matter of fact, the favicon files need not be .ico files. A lot of GIF, PNG or JPEG files are used with popular websites, and there are no limitations linked to the file's extension.

  • (Score: 5, Funny) by VLM on Tuesday June 23 2015, @03:09PM

    by VLM (445) Subscriber Badge on Tuesday June 23 2015, @03:09PM (#199913)

    turning out to be a TAR backup of the whole WP site

    I'm liking this new distributed backup strategy. Well maybe not the "crash the browser" aspect. But it is creative of someone.

    I'm sure like most web 3.0 sites, that 10 GB is like 5K of valuable text content and 9.999995 GB of javascript social media trackers, take over the scroll bar, popups, ads, dynamic menus, all shite.

  • (Score: 4, Touché) by M. Baranczak on Tuesday June 23 2015, @03:15PM

    by M. Baranczak (1673) on Tuesday June 23 2015, @03:15PM (#199918)
    Yeah, there's no standard for a maximum size, but it's common sense to run some sanity checks whenever you download data. If one browser failed to do this, I'd understand, but it says that Safari, Chrome and Firefox are all vulnerable.
    • (Score: 4, Insightful) by Katastic on Tuesday June 23 2015, @04:45PM

      by Katastic (3340) on Tuesday June 23 2015, @04:45PM (#199970)

      It's easy to think of it in hindsight. But man, have you EVER considered the size of a bookmark icon your entire life before today?

      • (Score: 5, Insightful) by M. Baranczak on Tuesday June 23 2015, @05:07PM

        by M. Baranczak (1673) on Tuesday June 23 2015, @05:07PM (#199982)
        Well, I've never written a web browser, so this specific situation never came up. But I wrote plenty of code that had to download data from untrusted sources. If there's something that shouldn't ever exceed n bytes in normal circumstances, then you add a sanity check that aborts the download if it reaches 10n bytes. You set the threshold high, in case you underestimated. It's just fundamental programming skills.
      • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @09:19PM

        by Anonymous Coward on Tuesday June 23 2015, @09:19PM (#200105)

        Seriously, no one saw this coming? No one? For a small, small icon? No one saw it coming? We have lost this war. If no one thinks about this sort of thing at all when designing stuff, I just give up. I just can't understand this. I give up.

  • (Score: 1, Insightful) by Anonymous Coward on Tuesday June 23 2015, @03:19PM

    by Anonymous Coward on Tuesday June 23 2015, @03:19PM (#199921)

    Technically, the existence of this bug is no surprise, as there is no rule of standard anywhere which states that the favicon files have to be below a specified limit.

    It is only no surprise if you assume that programmers don't know to check their stuff.

    No limit given means you have to expect arbitrarily large files and handle them gracefully. This can mean ignoring files that are too large to handle. It cannot mean crashing. A crash always means that you made an assumption without checking that this assumption holds for your input. In this case, the assumption was that the favicon files will not be arbitrarily large, and/or that they will always be valid image files.

    External input must always be checked, especially if it comes from an untrusted source. And frankly, I'm surprised that downloading the favicon behaves differently than downloading anything else, because at the end the only difference between a favicon and another image is where it gets displayed.

    • (Score: 3, Interesting) by MichaelDavidCrawford on Tuesday June 23 2015, @03:43PM

      by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Tuesday June 23 2015, @03:43PM (#199932) Homepage Journal

      It is trivial to crash mobile safari, just spend ten minutes on Facebook.

      This is inexcusable.

      My MacBook Pro just bit the dust. For many reasons I may never purchase an Apple product ever again.

      --
      we have a ... crazy person (MDC), that regularly posts more coherent and interesting things than do these racist trolls
      • (Score: 2) by GungnirSniper on Tuesday June 23 2015, @03:49PM

        by GungnirSniper (1671) on Tuesday June 23 2015, @03:49PM (#199938) Journal

        Funny, Facebook doesn't kill my mobile browser but things with too many scripts will, like Reason.com. I wonder if that's intended to push us towards mobile (spyware) apps for each site.

      • (Score: 2) by Tramii on Tuesday June 23 2015, @04:16PM

        by Tramii (920) on Tuesday June 23 2015, @04:16PM (#199955)

        It is trivial to crash mobile safari, just spend ten minutes on Facebook.

        I just tested this on my iPhone and determined that it was not "trivial". I normally use the Facebook app and was curious to see if I could indeed crash Safari by clicking around on things for 10 minutes. Everything worked fine and mobile Safari did not crash. Of course, I don't have 10,000 friends constantly spamming me with worthless posts, so maybe that's the difference. ¯\_(ツ)_/¯

        • (Score: 2) by Freeman on Tuesday June 23 2015, @04:40PM

          by Freeman (732) on Tuesday June 23 2015, @04:40PM (#199966) Journal

          I tried totally ignoring Facebook. I still do for the most part, but too many people that I actually care about use it. So, I end up checking it once every couple of months, sometimes more frequently. Plus, my wife is on it nearly constantly, so I don't really need to check it very often.

          --
          "I said in my haste, All men are liars." Psalm 116:11
          • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:08PM

            by Anonymous Coward on Tuesday June 23 2015, @08:08PM (#200067)

            ...ignoring Facebook. I still do for the most part, but too many people that I actually care about use it.

            Sounds like you care about the wrong kinds of people{grin}. I ignore fb and don't miss much of anything, my friends do the same.

        • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @04:57PM

          by Anonymous Coward on Tuesday June 23 2015, @04:57PM (#199978)

          Try Zerohedge [zerohedge.com] or The Green Site [slashdot.org] on the latest generation of iPod if you want to experience a crash. Both dump more ad-tracking code than Safari can handle (or than anyone should have ever reasonably been expected to handle).

          • (Score: 2) by Tramii on Tuesday June 23 2015, @06:29PM

            by Tramii (920) on Tuesday June 23 2015, @06:29PM (#200019)

            Fair enough. But I don't think I would sweat it if my MP3 player choked while trying to render a bloated website.

      • (Score: 1, Funny) by Anonymous Coward on Tuesday June 23 2015, @08:43PM

        by Anonymous Coward on Tuesday June 23 2015, @08:43PM (#200091)

        Surely that's a feature, not a bug. ;P

    • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @03:44PM

      by Anonymous Coward on Tuesday June 23 2015, @03:44PM (#199933)

      And frankly, I'm surprised that downloading the favicon behaves differently than downloading anything else, because at the end the only difference between a favicon and another image is where it gets displayed.

      My experience is that very large images of all flavours tend to cause major problems in Firefox. Especially if they are scaled by the browser. I suspect you'd see the same problem if the image was displayed on the page. I guess the difference is that with favicons it is less obvious what's going on.

  • (Score: 2, Insightful) by MichaelDavidCrawford on Tuesday June 23 2015, @03:47PM

    by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Tuesday June 23 2015, @03:47PM (#199934) Homepage Journal

    IIRC some browser just started displaying favicon.ico if one was available. I don't object to vendor extensions, but it should have been submitted to the W3C so they could specify just what a favicon actually is.

    If you can crash a browser then likely a specially crafted favicon could install malware.

    By the way, does anyone know how to totally disable iOS autocorrect?

    • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @03:51PM

      by Anonymous Coward on Tuesday June 23 2015, @03:51PM (#199940)

      <input autocorrect="off" autocapitalize="off">

    • (Score: 5, Insightful) by WizardFusion on Tuesday June 23 2015, @04:03PM

      by WizardFusion (498) Subscriber Badge on Tuesday June 23 2015, @04:03PM (#199949) Journal

      By the way, does anyone know how to totally disable iOS autocorrect

      At the risk of being marked as a troll, don't use Apple products.

      • (Score: 2) by MichaelDavidCrawford on Tuesday June 23 2015, @05:02PM

        by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Tuesday June 23 2015, @05:02PM (#199980) Homepage Journal

        and led the standards committee that defined a protocol for interapplication text processing.

        To me autocorrect is particularly vexing because Spellswell and Lookup both worked better in the 1980s. Apple could have licensed our OEM engine rather than coming up with this crud at great expense.

        • (Score: 2) by kaszz on Wednesday June 24 2015, @12:30AM

          by kaszz (4211) on Wednesday June 24 2015, @12:30AM (#200168) Journal

          The licensing conditions for Spellswell perhaps weren't what Apple liked?

          • (Score: 3, Touché) by vux984 on Wednesday June 24 2015, @02:11AM

            by vux984 (5045) on Wednesday June 24 2015, @02:11AM (#200201)

            In that they existed? Apple seems more prone to NIH syndrome than many companies I've seen.

            • (Score: 2) by MichaelDavidCrawford on Wednesday June 24 2015, @05:49AM

              by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Wednesday June 24 2015, @05:49AM (#200243) Homepage Journal

              we earned our coin selling specialty dictionaries like legal and medical.

            • (Score: 2) by LoRdTAW on Wednesday June 24 2015, @03:17PM

              by LoRdTAW (3755) Subscriber Badge on Wednesday June 24 2015, @03:17PM (#200415)

              Their version of NIH is to buy out whoever has what they are looking for: https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Apple [wikipedia.org]

              A good example is their ARM SoCs, which are developed by the Intrinsity [wikipedia.org] team. Many people think these big tech companies are magical workshops that spawn awesomeness, when in reality they just go around buying out the good ideas and consolidating them behind a minefield of patents.

      • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @05:10PM

        by Anonymous Coward on Tuesday June 23 2015, @05:10PM (#199984)

        I hate this victim-blaming nonsense. You're saying that the way to prevent having your home broken into is to not have a home, and the way to prevent having your stuff stolen is to not own anything. Stop it with this bullshit, it's disgusting. It doesn't help anything and just lets everyone know what an asshole you are.

    • (Score: 5, Informative) by Tramii on Tuesday June 23 2015, @04:20PM

      by Tramii (920) on Tuesday June 23 2015, @04:20PM (#199959)
      1. Open the “Settings” app on the iPhone or iPad
      2. Go to “General” and then to “Keyboard”
      3. Locate “Auto-Capitalization” and flip the switch to the OFF position
      4. Locate “Auto-Correction” and flip the switch to the OFF position
      5. Exit out of Settings as usual
    • (Score: 4, Informative) by kaszz on Wednesday June 24 2015, @12:48AM

      by kaszz (4211) on Wednesday June 24 2015, @12:48AM (#200176) Journal

      Once upon a time in 1999, Microsoft released Internet Exploiter number 5, and its users in a comatose bliss started to spew requests for /favicon.ico into web server logs. It was like, wtf is that for? And then, purpose? And then, aha, eye candy for people that are look-new-shiny-bling-bling.

      As there is a file format called "ICO", perhaps it's time to specify that as the image format? And then the maximum pixel and file size?
      Seems some browsers have problems displaying large pictures regardless, so it could be beneficial to implement some kind of hard limit on images regardless. Like "This image will be 40 000 x 20 000 pixels and use 2.2 GB of memory, are you sure you want to display it?" along with free RAM and swap information.

      As for standard committees, Microsoft just steamrolls them.

      • (Score: 1) by ledow on Wednesday June 24 2015, @02:04PM

        by ledow (5567) Subscriber Badge on Wednesday June 24 2015, @02:04PM (#200386) Homepage

        If your favicon is over 32Kb, we just don't display it.

        See how long it takes for everyone to shrink their favicons back to a sensible size or feel the wrath of users who "only get the little default icon on your website, but not your competitor".
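The three checks argued for in this subthread (M. Baranczak's "abort the download when it passes 10n bytes", kaszz's "look at the claimed pixel size before decoding", ledow's hard cutoff) put together in one bounded favicon fetcher, as an added example and not code from any browser or from the commenters; the 32 KB byte budget, the 256x256 pixel budget and the sample ICO/PNG/"tar" inputs are constructed for illustration.

```python
import struct

# Budgets are constructed for this example, following the thread's advice:
# ledow's 32 KB cutoff and kaszz's "look at the claimed pixel size first".
MAX_FAVICON_BYTES = 32 * 1024
MAX_PIXELS = 256 * 256
MAGIC = {b"\x00\x00\x01\x00": "ico", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg"}

class FaviconRejected(Exception): pass    # untrusted favicon refused

def declared_pixels(fmt, head):
    """Pixel count the header claims, read without decoding anything."""
    if fmt == "png" and len(head) >= 24:    # IHDR width/height, big-endian
        w, h = struct.unpack(">II", head[16:24])
        return w * h
    if fmt == "gif" and len(head) >= 10:    # logical screen size, little-endian
        w, h = struct.unpack("<HH", head[6:10])
        return w * h
    return 0    # ICO cannot claim more than 256x256; JPEG relies on the byte cap

def fetch_favicon(chunks, content_length=None, limit=MAX_FAVICON_BYTES):
    """Read a favicon body from an iterator of byte chunks, aborting as soon as
    the declared or the actual size passes `limit`. Returns (format, bytes)."""
    if content_length is not None and content_length > limit:
        raise FaviconRejected(f"Content-Length {content_length} > {limit}")
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
        if len(buf) > limit:    # stop pulling bytes; the rest is never buffered
            raise FaviconRejected(f"body exceeded {limit} bytes, download aborted")
    head = bytes(buf[:24])
    fmt = next((n for m, n in MAGIC.items() if head.startswith(m)), None)
    if fmt is None:
        raise FaviconRejected("not an ICO/PNG/GIF/JPEG")
    if declared_pixels(fmt, head) > MAX_PIXELS:
        raise FaviconRejected("header claims an unreasonably large image")
    return fmt, bytes(buf)

def rejection_reason(chunks, content_length=None):
    try:    # None if the favicon is accepted, otherwise why it was refused
        fetch_favicon(chunks, content_length)
        return None
    except FaviconRejected as e:
        return str(e)

# Constructed samples, not real files from the story.
TINY_ICO = (b"\x00\x00\x01\x00\x01\x00" + bytes([16, 16, 0, 0])
            + struct.pack("<HHII", 1, 32, 1024, 22) + b"\x00" * 1024)
HUGE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", 40000, 20000) + b"\x08\x06\x00\x00\x00")

def tar_backup_chunks(n=100, size=1024):    # a "favicon" that is really a backup
    for _ in range(n):
        yield b"wp-backup/wp-config.php" + b"\x00" * (size - 23)
```

With the 1 KB chunked "backup" the loop stops after 33 chunks and the remaining 67 are never read, which is the behaviour the thread is asking for: the oversized file costs the client one budget's worth of bandwidth, not the whole archive.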

  • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @05:15PM

    by Anonymous Coward on Tuesday June 23 2015, @05:15PM (#199986)

    I wonder if the telcos and anyone else who charges for data is secretly behind this kind of shit. It's to their financial benefit for people to receive large amounts of data without realizing it. The concept of charging for data is absurd enough, especially since you have little control over the data you receive - you can seek out specific things, but a lot of extra garbage always comes with it.

  • (Score: 3, Funny) by joshuajon on Tuesday June 23 2015, @06:07PM

    by joshuajon (807) on Tuesday June 23 2015, @06:07PM (#200010)

    I think this vulnerability could really use a more serious sounding nickname. How about "Doomhammer" ?

    • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:05PM

      by Anonymous Coward on Tuesday June 23 2015, @08:05PM (#200066)

      Favanull

    • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:25PM

      by Anonymous Coward on Tuesday June 23 2015, @08:25PM (#200082)

      Haha, seconded! :D

    • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:56PM

      by Anonymous Coward on Tuesday June 23 2015, @08:56PM (#200097)

      I was angling for Faviolence, as conflating physical harm with digital doings is in now.

    • (Score: 0) by Anonymous Coward on Tuesday June 23 2015, @10:56PM

      by Anonymous Coward on Tuesday June 23 2015, @10:56PM (#200133)

      Favic*nT

    • (Score: 2) by M. Baranczak on Wednesday June 24 2015, @12:22AM

      by M. Baranczak (1673) on Wednesday June 24 2015, @12:22AM (#200164)
      FlavaFav.
    • (Score: 2, Funny) by Anonymous Coward on Wednesday June 24 2015, @01:21AM

      by Anonymous Coward on Wednesday June 24 2015, @01:21AM (#200189)

      Favikhaaaaaaaaaaaaaaaaaaaaaaan!

    • (Score: 0) by Anonymous Coward on Wednesday June 24 2015, @01:41PM

      by Anonymous Coward on Wednesday June 24 2015, @01:41PM (#200381)

      Crashicon?

  • (Score: 3, Funny) by Anonymous Coward on Tuesday June 23 2015, @11:00PM

    by Anonymous Coward on Tuesday June 23 2015, @11:00PM (#200135)

    640k should be enough for everyone!

    • (Score: 2) by Marand on Wednesday June 24 2015, @06:30AM

      by Marand (1081) on Wednesday June 24 2015, @06:30AM (#200256) Journal

      640k should be enough for everyone!

      For everyone? That's a pretty slim split; we may have to kill a few billion people to get bigger shares.

      World War III: battle for the favicons

  • (Score: 0) by Anonymous Coward on Wednesday June 24 2015, @02:21PM

    by Anonymous Coward on Wednesday June 24 2015, @02:21PM (#200389)

    I can't think of a safer way to transfer information to agents than via cryptic bits appended to the favicon.ico file.

    I'll bet the NSA filters out those transfers to save logfile space, too.

    Coincidence? You judge.

    I smell an inside job. Probably Israeli.

    • (Score: 0) by Anonymous Coward on Wednesday June 24 2015, @02:35PM

      by Anonymous Coward on Wednesday June 24 2015, @02:35PM (#200393)

      It is a way to get past sloppy network access reviews, I guess secret service level stuff doesn't need this, not in Israel, nor in Somalia.