A Favicon bug lets Chrome and Firefox download huge favicon files to the point they crash the browser:
Andrea De Pasquale posted a tweet saying "Weird 64MB favicon.ico turning out to be a TAR backup of the whole WP site, downloaded by every browser passing by."
This creepy bug makes Chrome and Firefox download the huge favicon files to the point that they crash the browser. The silliest part is that users are not at all aware of this download, as it is all done in the background. And who is truly to blame for this?
[...] Technically, the existence of this bug is no surprise, as there is no rule or standard anywhere that states favicon files have to be below a specified size. As a matter of fact, favicon files need not be .ico files. A lot of GIF, PNG or JPEG files are used with popular websites, and there are no limitations linked to the file's extension.
(Score: 5, Funny) by VLM on Tuesday June 23 2015, @03:09PM
turning out to be a TAR backup of the whole WP site
I'm liking this new distributed backup strategy. Well maybe not the "crash the browser" aspect. But it is creative of someone.
I'm sure like most web 3.0 sites, that 10 GB is like 5K of valuable text content and 9.999995 GB of javascript social media trackers, take over the scroll bar, popups, ads, dynamic menus, all shite.
(Score: 4, Touché) by M. Baranczak on Tuesday June 23 2015, @03:15PM
(Score: 4, Insightful) by Katastic on Tuesday June 23 2015, @04:45PM
It's easy to think of it in hindsight. But man, have you EVER considered the size of a bookmark icon your entire life before today?
(Score: 5, Insightful) by M. Baranczak on Tuesday June 23 2015, @05:07PM
(Score: 2, Funny) by Anonymous Coward on Tuesday June 23 2015, @05:17PM
http://i2.kym-cdn.com/photos/images/original/000/663/912/ecb.png [kym-cdn.com]
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @09:19PM
Seriously, no one saw this coming? No one? For a small, small icon? No one saw it coming? We have lost this war, if no one thinks about this sort of thing at all when designing stuff, I just give up. I just can't understand this. I give up.
(Score: 1, Insightful) by Anonymous Coward on Tuesday June 23 2015, @03:19PM
It is only no surprise if you assume that programmers don't know to check their stuff.
No limit given means you have to expect arbitrarily large files and handle them gracefully. This can mean ignoring files that are too large to handle. It cannot mean crashing. A crash always means that you made an assumption without checking that this assumption holds for your input. In this case, the assumption was that the favicon files will not be arbitrarily large, and/or that it will always be a valid image file.
External input must always be checked, especially if it comes from an untrusted source. And frankly, I'm surprised that downloading the favicon behaves differently than downloading anything else, because at the end the only difference between a favicon and another image is where it gets displayed.
(Score: 3, Interesting) by MichaelDavidCrawford on Tuesday June 23 2015, @03:43PM
It is trivial to crash mobile safari, just spend ten minutes on Facebook.
This is inexcusable.
My MacBook Pro just bit the dust. For many reasons I may never purchase an Apple product ever again.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by GungnirSniper on Tuesday June 23 2015, @03:49PM
Funny, Facebook doesn't kill my mobile browser but things with too many scripts will, like Reason.com. I wonder if that's intended to push us towards mobile (spyware) apps for each site.
Tips for better submissions to help our site grow. [soylentnews.org]
(Score: 2) by Tramii on Tuesday June 23 2015, @04:16PM
It is trivial to crash mobile safari, just spend ten minutes on Facebook.
I just tested this on my iPhone and determined that it was not "trivial". I normally use the Facebook app and was curious to see if I could indeed crash Safari by clicking around on things for 10 minutes. Everything worked fine and mobile Safari did not crash. Of course, I don't have 10,000 friends constantly spamming me with worthless posts, so maybe that's the difference. ¯\_(ツ)_/¯
(Score: 2) by Freeman on Tuesday June 23 2015, @04:40PM
I tried totally ignoring facebook. I still do for the most part, but too many people that I actually care about use it. So, I end up checking it once every couple of months, sometimes more frequently. Plus, my wife is on it, nearly constantly, so I don't really need to check it very often.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:08PM
...ignoring facebook. I still do for the most part, but too many people that I actually care about use it.
Sounds like you care about the wrong kinds of people{grin}. I ignore fb and don't miss much of anything, my friends do the same.
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @04:57PM
Try Zerohedge [zerohedge.com] or The Green Site [slashdot.org] on the latest generation of iPod if you want to experience a crash. Both dump more ad-tracking code than Safari can handle (or than anyone should have ever reasonably been expected to handle).
(Score: 2) by Tramii on Tuesday June 23 2015, @06:29PM
Fair enough. But I don't think I would sweat it if my MP3 player choked while trying to render a bloated website.
(Score: 1, Funny) by Anonymous Coward on Tuesday June 23 2015, @08:43PM
Surely that's a feature, not a bug. ;P
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @03:44PM
My experience is that very large images of all flavours tend to cause major problems in Firefox. Especially if they are scaled by the browser. I suspect you'd see the same problem if the image was displayed on the page. I guess the difference is that with favicons it is less obvious what's going on.
(Score: 2, Insightful) by MichaelDavidCrawford on Tuesday June 23 2015, @03:47PM
IIRC some browser just started displaying favicon.ico if one was available. I don't object to vendor extensions but it should have been submitted to the W3C so they could specify just what a favicon actually is.
If you can crash a browser then likely a specially crafted favicon could install malware.
By the way, does anyone know how to totally disable iOS autocorrect?
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @03:51PM
<input autocorrect="off" autocapitalize="off">
(Score: 5, Insightful) by WizardFusion on Tuesday June 23 2015, @04:03PM
By the way soes anyone know how to totally disable iOS autocorrect
At the risk of being marked as a troll, don't use apple products.
(Score: 2) by MichaelDavidCrawford on Tuesday June 23 2015, @05:02PM
and led the standards committee that defined a protocol for interapplication text processing.
To me autocorrect is particularly vexing because Spellswell and Lookup both worked better in the 1980s. Apple could have licensed our OEM engine rather than coming up with this crud at great expense.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by kaszz on Wednesday June 24 2015, @12:30AM
The licensing conditions for Spellswell perhaps weren't what Apple liked?
(Score: 3, Touché) by vux984 on Wednesday June 24 2015, @02:11AM
In that they existed? Apple seems more prone to NIH syndrome than many companies I've seen.
(Score: 2) by MichaelDavidCrawford on Wednesday June 24 2015, @05:49AM
we earned our coin selling specialty dictionaries like legal and medical.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by LoRdTAW on Wednesday June 24 2015, @03:17PM
Their version of NIH is to buy out whoever has what they are looking for: https://en.wikipedia.org/wiki/List_of_mergers_and_acquisitions_by_Apple [wikipedia.org]
A good example is their ARM SoCs, which are developed by the Intrinsity [wikipedia.org] team. Many people think these big tech companies are magical workshops that spawn awesomeness. When in reality, they just go around buying out the good ideas and consolidating them behind a minefield of patents.
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @05:10PM
I hate this victim-blaming nonsense. You're saying that the way to prevent having your home broken into is to not have a home, and the way to prevent having your stuff stolen is to not own anything. Stop it with this bullshit, it's disgusting. It doesn't help anything and just lets everyone know what an asshole you are.
(Score: 5, Informative) by Tramii on Tuesday June 23 2015, @04:20PM
(Score: 4, Informative) by kaszz on Wednesday June 24 2015, @12:48AM
Once upon a time in 1999, Microsoft released Internet Exploiter number 5 and its users in a comatose bliss started to spew requests for /favicon.ico into web server logs. It was like, wtf is that for? And then, purpose? And then, aha, eye candy for people that are look-new-shiny-bling-bling.
As there is a file format called "ICO" perhaps it's time to specify that as the image format? and then the maximum pixel and filesize?
Seems some browsers have problems displaying large pictures regardless so it could be beneficial to implement some kind of hard limit on images regardless. Like "This image will be 40 000 x 20 000 pixels and using 2.2 GB memory, are you sure you want to display it?" along with free RAM and swap information.
As for standard committees, Microsoft just steamrolls them.
(Score: 1) by ledow on Wednesday June 24 2015, @02:04PM
If your favicon is over 32Kb, we just don't display it.
See how long it takes for everyone to shrink their favicons back to a sensible size or feel the wrath of users who "only get the little default icon on your website, but not your competitor".
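The two defensive ideas raised in this thread (treat the favicon as untrusted input and ignore what you cannot handle rather than crash, and refuse anything over a hard size cap or an absurd declared pixel size) as an added example in Node.js. This is not code from the thread, from the article, or from any browser's favicon loader. The 32 KiB byte cap, the 1 Mpixel budget and the sample headers are constructed for illustration; the header layouts (PNG IHDR, GIF logical screen descriptor, ICO ICONDIR/ICONDIRENTRY) follow those formats' public specifications.

```javascript
// Added example: vet an untrusted favicon response before any decoder runs.
//   1. A byte cap applied while streaming, so a 64 MB "favicon.ico" is
//      abandoned after MAX_BYTES instead of being buffered in full.
//   2. A pixel budget checked against the dimensions the ICO/PNG/GIF header
//      *declares*, so a tiny file claiming 40000x20000 pixels is refused
//      before a decoder tries to allocate width * height * 4 bytes.
// MAX_BYTES and MAX_PIXELS are illustrative values, not any standard's.

const MAX_BYTES = 32 * 1024;        // cap on the favicon transfer (32 KiB)
const MAX_PIXELS = 1024 * 1024;     // cap on declared width * height
const BYTES_PER_PIXEL = 4;          // RGBA decode-buffer estimate
const PNG_SIG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Consume an iterable of Buffers (what a streaming HTTP body yields) and stop
// as soon as the running total exceeds maxBytes. Returns null on overflow, so
// the caller never holds more than maxBytes plus one chunk in memory.
function readBounded(chunks, maxBytes = MAX_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) return null;
    parts.push(chunk);
  }
  return Buffer.concat(parts, total);
}

// Sniff the container by magic bytes and read the declared dimensions from the
// header. Returns { format, width, height }, or null if the data is not a
// recognised image or its directory points outside the bytes we actually have.
function declaredDimensions(buf) {
  // PNG: 8-byte signature, 4-byte chunk length, "IHDR", 32-bit BE width/height.
  if (buf.length >= 24 && buf.subarray(0, 8).equals(PNG_SIG) &&
      buf.toString('latin1', 12, 16) === 'IHDR') {
    return { format: 'png', width: buf.readUInt32BE(16), height: buf.readUInt32BE(20) };
  }
  // GIF: "GIF87a"/"GIF89a", then 16-bit LE logical screen width/height.
  const gifTag = buf.length >= 10 ? buf.toString('latin1', 0, 6) : '';
  if (gifTag === 'GIF87a' || gifTag === 'GIF89a') {
    return { format: 'gif', width: buf.readUInt16LE(6), height: buf.readUInt16LE(8) };
  }
  // ICO: ICONDIR { reserved = 0, type = 1, count }, then 16-byte ICONDIRENTRY
  // records { width, height, colours, reserved, planes, bpp, size, offset }.
  // A width/height byte of 0 means 256.
  if (buf.length >= 6 && buf.readUInt16LE(0) === 0 && buf.readUInt16LE(2) === 1) {
    const count = buf.readUInt16LE(4);
    if (count === 0 || buf.length < 6 + 16 * count) return null;
    let width = 0, height = 0;
    for (let i = 0; i < count; i++) {
      const e = 6 + 16 * i;
      const size = buf.readUInt32LE(e + 8);
      const offset = buf.readUInt32LE(e + 12);
      if (offset + size > buf.length) return null;   // directory lies about its payload
      width = Math.max(width, buf[e] || 256);
      height = Math.max(height, buf[e + 1] || 256);
    }
    return { format: 'ico', width, height };
  }
  return null;
}

// The policy: accept only when both limits hold. Anything else is ignored,
// which is the graceful failure mode for a cosmetic resource like a favicon.
function vetFavicon(chunks) {
  const buf = readBounded(chunks);
  if (buf === null) return { ok: false, reason: 'exceeds byte cap' };
  const dims = declaredDimensions(buf);
  if (dims === null) return { ok: false, reason: 'not a recognised image container' };
  const pixels = dims.width * dims.height;
  if (pixels > MAX_PIXELS) {
    return { ok: false, reason: `declares ${dims.width}x${dims.height}, ~${pixels * BYTES_PER_PIXEL} bytes to decode` };
  }
  return { ok: true, ...dims, bytes: buf.length };
}

// Constructed sample inputs (headers only; no real site's files).
function pngHeader(width, height) {
  const b = Buffer.alloc(24);
  PNG_SIG.copy(b, 0);
  b.writeUInt32BE(13, 8);               // IHDR chunk length
  b.write('IHDR', 12, 'latin1');
  b.writeUInt32BE(width, 16);
  b.writeUInt32BE(height, 20);
  return [b];
}
function icoFile(width, height, lieAboutOffset = false) {
  const b = Buffer.alloc(6 + 16 + 8);   // ICONDIR + one entry + 8 payload bytes
  b.writeUInt16LE(1, 2);                // type 1 = icon
  b.writeUInt16LE(1, 4);                // one entry
  b[6] = width & 0xff;                  // 0 encodes 256
  b[7] = height & 0xff;
  b.writeUInt16LE(1, 10);               // colour planes
  b.writeUInt16LE(32, 12);              // bits per pixel
  b.writeUInt32LE(8, 14);               // payload size
  b.writeUInt32LE(lieAboutOffset ? 0x10000 : 22, 18);   // payload offset
  return [b];
}
// A 64 MB "favicon" arriving in 1 KiB chunks; the generator means nothing
// beyond the cap is ever materialised.
function* oversizedBody() {
  for (let i = 0; i < 64 * 1024; i++) yield Buffer.alloc(1024, 0x41);
}

for (const [name, body] of [
  ['16x16 png', pngHeader(16, 16)],
  ['40000x20000 png', pngHeader(40000, 20000)],
  ['16x16 ico', icoFile(16, 16)],
  ['ico with bogus offset', icoFile(16, 16, true)],
  ['64 MB tarball', oversizedBody()],
]) {
  console.log(name, '->', vetFavicon(body));
}
```

Both checks are deliberately independent: the byte cap protects the fetch itself (bandwidth, memory, time), while the declared-dimension check protects the decoder, since a few hundred bytes of valid PNG header can still describe a multi-gigabyte bitmap. A real loader would additionally bound the decoder's output buffer, because the header is still attacker-controlled and may not match the compressed data that follows.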
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @05:15PM
I wonder if the telcos and anyone else who charges for data is secretly behind this kind of shit. It's to their financial benefit for people to receive large amounts of data without realizing it. The concept of charging for data is absurd enough, especially since you have little control over the data you receive - you can seek out specific things, but a lot of extra garbage always comes with it.
(Score: 3, Funny) by joshuajon on Tuesday June 23 2015, @06:07PM
I think this vulnerability could really use a more serious sounding nickname. How about "Doomhammer" ?
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:05PM
Favanull
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:25PM
Haha, seconded! :D
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @08:56PM
I was angling for Faviolence, as conflating physical harm with digital doings is in now.
(Score: 0) by Anonymous Coward on Tuesday June 23 2015, @10:56PM
Favic*nT
(Score: 2) by M. Baranczak on Wednesday June 24 2015, @12:22AM
(Score: 2, Funny) by Anonymous Coward on Wednesday June 24 2015, @01:21AM
Favikhaaaaaaaaaaaaaaaaaaaaaaan!
(Score: 0) by Anonymous Coward on Wednesday June 24 2015, @01:41PM
Crashicon?
(Score: 3, Funny) by Anonymous Coward on Tuesday June 23 2015, @11:00PM
640k should be enough for everyone!
(Score: 2) by Marand on Wednesday June 24 2015, @06:30AM
640k should be enough for everyone!
For everyone? That's a pretty slim split; we may have to kill a few billion people to get bigger shares.
World War III: battle for the favicons
(Score: 0) by Anonymous Coward on Wednesday June 24 2015, @02:21PM
I can't think of a safer way to transfer information to agents than via cryptic bits appended to the favicon.ico file.
I'll bet the NSA filters out those transfers to save logfile space, too.
Coincidence? You judge.
I smell an inside job. Probably Israeli.
(Score: 0) by Anonymous Coward on Wednesday June 24 2015, @02:35PM
It is a way to get past sloppy network access reviews, I guess secret service level stuff doesn't need this, not in Israel, nor in Somalia.