Security analysts have uncovered a rather different flaw, capable of crashing Firefox, Chrome and Safari, the world's three largest browsers. The bizarre bug abuses the small favicon file, which is usually around a few kilobytes. When the bug is triggered, however, the browser tries to download a 1GB favicon until the entire browser crashes.
The bizarre bug forces both Firefox and Chrome to download the massive favicon file, and will not stop until the browser crashes or completes rendering the massive gigabyte favicon. What makes this troubling is that the end user is never made aware the file is downloading, meaning there is no way to cancel this. It begins to render and instantly crashes with nothing the user can do about the crash.
Favicons are small icons that website owners can choose to add to their website; they appear at the top left of the web browser (ours is a black F and red H). The icon is a measly 16×16 pixels, but when the favicon crash bug is abused, the browser tries to render images scaled far larger.
Security analyst Benjamin Gruenbaum, who worked alongside Andrea De Pasquale, managed to download the full 1GB favicon file while in Chrome. For those who don't know, 1GB is a massive file size for a favicon that is not even supposed to be more than a couple of kilobytes.
The duo were able to replicate the flaw across both touch-icon and favicon files, indicating that both mobile and desktop browsers are affected by the favicon crash bug.
During testing, Gruenbaum concluded that Chrome, Firefox and Safari were the only browsers susceptible to the favicon crash bug. However, Firefox was able to issue a patch in less than 48 hours, and the patched version will also be included in their next update.
The existence of the bug should be no shock, as no standard currently requires favicons to be below a certain size; the size is the website owner's choice.
What's even more shocking is that the favicon file does not have to be a .ico file. Favicons are often loaded from .gif, .png or .jpeg files, a practice common among popular websites, as favicons have no limit on extensions. The browser's job is to simply load the icon and display the image in the top left of your browser bar.
De Pasquale stumbled upon the rather annoying favicon crash bug when he went to a website that rendered a WordPress backup .tar file instead of the usual favicon. He detailed his findings on Twitter:
Weird 64MB favicon.ico turning out to be a TAR backup of the whole WP site, downloaded by every browser passing by… pic.twitter.com/4U7412FYkM
— Andrea De Pasquale (@a_de_pasquale) June 11, 2015
This means that browsers currently don’t perform any kind of security checks when it comes to loading favicons, so the browser just assumes the website developer will post the appropriate icon size.
Hopefully the favicon crash bug can be patched soon, as all three of the world's main browsers are affected and this could lead to massive havoc.
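The missing checks described above, sketched as an audit a site owner or crawler could run over icon responses. This is an added example, not code from the researchers or any browser; the 1 MiB cap, the function names and the sample inputs are assumptions made for illustration.

```python
from html.parser import HTMLParser

MAX_ICON_BYTES = 1024 * 1024  # assumed policy cap; no standard defines one
IMAGE_MAGIC = {  # leading bytes of the formats commonly served as favicons
    b"\x00\x00\x01\x00": "ico", b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif", b"GIF89a": "gif", b"\xff\xd8\xff": "jpeg",
}

class IconLinks(HTMLParser):
    """Collect hrefs of <link> tags that declare a favicon or touch icon."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        is_icon = any(r == "icon" or r.startswith("apple-touch-icon") for r in rels)
        if tag == "link" and is_icon and a.get("href"):
            self.hrefs.append(a["href"])

def find_icons(html):
    parser = IconLinks()
    parser.feed(html)
    return parser.hrefs or ["/favicon.ico"]  # default path browsers request

def sniff(head):
    """Identify content from its first bytes, ignoring the file extension."""
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return "tar" if head[257:262] == b"ustar" else "unknown"

def audit_icon(content_length, head, cap=MAX_ICON_BYTES):
    """Return findings for one icon response (declared size + first bytes)."""
    findings = []
    if content_length is None:
        findings.append("no Content-Length: read with a hard byte cap")
    elif content_length > cap:
        findings.append(f"oversized: {content_length} bytes > cap {cap}")
    kind = sniff(head)
    if kind not in IMAGE_MAGIC.values():
        findings.append(f"not an image: {kind}")
    return findings

# Constructed sample input (not captured from a real site).
SAMPLE_HTML = '<link rel="shortcut icon" href="/favicon.ico"><link rel="apple-touch-icon" href="/touch.png">'
TAR_HEAD = b"\x00" * 257 + b"ustar" + b"\x00" * 250  # ustar magic sits at offset 257
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
```

Calling `audit_icon(64 * 1024 * 1024, TAR_HEAD)` models the 64MB TAR case from the tweet and flags both the size and the content type, while a small PNG passes with no findings.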