Are cross-domain badges a security risk?

I have a site for articles submitted by users, and the idea I used for this feature was to capture an icon from the target site so that it displays along with the link.

The icon capture technique checks the favicon.ico file on the target server. Would displaying this icon as an image open any hole? Could there be some kind of malicious badge? Does having the server convert the image to a different file format pose a risk?

+4
4 answers

A vulnerability appeared in the Windows JPEG handler several years ago. It is possible that vulnerabilities may be found in other formats in the future, but I think you are safe enough displaying it as it is, as long as you are careful to apply patches if such a threat is published.

However, in order to protect the privacy of your users, you should cache the icon on your server and have users' browsers retrieve it from there. On the other hand, some sites may feel that you have violated their intellectual property by displaying their icon on your site. Again, I probably wouldn't worry too much about it until they ask you to stop.

+5

Privacy would be my main concern, as favicons are sometimes used to track who bookmarks a page. At the very least, this would skew their data, as they would think that more people bookmark them than actually do.

When browsers use them, the recommended behavior, which it seems to me is accepted by the majority now, is to fetch the icon only when visiting a site and then cache it in the browser. I would do the same server-side: fetch the icon when the user submits the article and cache it (and at the same time you can take the opportunity to check that the link is valid, extract a summary, etc.).

+1

There is always a risk of including content that you have no control over.

For example, if the image renderer in browser X suffers from a buffer overflow vulnerability, the owner of the site hosting the original image may replace the original icon with a malicious one. Then your users may be infected from your site without your knowledge.

0

As a complement to the other answers, you should be aware that many (most?) sites these days do not have a favicon.ico in the root directory of their web site, but rather a tag similar to this in the HTML head:

 <link rel="shortcut icon" href="http://www.example.com/images/icon.png"> 

So the icon may be in formats other than .ico.

0
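The two practical points raised in the answers above, fetching the icon once at article-submission time and serving a cached copy (second answer), and discovering the icon through the `<link rel="... icon">` tag rather than assuming `/favicon.ico` (last answer), combined into one script. This is an added example, not code from the original thread or any answerer. It takes a `fetch` callable instead of doing network I/O, so the constructed sample HTML and icon bytes below run offline; the 64 KB size cap and the set of accepted formats are assumptions for illustration. Validation relies on magic bytes rather than the remote `Content-Type` header, since that header is under the third party's control.

```python
"""Server-side favicon discovery, validation and caching (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

MAX_ICON_BYTES = 64 * 1024  # assumed cap; real favicons are a few KB

# Leading bytes of the formats we are willing to re-serve to our own users.
_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}


class _IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel list contains 'icon'
    (covers rel="icon" as well as rel="shortcut icon")."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if "icon" in rel and a.get("href"):
            self.hrefs.append(a["href"])


def find_icon_url(page_url, html):
    """Resolve the first declared icon against the page URL; fall back to
    /favicon.ico at the site root when the page declares none."""
    parser = _IconLinkParser()
    parser.feed(html)
    if parser.hrefs:
        return urljoin(page_url, parser.hrefs[0])
    parts = urlsplit(page_url)
    return f"{parts.scheme}://{parts.netloc}/favicon.ico"


def sniff_image_type(data):
    """Identify the image format from its leading bytes, or None."""
    for magic, kind in _MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_icon(data):
    """Return the detected format, or raise ValueError if the bytes are too
    large or not one of the accepted image types."""
    if len(data) > MAX_ICON_BYTES:
        raise ValueError("icon too large")
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("not a recognised image format")
    return kind


class IconCache:
    """One fetch per host, done when an article is submitted; later requests
    from our own pages are answered from the cache, so users' browsers never
    contact the third-party server."""

    def __init__(self, fetch):
        self._fetch = fetch  # callable(url) -> bytes, supplied by the caller
        self._store = {}     # host -> (format, bytes)

    def get(self, page_url, html):
        host = urlsplit(page_url).netloc
        if host not in self._store:
            data = self._fetch(find_icon_url(page_url, html))
            self._store[host] = (validate_icon(data), data)
        return self._store[host]


# Constructed sample input: a page declaring a relative PNG icon, and a fake
# fetcher that returns PNG bytes for it and an HTML page for anything else.
SAMPLE_HTML = ('<html><head><link rel="shortcut icon" href="/images/icon.png">'
               '</head><body>article</body></html>')
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FETCH_LOG = []


def sample_fetch(url):
    FETCH_LOG.append(url)
    return SAMPLE_PNG if url.endswith("icon.png") else b"<html>not an image</html>"


if __name__ == "__main__":
    cache = IconCache(sample_fetch)
    print(cache.get("https://example.com/articles/1", SAMPLE_HTML)[0])  # png
    print(FETCH_LOG)
```

Note that the cache key is the host, so every article linking to the same site reuses one validated icon; a real deployment would also add an expiry and a bound on the number of hosts stored.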
