A 10GB+ Favicon Bug Icon Keeps Downloading Until It Crashes Your Web Browser
Andrea De Pasquale, security analyst and software developer recently spotted a bug that can actually crash Firefox and Chrome browsers. The small little icon termed as Favicon can actually crash your web browser apparently if you attempt to download files more than 10GB. The favicon icon is usually only a few kilobytes in size.
Andrea De Pasquale posted a tweet saying,
“Weird 64MB favicon.ico turning out to be a TAR backup of the whole WP site, downloaded by every browser passing by.”
This creepy bug makes Chrome and Firefox download the huge favicon files to the point till they crash the browser. The silliest part is that the users are not at all aware of this download as it is all done in the background and who is truly to be blamed for this.
Favicon is an icon or a symbol image of a website, which is shown on the top left corner of the web browser. A Favicon is precisely 16X16 in size, but it looks like the bug has come from a favicon file which is incorrectly sized.
In more thorough tests performed by Benjamin Gruenbaum, a Google Chrome browser before crashing managed to download up to 10GB of a favicon file. In other words, it means that it could download up to two DVDs along with some information before finally taking over the browser and crashing it down.
The bug was reproduced with both touch-icon and favicon files, which indicated that both mobile and desktop browsers are vulnerable to it.
Safari and Firefox browsers are also susceptible to this. However, the good news is that Firefox has already corrected this issue in less than two days. Also, a patched version will be available with its next update.
Technically, the existence of this bug is no surprise, as there is no rule of standard anywhere which states that the favicon files have to be below a specified limit.
As a matter of fact, the favicon files need not have to be .ico files. A lot of GIF, PNG or JPEG files are used with popular websites, and there are no limitations linked to the file’s extension.
Initially discovered by De Pasquale, the bug was spotted when he went into a website that sent a WordPress backup .tar file instead of the favicon.
This implies that as browsers do not perform any kind of security checks, you can pass any type of file as your favicon with the trust that the website’s developers do not deliver anything “else” (to be read as “dangerous”).
Hopefully, the bug issue is expected to be fixed soon, as reports have been filed with all three browsers. In the meanwhile, it is just another illustration of how computers are not just one of the most powerful tools we have, but also lacks common sense.