Reporter Packet Storm
`Date: Fri, 16 Apr 1999 22:11:22 -0700
>From: "Robert David Graham" <firstname.lastname@example.org>
In case you haven't heard, Microsoft has a new feature in IE 5.0 web
browser. When you add a website to you "Favorites" (aka. Bookmarks for you
Netscape users), the browser attempts to download a graphic called
"favicon.ico", then show that icon along with the title of the webpage.
This has two risks.
First of all, the website owner is notified when you the page to your
favorites, revealing information about yourself. A discussion of this can be
found at http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp
This privacy risk is probably minor, but I've seen several press articles on
The second RISK is much more severe. Go to AltaVista (or any search engine)
and search for "favicon.ico". You now have a list of 500 websites that
expose their access logs. In the logs, you can find several websites that
expose the URLs of CGI scripts, including passwords. Through manual
searching, I found 2 sites that exposed logon information; I'm sure I can
write a program that would scan those logs to look for CGI programs and get
even more. This also exposes even more privacy information because these
logs often contain the Referer field as well.
This isn't unique to "favicon.ico". The RISK is really:
* people are unintentionally exposing access logs on their web sites,
exposing user information and possible passwords.
* hackers can easily find vulnerable systems not by scanning the site itself
(which can be detected by intrusion detection systems), but by searching a
3rd party like AltaVista.
CTO, Network ICE