Thursday, October 13, 2016

favicon.ico Is a Privacy Leak

Robin Linus (via Jeff Atwood):

For most web platforms there’s a way to abuse the login mechanism to detect whether a user is logged in to that service.

[…]

Well, the [Same Origin Policy] is strict for HTML pages, but it allows to receive images from other origins! So if the resource in the next parameter would be an image we could read it from our website. It can’t be any image though. Facebook checks if the URL in the next parameter starts with https://facebook.com. So we need to find an image on facebook.com. Should be easy, right? Actually it isn’t, because facebook hosts almost all images on their CDN servers under the domain fbcdn.net. Though there is one image that you can find on almost every webserver: the good old favicon.ico!

Comments RSS · Twitter

Leave a Comment