favicon.ico Is a Privacy Leak
Robin Linus (via Jeff Atwood):
For most web platforms there’s a way to abuse the login mechanism to detect whether a user is logged in to that service.
[…]
Well, the [Same Origin Policy] is strict for HTML pages, but it allows receiving images from other origins! So if the resource in the "next" parameter were an image, we could read it from our website. It can't be any image though. Facebook checks if the URL in the "next" parameter starts with https://facebook.com. So we need to find an image on facebook.com. Should be easy, right? Actually it isn't, because Facebook hosts almost all images on their CDN servers under the domain fbcdn.net. Though there is one image that you can find on almost every webserver: the good old favicon.ico!
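The leak described above depends on the login endpoint forwarding a signed-in user to whatever the "next" parameter names, including a static file such as favicon.ico that any origin can load as an image. One server-side check that removes that signal is to accept only the application's own page routes as a post-login target and never a static asset. The following is an added example, not code from the quoted post or from any site it mentions; the allowlist, route names and function names are hypothetical.

```python
"""Validate a post-login redirect target so it can never point at a static image.

Added example (not from the original post). The quoted attack works because the
login endpoint redirects a signed-in user to the value of the "next" parameter,
and a cross-origin page can observe whether an image load succeeded. Restricting
"next" to the application's own page routes removes that observable difference.
ALLOWED_NEXT_PREFIXES, DEFAULT_NEXT and the function names are hypothetical.
"""
import posixpath
from urllib.parse import urlsplit

# Hypothetical allowlist of page routes a user may be sent to after login.
ALLOWED_NEXT_PREFIXES = ("/home", "/settings", "/messages")
# Static asset types that any origin can load via an <img> element.
IMAGE_SUFFIXES = (".ico", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp")
DEFAULT_NEXT = "/home"


def is_safe_next(value: str) -> bool:
    """Return True only for a relative, same-origin page path on the allowlist."""
    if not value or len(value) > 2048:
        return False
    parts = urlsplit(value)
    # Absolute (https://...) and protocol-relative (//host/...) URLs can point
    # anywhere, so they are rejected outright.
    if parts.scheme or parts.netloc:
        return False
    # Browsers normalise backslashes to slashes; reject them rather than guess.
    if "\\" in value:
        return False
    # Collapse "." and ".." segments so "/home/../favicon.ico" is judged by its
    # real destination, then require a single-slash absolute path.
    path = posixpath.normpath(parts.path)
    if not path.startswith("/") or path.startswith("//"):
        return False
    # A redirect that lands on an image file is exactly the signal the attack
    # observes, so image paths are never accepted, allowlisted or not.
    if path.lower().endswith(IMAGE_SUFFIXES):
        return False
    return any(path == p or path.startswith(p + "/") for p in ALLOWED_NEXT_PREFIXES)


def resolve_next(value: str) -> str:
    """Redirect target to use after login; unsafe values fall back to DEFAULT_NEXT."""
    return value if is_safe_next(value) else DEFAULT_NEXT


if __name__ == "__main__":
    # Constructed sample values a login form might receive in "next".
    for candidate in ("/home", "/favicon.ico", "https://facebook.com/favicon.ico",
                      "//facebook.com/favicon.ico", "/home/../favicon.ico"):
        print(f"{candidate!r:40} -> {resolve_next(candidate)}")
```

The check is deliberately path-based rather than host-based: the quoted post shows that a host prefix check alone still admits a same-host favicon.ico, so the validator refuses image suffixes and anything outside the route allowlist regardless of host.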