IP: IE 5 at it again

[Dave Farber <farber () cis upenn edu>]

Date: Fri, 16 Apr 1999 22:11:22 -0700 
From: "Robert David Graham" <rob () netice com> 
Subject: favicon.ico

In case you haven't heard, Microsoft has a new feature in IE 5.0 web 
browser. When you add a website to you "Favorites" (aka. Bookmarks for you 
Netscape users), the browser attempts to download a graphic called 
"favicon.ico", then show that icon along with the title of the webpage.

This has two risks.

First of all, the website owner is notified when you the page to your 
favorites, revealing information about yourself. A discussion of this can be 
found at http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp 
This privacy risk is probably minor, but I've seen several press articles on 
the subject.

The second RISK is much more severe. Go to AltaVista (or any search engine) 
and search for "favicon.ico". You now have a list of 500 websites that 
expose their access logs. In the logs, you can find several websites that 
expose the URLs of CGI scripts, including passwords. Through manual 
searching, I found 2 sites that exposed logon information; I'm sure I can 
write a program that would scan those logs to look for CGI programs and get 
even more. This also exposes even more privacy information because these 
logs often contain the Referer field as well.

This isn't unique to "favicon.ico". The RISK is really:

* people are unintentionally exposing access logs on their web sites, 
exposing user information and possible passwords. 
* hackers can easily find vulnerable systems not by scanning the site itself 
(which can be detected by intrusion detection systems), but by searching a 
3rd party like AltaVista.
Robert Graham 
CTO, Network ICE 
http://www.networkice.com/advice