1. Computing

Discuss in my forum

Are favicons a security risk?

By

Question: Are favicons a security risk?

Favicons, the little icons that appear beside the URL in the browser bar, have been cause for concern by customers. There is a feeling that they could allow website owners to track their bookmarking, install malicious software, or hide the real URL of the site being visited.

Answer:

Over the years, there have been a few security issues for customers when using a favicon, but the browser manufacturers are very vigilant about patching their browsers when they find them. As long as you and your customers keep your browsers up-to-date, favicons are a useful tool, not a security risk.

There are a few things you should be aware of regarding favicons and security and privacy issues.

  1. Do not use JavaScript to call your favicon.ico file or write the LINK tag with JavaScript. Hackers could use this to run or install malicious software. (Source Mozilla Foundation Security Advisory 2005-37)
  2. There is an issue with the Opera browser 7.5 (and lower) that allows information to be spoofed through the favicon. Malicious site owners can create a favicon that completely covers the real URL of the site being visited, making readers think that they are visiting a safe location, when they are really going to a malware site. This won't affect website favicons that you use, but could put you at risk if you use those older versions of Opera. (Source: Secunia)
  3. When IE first started supporting favicons, it would send a loggable request whenever a favicon was accessed by a bookmark. This made it possible for web developers to track who was bookmarking their pages and when they were accessing the bookmarks. Internet Explorer has since fixed this issue. Plus, favicons are used in the browser's address bar as well, so every time a page is accessed the favicon is loaded. This effectively masks any bookmark requests.
  4. Safari 1 for Windows and Macintosh had an issue where it would load the favicon image, even if images were turned off in the browser. This has been fixed in subsequent versions of Safari. (Source: The Joshmeister on Security)

©2014 About.com. All rights reserved.