Date: Fri, 16 Apr 1999 22:11:22 -0700 >From: "Robert David Graham" Subject: favicon.ico In case you haven't heard, Microsoft has a new feature in IE 5.0 web browser. When you add a website to you "Favorites" (aka. Bookmarks for you Netscape users), the browser attempts to download a graphic called "favicon.ico", then show that icon along with the title of the webpage. This has two risks. First of all, the website owner is notified when you the page to your favorites, revealing information about yourself. A discussion of this can be found at http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp This privacy risk is probably minor, but I've seen several press articles on the subject. The second RISK is much more severe. Go to AltaVista (or any search engine) and search for "favicon.ico". You now have a list of 500 websites that expose their access logs. In the logs, you can find several websites that expose the URLs of CGI scripts, including passwords. Through manual searching, I found 2 sites that exposed logon information; I'm sure I can write a program that would scan those logs to look for CGI programs and get even more. This also exposes even more privacy information because these logs often contain the Referer field as well. This isn't unique to "favicon.ico". The RISK is really: * people are unintentionally exposing access logs on their web sites, exposing user information and possible passwords. * hackers can easily find vulnerable systems not by scanning the site itself (which can be detected by intrusion detection systems), but by searching a 3rd party like AltaVista. Robert Graham CTO, Network ICE http://www.networkice.com/advice