[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Robert David Graham on IE5 security problems

To: Multiple recipients of list RANDOM-BITS <random-bits@essential.org>
Subject: Robert David Graham on IE5 security problems
From: James Love <love@cptech.org>
Date: Mon, 19 Apr 1999 18:40:27 -0400
Organization: http://www.cptech.org
Sender: jamie@essential.org

More on risks of IE5. jl

-----------------------------
Subject: IP: IE 5 at it again
   Date: Mon, 19 Apr 1999 02:48:53 -0400
  From: Dave Farber <farber@cis.upenn.edu>
    To: ip-sub-1@admin.listbox.com

Date: Fri, 16 Apr 1999 22:11:22 -0700 
From: "Robert David Graham" <rob@netice.com> 
Subject: favicon.ico

In case you haven't heard, Microsoft has a new feature in IE 5.0 web 
browser. When you add a website to you "Favorites" (aka. Bookmarks for
you 
Netscape users), the browser attempts to download a graphic called 
"favicon.ico", then show that icon along with the title of the webpage.

This has two risks.

First of all, the website owner is notified when you the page to your 
favorites, revealing information about yourself. A discussion of this
can be 
found at
http://msdn.microsoft.com/workshop/essentials/versions/ICPIE5.asp 
This privacy risk is probably minor, but I've seen several press
articles on 
the subject.

The second RISK is much more severe. Go to AltaVista (or any search
engine) 
and search for "favicon.ico". You now have a list of 500 websites that 
expose their access logs. In the logs, you can find several websites
that 
expose the URLs of CGI scripts, including passwords. Through manual 
searching, I found 2 sites that exposed logon information; I'm sure I
can 
write a program that would scan those logs to look for CGI programs and
get 
even more. This also exposes even more privacy information because these 
logs often contain the Referer field as well.

This isn't unique to "favicon.ico". The RISK is really:

* people are unintentionally exposing access logs on their web sites, 
exposing user information and possible passwords. 
* hackers can easily find vulnerable systems not by scanning the site
itself 
(which can be detected by intrusion detection systems), but by searching
a 
3rd party like AltaVista.
Robert Graham 
CTO, Network ICE 
http://www.networkice.com/advice

-- 
James Love, Director, Consumer Project on Technology
I can be reached at love@cptech.org, by telephone 202.387.8030,
by fax at 202.234.5176. CPT web page is http://www.cptech.org

Prev by Date: FTC Note regarding Consumer Protection in a Global Market
Next by Date: TACD meeting
Prev by thread: FTC Note regarding Consumer Protection in a Global Market
Next by thread: TACD meeting
Index(es):
- Date
- Thread