I Stored a Website in a Favicon

(timwehrle.de)

63 points | by theanonymousone 1 hour ago

13 comments

Tepix 57 minutes ago
Instead of going via pixels, why not use a SVG favicon and directly store markup inside it and extract it?
Use this favicon.svg:
```
    <svg xmlns="http://www.w3.org/2000/svg">
    <circle cx="50%" cy="50%" r="50%" fill="orange"/>
    <p>hello HN!</p>
    </svg>
```
use this in your <head> to use a svg favicon:
```
    <link id="favicon" rel="icon" href="favicon.svg" type="image/svg+xml">
```
finally, use this in your <body> to extract it and add it to your document body:
```
    <script>
    fetch(favicon.href).then(r => r.text()).then(t => document.body.innerHTML += t.match(/<p[\s\S]*p>/)[0]);
    </script>
```
[-]
- weetii 35 minutes ago
  Hey, yeah, I wrote the article. This (of course) would be more practical. Thanks for pointing it out. I wanted the payload to "live" in actual pixel data rather than hidden text inside an XML file. That’s why I went this way :)
  [-]
  - peter-m80 33 minutes ago
    The ico file format allows multiple resolution icons, so a lot of data
    [-]
    - weetii 28 minutes ago
      Good point, I might add a section in the article where I list alternative approaches. Thanks
Walf 43 minutes ago
PNG has comment chunks tEXt, zTXt, and iTXt. You can have a completely normal image whose file is stuffed with as much content as you want. That is less fun, I suppose.
[-]
- weetii 33 minutes ago
  Yes, that would also work, thanks for pointing it out
sheept 1 hour ago
You can use the favicon cache as storage too, by redirecting users across domains. It's been proposed as a potential fingerprinting risk[0], and if a browser naively reuses the cache for incognito mode, it could be used to track users across browser profiles.
[0]: https://www.schneier.com/blog/archives/2021/02/browser-track...
[-]
- koolala 43 minutes ago
  Wasn't this fixed or mostly fixed?
esquivalience 6 minutes ago
I found the agressively staccato, clearly LLM-generated content extremely difficult to read.
[-]
- scottmcdot 2 minutes ago
  Which bit? The short sentences?
- estetlinus 4 minutes ago
  It’s the new internet. So, so annoying.
franciscop 1 hour ago
Is this timing coincidence? I just submitted 1h (30 mins before this) ago a website I just made about storing your stock porfolio in a URL + favicon!
https://news.ycombinator.com/item?id=48606396
beardyw 35 minutes ago
I would have used a minimal service worker to unpack the web data and present it as if it were just a normal page being loaded.
ab_wahab01 27 minutes ago
Fascinating concept! Thanks for sharing this!
bozdemir 57 minutes ago
Very cool. I wonder is it possible to make a simple game with also leveraging the webassembly?
[-]
- weetii 31 minutes ago
  Yes, probably. I guess, you’d need a bigger favicon since the minimal Rust WASM binary is around 20KB+ (?)
superjose 1 hour ago
Pretty cool tbh!!! Would have loved seeing the decoder code!!!
It's also pretty interesting to think how an attacker could exploit images on his behalf. Never thought that would be a way!!!
Thanks!
[-]
- schobi 1 hour ago
  I guess the decoder is more than the 208 bytes that this page uses..
  But maybe you can misuse this and store a session ID / cookie in a favicon (give everyone a unique one) and survive some cookie cleanup and evade privacy restrictions?
  Maybe you can still make it that the favicon looks like an image a little to not raise suspicion?
  Favicons seem to be cached across private browsing sessions. Oh no
fitsumbelay 33 minutes ago
very cool and interesting after reading just the title I wrongly assumed this would be about svg
jibal 28 minutes ago
Surprised that a minimal "website" only requires a small image = few pixels = few bytes to store it? Um, ok.
shaharamir 39 minutes ago
Amazing!
anujshashimal98 1 hour ago
Great!