Friday, October 14, 2011

PSA: Disable Blogspot Favicons (PVD re-declared safe)

Check the "icon" box now to add a security vulnerability to your blog, so that your readers can be hit with malware any time any site that you have linked to gets hacked.  Or do not do this.  Blogger opts not to advise you one way or the other.

If you host your blog on Blogger/blogspot and use the default blogroll widget, I strongly advise you to disable the "favicon" display (pictured above).  Users of other platforms are similarly advised to make sure your sites are not displaying blogroll icons.

Yesterday, the popular LOTRO podcast/news site Casual Stroll to Mordor was hacked and redirected to some sort of Russian malware site - see Google safebrowsing for more details. This attack pushed out a malware-tainted "favicon" - that's the little icon you see next to the links in many blogrolls, including the one that runs by default on Blogger/Blogspot - hosted on their site.  As a result, people who visited at least five Blogspot blogs, including Player Versus Developer, may have been exposed to malware.

According to CSTM's backup blog (ironically on Blogspot), the attack was discovered around 9 PM Eastern Wednesday (12 Oct), and they redirected their RSS feed sometime between then and the post (8:30 AM Eastern Thursday, 13 Oct).  Out of an abundance of caution, I'd advise that anyone who visited PVD (via the site, RSS readers should not have been affected) or any other site that links to CSTM between 6 PM 12 Oct and 6 PM 13 Oct (when I learned of the attack and disabled favicons from my blogroll widgets) to scan their computers for malware.  Those of you who also read/visited CSTM during that window are at a correspondingly higher risk. 

I'm not thrilled that this occurred, and I would not have clicked the "show blog icon" button (I think I opted in, though I don't even remember) if I had considered the implications of displaying a remotely hosted image on my blog.  I would strongly advise all of you who use Blogger to go into your blogroll settings panel and DISABLE icons.

The Google Blacklist
The other "fun" part of this is that Google flagged PVD and at least four other blogs as containing malware due to the tainted icons.  Web browsers that check Google's known malware API therefore displayed a warning to attempt to stop users from visiting the affected sites.    On one level, this is a well-intentioned service that Google provides.  On the other hand, I'm somewhat shocked at the power they wield. 

Getting the "suspicious" tag removed required that I register for Google Webmaster tools - never mind that this blog is hosted on a Google-owned site using my Google account - to manually request a review.  Hours after CSTM had been declared no longer suspicious (and after I had removed favicons), PVD remained on the Google blacklist (it was finally declared clean sometime after midnight, at least six hours after I requested the review), even though Google's own diagnostic indicated that the attack originated from CSTM's compromised server.

Maybe they would have automatically re-scanned the sites and declared them clean eventually, but it strikes me as odd that they can blacklist sites without any notice to the site owner.  I could see people who actually make money off their sites being seriously hurt by something like this. 

That said, I suppose a day of effective downtime is a small price to pay for the lesson not to display remotely hosted icons.  


Klepsacovic said...

I turned off icons in my blogroll after I saw your tweet.

Magson said...

Thanks for the info. I've now disabled the icons on my blogspot blog as well.

Straw Fellow said...

Seconded on the removing icons. This is pretty worrisome, that a tiny little image can do that.

Helistar said...

Turned off the icons as well.

I guess we have to thank the whole "active" HTML crap together with Microsoft for this?