
The importance of favicons in website OSINT research

achillean

We released a tool to calculate the favicon hash called "favscan": https://blog.shodan.io/deep-dive-http-favicon/

And here's a map of favicons that Shodan has seen across the Internet: https://faviconmap.shodan.io/

lexicality

I opened the map and immediately saw the (not very big) erect penis in the top right. The curse of having a dirty mind...

jakub_g

Reminds me of Google Safe Browsing capturing color profiles of websites and matching against known phishing websites:

https://blog.chromium.org/2021/07/m92-faster-and-more-effici...

1970-01-01

Not just websites, but anything hosting a favicon. I've used runZero to find vulnerable internal assets that companies swore were no longer an issue.

grajaganDev

Yes, Shodan searches for favicon hashes are a great way to find forgotten and vulnerable assets.

seethishat

This is a pretty neat idea. I like it. However, the inaccuracy of IP geolocation services causes some Amazon AWS IPv6 addresses to appear to be located outside the US when they are not.

I continue to believe that half (or more) of all security reports/warnings are false positives due to inaccuracies such as this.


LordDragonfang

I'm coming to the realization that I don't really understand what OSINT is or is not. ("Open Source Intelligence", obviously, but beyond that)

The first time I encountered it was in the context of civilians collecting actionable military intel in the Russia-Ukraine conflict by trolling social media. But now I see people talking about it like it's a career, and see what I would have standard IT security posted under it.

Do people just use it to refer to any sort of civilian information gathering these days? Has IT security just rebranded as OSINT?

nine_k

I'd say it's collecting intelligence-worthy data from publicly available sources. That is, connecting the dots that everyone could connect, were they able to notice them. It does not involve anything but sifting peacefully through public sources.

This is opposed to acquiring data by other means, like breaking into protected systems, stealing classified materials, planting moles, extortion and blackmailing, etc.

soheil

Why would anyone think favicons are worth writing a pseudo-security article about?

1970-01-01

It's not the icon, it's the hash value. If it doesn't match a known hash, you have an imposter. Full stop.

gs17

The "practical example" in the article is the exact opposite of that, it searches for the hash of a known favicon and filters to sites that shouldn't match it but do. It would require a particularly incompetent attacker (or a very contrived case) to not match the favicon of a public website.

praash

No - the point is to quickly detect random websites that simply duplicate known favicons! Matching hashes can only occur in these cases:

- the site is a careless impostor

- the site is the real deal

- a hash collision

1970-01-01

We agree here. The point is to detect imposters via favicon. Case 1 is easy, simple, and a legitimate concern. Case 2 is the inverse of case 1. A host is misconfigured or something. Much harder to detect, but no more important. Case 3 should not exist.

likeabatterycar

If that was true, we could finally abandon PKI and just use favicons...

1970-01-01

Marry the favicon sha256 hash with a list of hostnames and put the values into a trusted database.
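The trusted-database check sketched in this sub-thread (cases 1 to 3 above, keyed on the favicon hash plus a list of hostnames), as an added example that is not part of any comment here. It computes the hash the way the linked Shodan post describes (MurmurHash3 x86_32 over the base64 text including its 76-column line breaks, which is what Shodan's `http.favicon.hash` filter matches on) rather than sha256; the icon bytes, hostnames and the `classify` function are constructed for illustration.

```python
import base64
import struct

MASK = 0xffffffff

def _mix_k(k):
    """Per-block scramble shared by the body and the tail of MurmurHash3 x86_32."""
    k = (k * 0xcc9e2d51) & MASK
    k = ((k << 15) | (k >> 17)) & MASK
    return (k * 0x1b873593) & MASK

def murmur3_32(data, seed=0):
    """MurmurHash3 x86_32 as a signed 32-bit int, i.e. what mmh3.hash() returns."""
    h = seed & MASK
    nblocks = len(data) // 4
    for i in range(0, nblocks * 4, 4):
        h ^= _mix_k(struct.unpack_from("<I", data, i)[0])
        h = ((h << 13) | (h >> 19)) & MASK
        h = (h * 5 + 0xe6546b64) & MASK
    tail = data[nblocks * 4:]
    if tail:  # 1-3 leftover bytes, little-endian, mixed without the body rotate
        h ^= _mix_k(int.from_bytes(tail, "little"))
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85ebca6b) & MASK
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon):
    """Shodan favicon hash: murmur3 over the base64 text *with* 76-column line breaks."""
    return murmur3_32(base64.encodebytes(icon))

TRUSTED_FAVICONS = {  # constructed sample icons, not real favicons of any site
    "bank.example": b"\x00\x00\x01\x00" + bytes(range(64)),
    "shop.example": b"\x00\x00\x01\x00" + bytes(range(64, 128)),
}
TRUSTED_DB = {}  # favicon hash -> hostnames allowed to serve that icon
for _host, _icon in TRUSTED_FAVICONS.items():
    TRUSTED_DB.setdefault(favicon_hash(_icon), set()).add(_host)

def classify(hostname, icon):
    """Map an observed (hostname, favicon) pair onto the thread's three cases."""
    owners = TRUSTED_DB.get(favicon_hash(icon))
    if owners is None:
        return "unknown"     # hash not in the database: the favicon alone says nothing
    if hostname in owners:
        return "legitimate"  # the real site serving its own icon
    return "impostor"        # known icon on a host that should not serve it (or a 32-bit collision)
```

Because the hash is only 32 bits, an "impostor" verdict is a lead to confirm by comparing the icon bytes and the rest of the site, not proof on its own.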

kevin_thibedeau

This is mostly showing IoT devices that are exposed to the internet.

maxmorlocke

We review the web presence of a business as our core product offering for payment processors, etc. as they look to onboard ecomm merchants. This (and techniques like it) makes a great way to find scummy actors and have a provable piece of evidence as opposed to a 'yea, this looks off' or 'this doesn't fit the profile of what an established business looks like'. We leverage a lot of subtle signals like this.

nunobrito

Quite a mediocre article. Suspicious that it got upvoted, but the person posting it doesn't seem to have done so with malicious intent.

So, just a waste of time for anyone hoping to see an exploit based on favicons.

grajaganDev

OSINT is not about exploits.

Favicons are very useful for spotting phishing sites and finding forgotten servers.