When A Favicon Becomes The Entire Website

Putting hidden data in places where few expect it can be a fun hobby or even a professional career. In the case of [Tim Wehrle] it’s just the former. His most recent project in this area uses a favicon image for storing an HTML-based website and rendering its contents within the browser after the favicon has been downloaded.

To pull this off, a very basic HTML page was turned into a series of UTF-8 encoded bytes that were then declared to be a standard PNG image. The original 208 byte payload plus 4-byte PNG header only used part of a 9×9 pixel favicon. With a larger favicon image as typically used you could thus easily store more data, whether as visual noise like here or a bit more hidden.

Of course there’s a catch, and in this case it’s the TypeScript code to unpack the bytes from the “image” and render them; you have to load that separately. But still, in these days of all-singing, all-dancing websites that take forever to render, it’s refreshing to see what you can do with so few bytes that they fit in a favicon.

As for the purpose of such an approach, that’s left as an exercise for the reader, but you’re more than welcome to take a poke at the GitHub project and the demonstration site.
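The sketch below is an added example, not the project's own code: it shows why 208 + 4 bytes fit inside a 9×9 image and what a pixel unpacker of this kind looks like when you meet one in a code review. The byte layout (a 4-byte big-endian length followed by the UTF-8 payload, one byte per R, G and B channel, alpha left opaque) and all function names are assumptions.

```javascript
// Assumed layout, not the project's actual format:
// [4-byte big-endian length][UTF-8 payload], one byte per R, G, B channel.
// Alpha is fixed at 255 and carries no data; unused channels stay zero.
const CHANNELS = 3;

function capacityBytes(width, height) {
  return width * height * CHANNELS;
}

// Pack text into an RGBA buffer shaped like canvas ImageData.data.
function packIntoPixels(text, width, height) {
  const payload = new TextEncoder().encode(text);
  const framed = new Uint8Array(4 + payload.length);
  new DataView(framed.buffer).setUint32(0, payload.length); // big-endian
  framed.set(payload, 4);
  const capacity = capacityBytes(width, height);
  if (framed.length > capacity) {
    throw new RangeError(`need ${framed.length} bytes, image holds ${capacity}`);
  }
  const rgba = new Uint8ClampedArray(width * height * 4);
  for (let p = 0; p < width * height; p++) rgba[p * 4 + 3] = 255; // opaque
  framed.forEach((b, i) => {
    rgba[Math.floor(i / CHANNELS) * 4 + (i % CHANNELS)] = b;
  });
  return rgba;
}

// Recover the text from an RGBA buffer, validating the length header.
function unpackFromPixels(rgba) {
  const data = new Uint8Array((rgba.length / 4) * CHANNELS);
  for (let i = 0; i < data.length; i++) {
    data[i] = rgba[Math.floor(i / CHANNELS) * 4 + (i % CHANNELS)];
  }
  const length = new DataView(data.buffer).getUint32(0);
  if (length > data.length - 4) {
    throw new RangeError("length header exceeds image capacity");
  }
  // fatal: true rejects byte runs that are not valid UTF-8
  return new TextDecoder("utf-8", { fatal: true }).decode(data.subarray(4, 4 + length));
}

// Constructed sample page, not the page used by the project.
const SAMPLE_HTML = "<!doctype html><title>hi</title><p>Hello from a favicon</p>";
```

A 9×9 image gives 243 data bytes under this layout, so the 212 bytes described above leave 31 unused.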


This Week In Security: Psychic Paper, Spilled Salt, And Malicious Captchas

Apple recently patched a security problem, and fixed the Psychic Paper 0-day. This was a frankly slightly embarrassing flaw that [Siguza] discovered in how iOS processed XML data in an application’s code signature that allowed him access to any entitlement on the iOS system, including running outside a sandbox.

Entitlements on iOS are a set of permissions that an application can request. These entitlements range from the aforementioned com.apple.private.security.no-container to platform-application, which tells the system that this is an official Apple application. As one would expect, Apple controls entitlements with a firm grip, and only allows certain entitlements on apps hosted on their official store. Even developer-signed apps are extremely limited, with only two entitlements allowed.

This system works via an XML list document that is part of the signed application. XML is a relative of HTML, but with a stricter set of rules. What [Siguza] discovered is that iOS contains 4 different XML parsers, and they deal with malformed XML slightly differently. The kicker is that one of those parsers does the security check, while a different parser is used for the actual permission implementation. Is it possible that this mismatch could contain a vulnerability? Of course it is.