[PM-36584] Bidirectional C2 in icons.bitwarden.net#7668
Conversation
🤖 Bitwarden Claude Code ReviewOverall Assessment: APPROVE Reviewed the PNG/ICO metadata stripping added to Code Review DetailsNo new findings. All four prior review threads (fail-open → fail-closed on malformed PNG chunks, dead The |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7668 +/- ##
==========================================
+ Coverage 59.98% 60.09% +0.11%
==========================================
Files 2133 2132 -1
Lines 93731 93985 +254
Branches 8311 8355 +44
==========================================
+ Hits 56220 56479 +259
+ Misses 35531 35514 -17
- Partials 1980 1992 +12 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
|
RE: https://thecontractor.io/bitwarden-c2/ just an FYI this doesn't prevent the proxy from being used as a C2 channel. Attackers can still:
I recommend you follow the other recommendations provided in John Carroll's article as well as the technique used by 1password, which appears to have a large cached list of favicons that only get populated when multiple different users request favicon for the same domain. |



🎟️ Tracking
jira
📔 Objective
strip PNG metadata chunks
In IconLink.cs, FetchAsync just returns the raw bytes. Before we hand them back, we should walk the PNG chunk list and only keep the ones we actually need for rendering:
Keep: IHDR, PLTE, IDAT, IEND, tRNS, sRGB, gAMA, cHRM
Drop everything else. That kills tEXt/iTXt/zTXt and anything else an attacker might try. PNG chunk structure is simple (4-byte length, 4-byte type, data, CRC). Apply the same logic to PNG frames embedded inside ICO files.
Also drop SVG support from the proxy