Vulnerability Focus: Hacking with Pictures

Created On 09/26/18 13:44 PM - Last Modified 07/19/22 23:08 PM


Resolution



The internet is full of photos. It houses many types of photos, but mostly all cat pictures, right?

In the past, a photo could be harmful mainly when its file extension was not displayed, so that a user opened what looked like a harmless photo but was actually an executable file.

 

That has all changed. The ability to encode data inside a picture opens the door to a whole new way to be attacked. This technique, recently discovered by Saumil Shah of India, is one he calls "Stegosploit".

The malicious code or exploit is encoded inside the image's pixels and is then decoded using an HTML5 Canvas element, which allows for dynamic, scriptable rendering of images.

 

This new technique uses steganography to let hackers hide code inside any photo, which is a frightening thought. It means that any "innocent" looking photo could be hiding a dark secret. Shah did admit that this method might not work everywhere.

 

See the link below to view this article in more detail:

How to Hack a Computer Using Just An Image

 

To research further, Endgame.com also has an article that details this subject matter:

https://www.endgame.com/blog/stop-saying-stegosploit-exploit

 

The Endgame.com article above describes the technique Shah used as a "polyglot" and argues that it is not as harmful as initially thought. It is an example of an obfuscation technique that can be used to hide information within images. There is not much to worry about as long as you are patched and have updated antivirus.
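One way an upload filter or mail gateway could look for the polyglot pattern mentioned above, added here as an example and not taken from either linked article or from any product: it walks the non-pixel regions of a JPEG or PNG and reports those that contain HTML markup. It assumes "polyglot" means a file that parses as both an image and HTML; the token list, function names and sample files are constructed for illustration.

```python
import re
import struct
import zlib

# Markup a browser's HTML parser would act on (constructed list, not exhaustive).
MARKUP = re.compile(rb"<\s*(?:html|body|script|canvas|img|svg)\b|<!--", re.I)

def jpeg_regions(data):  # yields (label, bytes) for APPn/COM segments and post-EOI data
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, length = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: stop walking
            break
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            yield f"JPEG segment 0xFF{marker:02X}", data[pos + 4:pos + 2 + length]
        pos += 2 + length
    eoi = data.rfind(b"\xff\xd9")
    if eoi != -1 and eoi + 2 < len(data):
        yield "data after JPEG EOI", data[eoi + 2:]

def png_regions(data):  # yields (label, bytes) for text chunks and post-IEND data
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype in (b"tEXt", b"iTXt"):
            yield f"PNG chunk {ctype.decode()}", data[pos + 8:pos + 8 + length]
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND":
            if pos < len(data):
                yield "data after PNG IEND", data[pos:]
            break

def scan_image(data):
    """Return the non-pixel regions of the file that contain HTML markup."""
    if data[:2] == b"\xff\xd8":
        regions = jpeg_regions(data)
    elif data[:8] == b"\x89PNG\r\n\x1a\n":
        regions = png_regions(data)
    else:
        return ["unrecognised format"]
    return [label for label, body in regions if MARKUP.search(body)]

def _chunk(ctype, body):  # builds one PNG chunk for the constructed samples below
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample files: PNG structure only, no real pixel data.
HEAD = b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
CLEAN_PNG = HEAD + _chunk(b"IEND", b"")
TAGGED_PNG = HEAD + _chunk(b"tEXt", b"Comment\x00<html><script></script>") + _chunk(b"IEND", b"")
```

A hit is a reason to quarantine or re-encode the file, not proof of an exploit, and this check does not look inside the pixel data itself.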

 

As always, I welcome any comments or feedback below.

 

Thanks for reading,

Joe Delio


