What’s so dangerous about looking at a picture file in your web browser?
In the past, nothing. You loaded the image. It displayed on your screen. You closed it, or went to a different page. There was nothing that the picture file itself could do to harm you or your computer.
But now — thanks to the new “Stegosploit” hacking technique presented at the Amsterdam hacking conference Hack In The Box — images files could be set to become a lot more dangerous.
The hacker behind Stegosploit is Saumil Shah, a security researcher from India.
“I can take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate,” Shah told the conference in May.
It sounds like a serious threat to your online security. And as the technology improves, it could be exactly that.
A Hack Based On Ancient Methods
So what does Shah mean when he says he can “detonate” an image in your browser? What exactly could the Stegosploit do your computer?
To understand, we need to take a closer look at Stegosploit and how it works. The name Stegosploit comes from “steganography,” which is the ancient science of hiding coded information inside other data that looks safe.
An image is the perfect place to hide malicious code — because everyone on the Internet assumes picture files are safe to open.
Shah explains: “Stegosploit lets you deliver existing browser exploits using pictures. The exploit is hidden in plain sight, and you can’t stop what you can’t see.”
The method uses “simple steganography techniques” to encode exploit code into the RGB values inside a picture. A standard HTML 5 method called Canvas, which is supported by all major browsers, is then used to handle the malicious picture file as a piece of JavaScript.
The hidden JavaScript-based exploits can then run in your browser, potentially downloading malware or transmitting your data. You wouldn’t know a thing. All you did was look at a picture!
Stegosploit Attacks In The Wild
Is Stegosploit a threat to your online safety right now? Should you be more careful about which pictures you look at, in case the file is hiding malicious JavaScript?
For the time being, there isn’t too much to worry about.
Stegosploit hacks require you to open picture files that are missing their file extensions, i.e. the file needs to named ‘picture’ instead of ‘picture.jpg.’ Most trusted sites, such as Facebook and Dropbox, don’t let users upload files without extensions.
Many sites also re-process uploaded picture files, which will usually remove Stegosploit code from the image. Phew!
Just The Beginning
But while Stegosploit isn’t a major threat in its current form, it likely represents the start of a new form of hacking with pictures.
“These techniques are coming, sooner or later,” says Shah. “I’m the only one talking about it on stage but I’m sure there are other people that have figured this out.”
Consider yourself warned.
Do you feel an overwhelming responsibility to warn your friends about Stegosploit? Share this story with them!
ExpressVPN’s #WTFWednesday brings you weird, shocking, and creepy stories about data privacy—pulled straight from the news. Think your privacy is yours? Think again. You will feel uncomfortable. You will be outraged. You will think, “WTF?!”
Like this post? Hate it? Read more horror stories about the invasion of your privacy in our #WTFWednesday archive.
