Security Researcher Hides ZIP & MP3 Files in Twitter PNG Files!

A security researcher has discovered a new steganography method for hiding data inside a Portable Network Graphics (.PNG) image file posted on Twitter, a tactic that could be exploited by threat actors to hide malicious activity.

The newly discovered steganography method could be used by threat actors to conceal malicious content inside images hosted on the social-media platform.

Researcher David Buchanan disclosed his discovery on Twitter earlier this week, accompanied by a photo declaring: “Save this image & change the extension to .zip!”

Source Code

He made the source code for his method available in a ZIP/PNG file attached to the image as well as on a post on GitHub that explains his methodology.

Specifically, Buchanan demonstrated how he could hide both MP3 audio files & ZIP archives within the PNG images hosted on Twitter.

He explained that the technique works because, while Twitter strips unnecessary data from PNG uploads, it does not remove trailing data appended after the DEFLATE stream inside the IDAT chunk, provided the image file as a whole meets the conditions that let it avoid being re-encoded.
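The following script is an added example written for this article and is not Buchanan's code or Twitter's pipeline. It shows, from the defender's side, how the condition described above can be checked: it walks the PNG chunk structure, verifies each chunk's CRC, inflates the concatenated IDAT data with a zlib decompressor and reports how many bytes sit after the end of the DEFLATE stream, which is exactly where a re-encoder would discard them. The two-pixel image, the `build_png` helper and the `CONSTRUCTED-HIDDEN-PAYLOAD` trailer are constructed sample data, not files from the original research.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Channels per pixel for each PNG colour type (greyscale, RGB, palette, grey+alpha, RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype, payload):
    """Serialize one PNG chunk: 4-byte length, type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(width, height, pixels, idat_trailer=b""):
    """Build a minimal 8-bit RGB PNG by hand (constructed sample, no image library).

    `pixels` holds width*height*3 bytes. `idat_trailer` is appended after the
    zlib stream inside IDAT to mimic the trailing data the article describes;
    a clean image has an empty trailer.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row_len = width * 3
    # Each scanline is prefixed with filter type 0 (None)
    raw = b"".join(b"\x00" + pixels[r * row_len:(r + 1) * row_len] for r in range(height))
    idat = zlib.compress(raw, 9) + idat_trailer
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def parse_chunks(data):
    """Return ([(type, body, crc_ok), ...], offset just past IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, body, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def analyze_png(data):
    """Report structural facts a scanner would care about for a PNG byte string."""
    chunks, end = parse_chunks(data)
    ihdr = chunks[0][1]  # IHDR must be the first chunk in a well-formed PNG
    width, height, depth, colour_type = struct.unpack(">IIBB", ihdr[:10])
    # Expected size of the filtered pixel data: one filter byte per row plus packed samples
    bytes_per_row = 1 + (width * CHANNELS[colour_type] * depth + 7) // 8
    expected_raw = bytes_per_row * height

    idat = b"".join(body for ctype, body, _ in chunks if ctype == b"IDAT")
    d = zlib.decompressobj()
    raw = d.decompress(idat) + d.flush()
    return {
        "chunk_types": [ctype.decode("ascii") for ctype, _, _ in chunks],
        "bad_crc_chunks": [ctype.decode("ascii") for ctype, _, ok in chunks if not ok],
        "stream_complete": d.eof,                     # zlib end-of-stream was reached
        "pixel_bytes_ok": len(raw) == expected_raw,   # image decodes to the declared size
        "idat_trailing_bytes": len(d.unused_data),    # bytes after the DEFLATE stream inside IDAT
        "after_iend_bytes": len(data) - end,          # bytes appended after the IEND chunk
    }


if __name__ == "__main__":
    sample_pixels = bytes(range(12))  # 2x2 RGB, constructed
    for label, trailer in (("clean", b""), ("with trailer", b"CONSTRUCTED-HIDDEN-PAYLOAD")):
        print(label, analyze_png(build_png(2, 2, sample_pixels, idat_trailer=trailer)))
```

A non-zero `idat_trailing_bytes` with `stream_complete` and `pixel_bytes_ok` both true is the signature of this technique: the image renders normally, the chunk CRCs are valid, yet the IDAT chunk carries data that no decoder needs. The mitigation is the one Twitter already applies when its conditions are not met: decode the pixels and re-encode the image, which rebuilds the IDAT chunk from scratch and drops anything past the end of the stream.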

Malicious Files

Buchanan’s discovery is important because threat actors have found digital steganography (the art of hiding information inside media) a useful technique, especially for hiding malicious files or concealing activity such as communication with command-and-control servers. If his method works as described, it gives attackers another way to hide data in images hosted on a widely used social-media platform.

The finding also follows a discovery by researchers at website security firm Sucuri that Magecart attackers had begun hiding stolen credit-card data inside .JPG files on websites they had injected with malicious code.

Requirements

There are some requirements for both the images used to obscure files & the files being hidden inside them for his method to work, Buchanan explained.

“The cover image must compress well, such that the compressed file size is less than (width * height) – size_of_embedded_file,” he wrote in his post. “If the cover image does not have a palette, then it must have at least 257 unique colours (otherwise Twitter will optimise it to use a palette).”

Images can have a resolution of up to 4096 x 4096, although Twitter will by default serve a downscaled version of images larger than 680 x 680, depending on certain factors, Buchanan wrote. The image also should not contain any unnecessary “metadata chunks,” he added.

Embedded Files

For embedded files, the total output file size must be less than potentially 5MB, but should be kept under 3MB to be on the safe side; otherwise Twitter will convert the PNG to a JPEG file, Buchanan explained.

Moreover, if the embedded file is a ZIP, the offsets are automatically adjusted so that the overall file is still a valid ZIP archive, he noted.

“For any other file formats, you’re on your own,” Buchanan added, noting that many will work without special parameters, including PDF and MP3 files.

Proof of Concept

Bleeping Computer downloaded the files, followed Buchanan’s instructions to confirm what they did, and reported the results.

The original 6KB image Buchanan tweeted with the announcement of his finding, once saved and renamed with a .zip extension, contained a complete ZIP archive with his source code, which anyone can use to pack arbitrary contents into a PNG image, according to the report.

Buchanan also posted another image to Twitter that he asked people to download, rename to .mp3 and open in VLC “for a surprise,” according to Bleeping Computer.

“Never Gonna Give You Up” 

When opened in VLC after being renamed to .mp3 as Buchanan described, the image file plays the song “Never Gonna Give You Up” by Rick Astley, the report states.

Buchanan posted yet another file to prove his point: an image of the Bard, William Shakespeare, which, he noted, is a valid ZIP archive containing a multipart RAR archive with the complete works of Shakespeare inside.

The researcher said he tried to report the issue to Twitter’s bug bounty program but was told that it is not actually a bug. “Fair enough, but that just means we can have some fun with it,” Buchanan tweeted.
