While steganography is nothing new, a researcher has taken this technique to the next level. As demonstrated, it is now possible for anyone to hide huge amounts of data in Twitter images that others can download.
Hiding Data In Twitter Images
Reportedly, researcher David Buchanan shared a technique for hiding large amounts of data, such as ZIP and MP3 files, inside Twitter images.
Disclosing the details in a tweet, he shared how he hid 3MB of data within a PNG image.
I found a way to stuff up to ~3MB of data inside a PNG file on twitter. This is even better than my previous JPEG ICC technique, since the inserted data is contiguous.
The source code is available in the ZIP/PNG file attached: pic.twitter.com/zEOl2zJYRC
— Dаvіd Вucһаnаn (@David3141593) March 17, 2021
The image he uploaded is itself a demonstration of the technique, as it includes the source code. To retrieve the source, a user only needs to download the PNG image and change the file extension to “.zip” when saving. The file can then be opened as an archive with any archive viewer, such as WinZip.
In another tweet, he shared a second image file with an audio file embedded in it. Retrieving the audio, however, requires downloading the image at its full resolution.
Download this one, rename to .mp3, and open in VLC for a surprise. (Note: make sure you download the full resolution version of the file, should be 2048x2048px) pic.twitter.com/x2J88xkBhd
— Dаvіd Вucһаnаn (@David3141593) March 17, 2021
The reason he boastfully shared this technique is that this type of steganography escapes Twitter's detection.
As for how it works, a Google engineer has explained that it involves adding data to the Image Data (IDAT) chunk of a PNG.
A PNG is made of [Length Type Value CRC] chunks.
A basic PNG contains the following chunk types:
IHDR (PLTE) IDAT IEND – in that order. Appended data to the IDAT chunk is preserved by Twitter – after the Zlib content. pic.twitter.com/7EJtw7ynyB
— ? Ąż 杏 (@angealbertini) March 17, 2021
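A defender-side check for the behaviour described in the tweet above, added here as an example (it is not the researcher's source code or anything Twitter runs): it walks the PNG chunks, inflates the concatenated IDAT data and returns whatever follows the end of the zlib stream. The function names and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def iter_chunks(png):
    """Yield (type, data) for each [Length Type Value CRC] chunk, checking the CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:end - 4]
        if struct.unpack(">I", png[end - 4:end])[0] != zlib.crc32(ctype + data):
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, data
        pos = end
        if ctype == b"IEND":
            break

def idat_trailing_data(png):
    """Return the bytes that follow the end of the zlib stream inside IDAT."""
    idat = b"".join(data for ctype, data in iter_chunks(png) if ctype == b"IDAT")
    inflater = zlib.decompressobj()
    inflater.decompress(idat)
    if not inflater.eof:
        raise ValueError("IDAT zlib stream is incomplete")
    return inflater.unused_data

def make_chunk(ctype, data):
    """Serialize one chunk (used only to build the constructed samples)."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png(extra=b""):
    """Constructed 1x1 greyscale PNG; `extra` is placed after the zlib stream."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    pixels = zlib.compress(b"\x00\x00")  # filter-type byte + one grey pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", pixels + extra) + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    samples = {"clean": build_sample_png(),
               "stuffed": build_sample_png(b"constructed trailing bytes")}
    for name, png in samples.items():
        print(name, len(idat_trailing_data(png)), "byte(s) after the zlib stream")
```

A non-empty result means the IDAT data carries bytes the image decoder never reads, which is worth flagging or stripping when re-encoding uploads.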
No Fix For Now
While the technique looks harmless, it actually holds great potential for abuse.
Given the frequency of image sharing on Twitter, a threat actor can easily exploit this technique to start a massive malware campaign, particularly since the exact source code for the technique is available and Twitter cannot sanitize these images at present.
Also, according to Bleeping Computer, the researcher didn’t formally disclose the bug to Twitter. As per his statement,
I reported my original JPEG-based trick to Twitter’s bug bounty program, but they said it wasn’t a security bug, so I didn’t bother reporting this one to them.
Regarding the potential abuse of this technique, he commented,
I don’t think this technique is particularly useful for attackers, because more traditional image steganography techniques are easier to implement (and even more stealthy).
But maybe it could be used as part of a C2 system, for distributing malicious files to infected hosts.
Let’s see if Twitter addresses this matter soon.