While steganography is nothing new, a researcher has taken this technique to the next level. As demonstrated, it is now possible for anyone to hide huge amounts of data in Twitter images that others can download.
Hiding Data In Twitter Images
Reportedly, the researcher David Buchanan shared a technique for hiding large amounts of data, such as .zip and MP3 files, in Twitter images.
Disclosing the details in a tweet, he shared how he hid 3MB of data within a PNG image.
The image he uploaded is itself a demonstration of the technique, as it includes the source code. To get the source, all a user has to do is download the PNG image and change the file extension to “.zip” while saving. This immediately turns the file into an archive that can be opened with any archive viewer like WinZip.
In another tweet, he shared another image file that enclosed an audio file. Retrieving the audio, however, comes with a limitation: the image has to be downloaded in its full resolution.
The reason why he boastfully shared this technique is that this type of steganography escapes Twitter’s detection.
Regarding how this works, a Google engineer has explained that it involves adding data to the Image Data chunk of the PNG file.
No Fix For Now
While the technique looks harmless, it actually holds great potential for abuse.
Given the frequency of image sharing on Twitter, a threat actor can easily exploit this technique to start a massive malware campaign. This is particularly so because the exact source for executing the technique is available and Twitter cannot sanitize these images at present.
Also, according to Bleeping Computer, the researcher didn’t formally disclose the bug to Twitter. As per his statement,
“I reported my original JPEG-based trick to Twitter’s bug bounty program, but they said it wasn’t a security bug, so I didn’t bother reporting this one to them.”
Regarding the potential abuse of this technique, he commented,
“I don’t think this technique is particularly useful for attackers, because more traditional image steganography techniques are easier to implement (and even more stealthy).
But maybe it could be used as part of a C2 system, for distributing malicious files to infected hosts.”
Let’s see if Twitter addresses this matter soon.