Stegosploit – Computers hacked by viewing an image? Nope!

Steganography Cat

Stegosploit – Computers hacked by viewing an image? Nope!

A new attack recently was published with multiple new agencies saying that by using Stegosploit just an act of viewing an image in a browser can hack your system. When I first read this it seems scary because any site which hosted user generated images would be vulnerable to XSS attacks. (Hint: It isn’t)

A little background on the subject. What the author of the exploit Saumil Shah suggests on

[us_testimonial author=”Saumil Shah” company=”Net Square”]I don’t need to host a blog, I don’t need to host a website at all. I don’t even need to register a domain,” Shah told Motherboard during the demo last week. “I can take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate.[/us_testimonial]

Some definitions so that we are all on the same page.

What is Steganography?

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography combines the Greek words steganos (στεγανός), meaning “covered, concealed, or protected”, and graphein meaning “writing” – source

What is Obfuscation?

Obfuscation, in general, describes a practice that is used to intentionally make something more difficult to understand. In an programming context, it means to make code harder to understand or read. – Source

Now lets break down what the author is trying to say here.

  1. The user downloads/views an image like he would normally.
  2. The browser then executes the image as a JavaScript to run a known exploit.
  3. The browser run the decoder script found in the image and then runs it.

Points 1 and 3 are perfectly good and safe. But I almost leaned forward from my chair when I heard read point 2. Something was not right. I dug a little deeper and found the author’s main paper where he describes the attack in a little more detail.

Generally all images are inserted in an <img> tag in a HTML page. A JavaScript is inserted as a <script>.

On further examination the author is actually injecting his modified image in a script tag like

<script src=”cat.png”>

Boom! this is where it all goes south! If you already have access to the <script> tag then you can inject even a .js file or any other JavaScript. What this exploit does is obfuscation via steganography and nothing more.

All the articles you have read stating otherwise is sensationalism and blowing nothing but hot air.

Rest assured you can continue to view and search for pictures of cute cats.

Related Posts

No results found.

Have something to add?

Loading Facebook Comments ...
Loading Disqus Comments ...