



Tiny Twitter Thumbnail Tweaked To Transport Different File Types (theregister.co.uk) 45
Security researcher David Buchanan has found that Twitter image uploads can be polyglot files, meaning they can be valid simultaneously in multiple formats, such as a .jpg, a .rar archive and a .zip archive. From a report: Using some Python code he wrote, he created a thumbnail image of William Shakespeare overlaid with the words, "Unzip Me" and posted it to Twitter. The .jpg image is also a valid .zip file, so if you download it, you can unzip it and extract the contents, a multipart .rar archive of the text of Shakespeare's plays. [...] Twitter performs some processing on uploaded images, which has the potential to mess with the data. But Buchanan found that his multi-format file survived this process. It may be that the image itself (excluding the rather bulky metadata) is light enough not to trigger any compression or post-upload processing.
Who? (Score:2, Offtopic)
Re: (Score:3)
OPEN ME IN WINAMP
Re: (Score:2)
No, cat is not good enough. This is a more thorough embedding that survives some post processing that a simple concatenation will not.
Twitter preserves image data fairly well (Score:5, Interesting)
A while back I tried posting an image with a hidden steganographic message in it to Twitter and to my surprise the hidden message was preserved and not lost due to recompression. Also, the recent Banksy-style shredded image [twitter.com] I posted to climagic that was basically a corrupted jpg file was preserved pretty well. In other words the corrupted part looks identical to what I see with the original on my own computer. However posting it to Mastodon.social resulted in a reprocessed image with compression artifacts [mastodon.social].
Re: (Score:2)
Do you want to get on a list? That's how you get on a list.
Re: (Score:2)
As an IT Pro... (Score:1)
Re: (Score:1)
Are you saying ...
Social Media IS malware? =P
Re:As an IT Pro... (Score:5, Informative)
No, these are not merely renamed files, these are polyglot files - files that can be other files. But unlike say steganography, they aren't even hidden.
So this guy created a JPEG image that is a valid JPEG image. But inside it he stuffed in a ZIP file that can be extracted using any ZIP utility as-is.
The ability to combine two arbitrary files is relatively limited - ZIP is one of the few file formats that puts the important metadata at the end of the file (and most formats will ignore trailing junk if they encounter it) so you can use the ability of many file formats to create holes to put ZIP data into them (ZIP data is stored as offsets that need not be contiguous, so you can place ZIP data in holes created by the other format).
Re: (Score:2)
> The ability to combine two arbitrary files is relatively limited
I disagree. Any file format that has a "comment" field (or other optional meta data field) can potentially be abused this way. And most non-trivial file formats have something similar to a comment field.
The surprising thing is when sites that host these files -- whether Twitter, Imgur, etc -- don't re-process the images and drop the extra information.
Re: (Score:1)
> The surprising thing is when sites that host these files -- whether Twitter, Imgur, etc -- don't re-process the images and drop the extra information.
I'm sure they will soon start to. Remember a few years back when you could extract EXIF tags from images? You rarely can today.
Re: (Score:1)
Basically, ZIP is the offender here. The format is detected from the end of the file not the beginning.
Wanna bet? (Score:2)
0.01 BTC says Twitter uses the image resolution to determine if they mangle it. Which means you can likely embed a significant amount of data before it hits their max upload size.
Re: Wanna bet? (Score:2)
Well, my guess is you'll eventually hit another limit (in bytes uploaded) designed for the largest raster images, like those from 24 MPixel cameras.
Re: (Score:2)
The summary seems to be saying it is a zip of a rar of text.
I guess it is possible the polyglot method only works with storage zips and does not work with compression.
For whatever reason, I am inclined to believe the summary got it right as zips of rars, rars of rars, and zips of zips are fairly common to find in downloading files for whatever reason.
Obligatory reference (Score:1)
https://www.nbc.com/saturday-n... [nbc.com]
Re: (Score:2)
I think we can be fairly certain that MIME scanners will be designed to stop scanning as soon as possible in all cases. Meaning it will detect the format that uses data at the front. So at least in this case, it would show as a jpg file.
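An added example, not part of the thread or of Buchanan's code: an upload check that compares what a front-of-file sniffer sees with what a ZIP reader sees when it searches from the end of the file, the two behaviours described in the comments above. The function names and the sample file are assumptions made for illustration, and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"  # central-directory entry

def find_zip_directory(data):
    """Find a ZIP from the end of the file, as unzip tools do.
    Returns (entry_count, prefix_len) or None."""
    # The EOCD is 22 bytes plus an optional comment of up to 65535 bytes.
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if pos < 0 or pos + 22 > len(data):
        return None
    fields = struct.unpack("<4s4H2LH", data[pos:pos + 22])
    total, cd_size, cd_offset = fields[4], fields[5], fields[6]
    cd_start = pos - cd_size  # the directory normally sits right before the EOCD
    if cd_start < 0 or (total and data[cd_start:cd_start + 4] != CDIR_SIG):
        return None  # signature bytes present, but no directory behind them
    # prefix_len > 0 means other bytes precede the archive's first record
    return total, cd_start - cd_offset

def classify_upload(data):
    """Report the front magic and whether a ZIP directory is also present."""
    front = "jpeg" if data[:3] == b"\xff\xd8\xff" else "unknown"
    found = find_zip_directory(data)
    return {
        "front_magic": front,
        "zip_entries": found[0] if found else 0,
        "polyglot": front == "jpeg" and found is not None,
    }

def make_sample():
    """Constructed detector input: JPEG start marker, one comment segment
    holding a small archive, end marker. Not a renderable picture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("hamlet.txt", "To be, or not to be")
    payload = buf.getvalue()
    segment = b"\xff\xfe" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + segment + b"\xff\xd9"

if __name__ == "__main__":
    print(classify_upload(make_sample()))
```

A file flagged this way is a candidate for re-encoding or rejection on upload; the front magic alone reports it as a JPEG.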