Twitter images can hide up to 3 MB of data, such as ZIP or MP3



Researcher and programmer David Buchanan demonstrated that images modified with steganography can be uploaded to Twitter. That is, up to 3 MB of data can be placed inside the pictures. As it turns out, the social network does not clean up the images properly.

David Buchanan attached examples of such images to his posts, hiding in them a ZIP archive with the source code and an MP3 file (the 6 KB image below contains the full archive). Although these PNG files posted on Twitter look like ordinary pictures at first glance, simply downloading them and changing the extension is enough to get at the other content.

“Download the file, rename to .mp3 and open in VLC for a surprise. (Note: make sure you upload the full resolution version of the file, it should be 2048×2048 pixels),” says the expert.

The image hosted on Twitter (https://pbs.twimg.com/media/Ewo_O6zWUAAWizr?format=png&name=large) has a size of 2.5 MB and actually contains an MP3 file with the track Never Gonna Give You Up by Rick Astley.

The researcher has already published on GitHub the source code for creating such files: tweetable-polyglot-png.

“Twitter usually compresses images, but in some cases it doesn’t. Twitter also tries to remove all irrelevant metadata so that the polyglot files don’t work. But I discovered a new trick: you can append data to the end of the DEFLATE stream (the part of the file where the compressed pixel data is stored) and Twitter won’t delete it,” Buchanan explained.

The fact that Twitter does not always strip extraneous data from images opens up opportunities for attackers to abuse the platform. For example, a PNG file could carry content used to control malware, serving as a command-and-control (C&C) channel. On the other hand, blocking image traffic from Twitter and the pbs.twimg.com domain completely could disrupt legitimate operations.
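Rather than blocking pbs.twimg.com outright, a content filter can check for exactly the anomaly Buchanan describes. The following is an added example, not code from the article or from the tweetable-polyglot-png tool: it walks the PNG chunk structure, inflates the concatenated IDAT data and reports how many bytes sit after the zlib stream ends. A normal encoder leaves none, so a non-zero count is the signal to act on. The 1x1 fixture builder and the sample payload are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(idat: bytes) -> bytes:
    """Constructed test fixture: a 1x1, 8-bit grayscale PNG around an arbitrary IDAT body."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, color type, ...
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk up to IEND; raise ValueError on malformed input."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if len(data) != length:
            raise ValueError("truncated chunk")
        yield ctype, data
        pos += 12 + length  # length + type + data + CRC
        if ctype == b"IEND":
            break


def trailing_idat_bytes(png: bytes) -> int:
    """Return the number of bytes inside IDAT after the zlib stream ends (0 for a clean file)."""
    idat = b"".join(d for t, d in iter_chunks(png) if t == b"IDAT")
    dec = zlib.decompressobj()
    dec.decompress(idat)  # pixel data itself is not needed, only where the stream ends
    if not dec.eof:
        raise ValueError("IDAT zlib stream incomplete")
    return len(dec.unused_data)


if __name__ == "__main__":
    pixels = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one gray pixel
    print(trailing_idat_bytes(make_png(pixels)))
    print(trailing_idat_bytes(make_png(pixels + b"CONSTRUCTED-PAYLOAD")))
```

Real files from the service should also be checked with the image's actual dimensions, since the same parser works unchanged on any PNG whose IDAT chunks are well formed.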

The researcher says that he already tried to inform Twitter developers about a similar issue with JPEG files, but then he was told that this is not a security-related bug. Therefore, Buchanan decided not to notify the company about a similar problem with PNG files.
