David Buchanan attached examples of such images to his posts, hiding in them a ZIP archive with the source code and an MP3 file (the 6 KB image below contains the full archive). Although these PNG files posted on Twitter look like ordinary pictures at first glance, simply downloading them and changing the file extension is enough to get at the other content.
I found a way to stuff up to ~3MB of data inside a PNG file on twitter. This is even better than my previous JPEG ICC technique, since the inserted data is contiguous.
The source code is available in the ZIP/PNG file attached: pic.twitter.com/zEOl2zJYRC
– David Buchanan (@David3141593) March 17, 2021
“Download the file, rename to .mp3 and open in VLC for a surprise. (Note: make sure you upload the full resolution version of the file, it should be 2048×2048 pixels),” the expert says.
The image hosted on Twitter (https://pbs.twimg.com/media/Ewo_O6zWUAAWizr?format=png&name=large) is 2.5 MB in size and actually contains an MP3 file with the track Never Gonna Give You Up by Rick Astley.
The researcher has already published the source code for creating such files on GitHub: tweetable-polyglot-png.
“Twitter usually compresses images, but in some cases it doesn’t. Twitter also tries to remove all irrelevant metadata so that the polyglot files don’t work. But I discovered a new trick: you can append data to the end of the DEFLATE stream (the part of the file where the compressed pixel data is stored) and Twitter won’t delete it,” Buchanan explained.
The fact that Twitter does not always strip extraneous data from images opens up opportunities for attackers to abuse the platform. For example, a PNG file could carry malicious code or data that makes it easier to control malware, serving command-and-control (C&C) needs. On the other hand, completely blocking image traffic from Twitter and the pbs.twimg.com domain could disrupt legitimate operations.
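As an added check that is not taken from the article or from Buchanan's tweetable-polyglot-png repository: the Python script below parses a PNG's chunks, decompresses the concatenated IDAT data, and reports any bytes left over after the DEFLATE stream ends, which is exactly where this technique stores its payload. The `build_png` fixture and all function names are my own, constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data):
    """Yield (type, payload) for each chunk of a PNG byte string, verifying CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length

def trailing_idat_bytes(data):
    """Return the bytes that follow the end of the DEFLATE stream inside the
    concatenated IDAT chunks (b"" for a clean image)."""
    idat = b"".join(p for t, p in png_chunks(data) if t == b"IDAT")
    d = zlib.decompressobj()
    d.decompress(idat)
    # zlib stops at the stream's end marker (after the Adler-32 trailer);
    # anything it did not consume is data smuggled after the pixel stream.
    return d.unused_data

# --- constructed test fixture (hypothetical, not an image from the article) ---
def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_png(extra=b""):
    """1x1 8-bit grayscale PNG; `extra` is placed after the DEFLATE stream in IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw = b"\x00\x00"  # filter byte + one gray pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw) + extra)
            + _chunk(b"IEND", b""))

if __name__ == "__main__":
    print(trailing_idat_bytes(build_png()))                    # b''
    print(trailing_idat_bytes(build_png(b"PK\x03\x04hidden")))  # b'PK\x03\x04hidden'
```

A non-empty result is a strong indicator that an image is a polyglot of this kind, since a normal encoder never emits data past the zlib trailer.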
The researcher says that he already tried to inform Twitter developers about a similar issue with JPEG files, but then he was told that this is not a security-related bug. Therefore, Buchanan decided not to notify the company about a similar problem with PNG files.