fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

This Image Looks Very Different on Apple Devices — See for Yourself

This Image Looks Very Different on Apple Devices — See for Yourself

Take a good look at the image below and the device you are on.

Now view it again on an Apple device. Conversely, if you are using an Apple device, view this page on an Android or Windows device.

‘Think different,’ see different

If you are using an Apple device and viewing this page on Safari, chances are the image appears quite differently from what you’d see on, for example, Chrome or an imaging app on Windows.

Reverse engineer and cryptographer David Buchanan might have left us all puzzled with his latest creation:

Also Read: PDPA Breach Penalty Singapore: How Can Businesses Prevent

The mysterious image
The mysterious image that appears different in Apple vs. non-Apple applications

The PNG above reads ‘HELLO WORLD’ for most users—except those who see ‘HELLO APPLE,’ that is, in Apple-made software.

But, believe us, it is the same image a.png, interpreted differently by Apple and non-Apple applications.

In tests by BleepingComputer, on macOS Big Sur 11.6, the latest version of Chrome web browser (96.0.4664.110 (x86_64)) rendered the text in the image as ‘HELLO WORLD’. But, viewing this page on Safari, or the image alone in Mac’s ‘Preview’ app shows ‘HELLO APPLE.’

Image appears differently in Safari and Chrome on macOS
Image appears differently in Safari and Chrome on macOS (BleepingComputer)

In another test by BleepingComputer on an iPhone, however, both Chrome web browser for iOS and Safari showed ‘HELLO APPLE,’ not ‘HELLO WORLD.’

Here’s one more to leave you startled a tad further—do you see an IBM or a Mac below? Once again, view this page with an Apple and non-Apple device:

IBM or Mac?
Do you see an IBM or Mac? (Buchanan)

Why does this happen?

On his website, Buchanan concisely explains the reason and the concept of ‘parallel-decodable PNGs’ that cause ambiguity among software applications.

Also Read: Data Protection Authority GDPR: Everything You Need To Know

Depending on an image renderer’s implementation, the same PNG may be interpreted quite differently.

“I found this while writing my own multi-threaded PNG decoder. While pondering my design, I realised that I had an exploitable implementation bug,” writes the engineer.

“After learning that Apple has their own implementation of parallel-decodable PNGs, I realised that they’d made exactly the same mistake!”

Buchanan discovered that it was possible to craft a PNG file where:decompress(a + b) != decompress(a) + decompress(b)

“This could happen if a ends midway through a non-compressed block. It is therefore possible for an image to have two possible interpretations, depending on whether a parallel or non-parallel decoder decodes it,” further explains Buchanan.

“This can be mitigated by the decoder, by checking that there is no unprocessed data in each piece of the zlib stream. My implementation does not currently do this!”

To demonstrate the peak of possibilities that could be achieved with this ‘mistake,’ Buchanan shared proof-of-concept (PoC) code:

PoC code
PoC code demonstrating how can the same PNG be interpreted differently (BleepingComputer)

The 84-line PoC demonstrates how some image rendering libraries can be tricked into showing the alternate version of an image—the one with the ‘SECRET MESSAGE.’

In fact, the reverse engineer has released a handy tool called ‘Ambiguous PNG Packer‘ on GitHub that lets just about anyone create PNG images that look completely different in Apple software.

In March this year, Buchanan had also demonstrated how Twitter images could be abused to hide 3-MB-large ZIP and MP3 files within.

Now had the end result of this parallel-decoding business been merely an erroneous or corrupted image that wouldn’t render correctly, it would be easier to classify this as a ‘bug.’

But, we wonder, could this become a security risk in some contexts or an attack vector for malicious actors to abuse? The same file seen differently by two entities is bound to cause trouble.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us