
Twitter Images Can Be Abused To Hide ZIP, MP3 Files — Here’s How

Yesterday, a researcher disclosed a method of hiding up to three MB of data inside a Twitter image.

In his demonstration, the researcher showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter.

Although the art of hiding non-image data in images (steganography) isn’t novel, the fact that the images can be hosted on a popular website like Twitter and are not sanitized opens up a possibility for their abuse by malicious actors.

An image that sings…

Yesterday, researcher and programmer David Buchanan attached example images to his tweets that had data such as entire ZIP archives and MP3 files hidden within. 

Although the attached PNG files hosted on Twitter represent valid images when previewed, merely downloading and changing their file extension was enough to obtain different content from the same file.

[Image: An example image file posted by Buchanan to Twitter contains a ZIP archive within. Source: Twitter]

As observed by BleepingComputer, the 6 KB image tweeted by the researcher contains an entire ZIP archive.

The ZIP contains Buchanan’s source code that anyone can use to pack miscellaneous contents into a PNG image.

[Image: The PNG image tweeted by Buchanan has the structure of a valid ZIP file. Source: BleepingComputer]

For those who prefer the slightly-less hands-on approach, the researcher has also provided source code for generating what he calls tweetable-polyglot-png files on GitHub.

In another example uploaded to Twitter, Buchanan tweeted an image that could sing.

“Download this one, rename to .mp3, and open in VLC for a surprise. (Note: make sure you download the full resolution version of the file, should be 2048x2048px),” said the researcher. 

As tested by BleepingComputer, the picture located at the Twitter image server below is approximately 2.5 MB in size and can be saved with a “.mp3” extension.

https://pbs.twimg.com/media/Ewo_O6zWUAAWizr?format=png&name=large

Once opened, the image file, now turned MP3, would start playing the song Never Gonna Give You Up by Rick Astley.

“Twitter does compress images, most of the time, but there are some scenarios where they don’t.”

“Twitter also attempts to strip any non-essential metadata, so any existing ‘polyglot file’ techniques wouldn’t work.”

“The new trick which I discovered, is that you can append data to the end of the ‘DEFLATE‘ stream (the part of the file that stores the compressed pixel data), and Twitter will not strip it,” Buchanan told BleepingComputer in an email interview.
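The trick Buchanan describes leaves a fingerprint a defender can check for: a PNG decoder stops reading the IDAT payload once the zlib stream signals its end, so anything after that point is invisible to viewers but still present in the file. The following Python is an added example, not Buchanan's code or Twitter's. It constructs a minimal PNG, optionally appends constructed bytes after the zlib stream inside IDAT, and then measures how many leftover bytes a decoder would silently ignore.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, trailer: bytes = b"") -> bytes:
    """Constructed sample: an 8-bit greyscale image whose single IDAT chunk holds a
    complete zlib stream, optionally followed by `trailer` bytes a decoder never reads."""
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter type 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # 8-bit, colour type 0
    idat = zlib.compress(raw) + trailer
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, checking the signature and each CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length


def trailing_idat_bytes(png: bytes) -> int:
    """Count bytes in the concatenated IDAT payload that sit after the end of the
    zlib stream. A normal encoder leaves zero; appended data shows up here."""
    idat = b"".join(d for t, d in iter_chunks(png) if t == b"IDAT")
    dec = zlib.decompressobj()
    dec.decompress(idat)  # consumes the stream; leftovers land in unused_data
    if not dec.eof:
        raise ValueError("IDAT zlib stream is truncated")
    return len(dec.unused_data)
```

A scanner on an egress proxy can apply `trailing_idat_bytes` to downloaded PNGs and flag any non-zero result for review, since legitimate encoders do not leave bytes past the zlib stream end.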

Open to abuse by stealthy threat actors

Steganography techniques are often leveraged by stealthy threat actors as they enable them to hide malicious commands, payload, and other content in ordinary-looking files, such as images.

Just yesterday, BleepingComputer reported on a new exfiltration technique in which cybercriminals hid stolen credit card data in JPG images.

The fact that Twitter may not always strip extraneous information from an image, as demonstrated by Buchanan, opens up room for the platform’s abuse by threat actors.

Moreover, an additional challenge is that blocking Twitter image traffic may impact legitimate operations.

For example, a network administrator blocking Twitter’s image domain pbs.twimg.com would also cause legitimate images hosted on Twitter to be blocked.

That being said, Buchanan believes his PNG image proof-of-concept technique may not be particularly useful by itself, as other steganography methods are viable.

“I don’t think this technique is particularly useful for attackers, because more traditional image steganography techniques are easier to implement (and even more stealthy).”

However, more likely than not, the PNG technique demonstrated by the researcher could be used by malware to facilitate its command-and-control (C2) activities.

“But maybe it could be used as part of a C2 system, for distributing malicious files to infected hosts,” Buchanan further told BleepingComputer.

Likewise, because Twitter may be considered a safe host by network monitoring systems, malware distribution via Twitter using such image files remains a viable method for bypassing security programs.

When asked if Twitter was aware of this bug, the researcher told BleepingComputer:

“I reported my original JPEG-based trick to Twitter’s bug bounty program, but they said it wasn’t a security bug, so I didn’t bother reporting this one to them.”

In his example from 2018, as reported by BleepingComputer, Buchanan had tweeted a tiny JPG thumbnail that contained Project Gutenberg’s huge collection of The Complete Works of William Shakespeare.

[Image: The Complete Works of William Shakespeare stored in a tiny JPG file on Twitter. Source: BleepingComputer]

Previously, attackers have misused legitimate services like Imgur to host images from which a malicious Cobalt Strike payload was later calculated.

BleepingComputer has reached out to Twitter for comment before publishing this article but we have not heard back yet.
