Oh, that's clever. It's not just hiding the payload in the Exif, it's hiding the fact that the payload came from the network at all, by reading it from the browser cache (presumably after embedding the image into a page the user visited).

So you have a package that doesn't include (directly) malicious code or make network calls, yet it can still run malicious code from the network. This is much better than simple obfuscation because you can vary the payload, like a command-and-control server.

Why is this a link to a random fork that has no commits, rather than the original?
I hid my toy vibe-coded site's code inside the alpha channel of its logo. https://dogself.com

I probably should have minified it too...

Weren't similar techniques already used years ago by malvertisers to hide malicious code in images published as ads so it wouldn't be detected? (Although it might have been more like steganography.)
I'm not sure if this is exactly what you're referring to, but apparently years ago there were exploits bundling JAR files into GIFs to sneakily have them executed by the Java browser plugin: https://en.wikipedia.org/wiki/Polyglot_(computing)#GIFAR_att...
If anything, I would use EXIF data to enhance stego.

Generally it's the JPEG standard that allows the payload; manipulation by abusing EXIF is how you operate the exploit.

There is a 64k file segment specified for JPEG, and you can abuse it to hold any "data" you want, as well as extending to other segments for more storage.

The raw steganography in its most primitive form is a comparison of two photos, one of which is pixel-shifted to encode the data.

In advanced form, the pixels hold the encrypted data, but the application segments of the JPEG hold keys and/or matrix values, and you need a reference image. You can move fairly large volumes of ASCII representation like this before it's noticed.

You basically write a webpage that locally caches the payload and keys, then abuses EXIF to build and execute an exploit on the target.

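The two comments above (the package reading a payload out of an image's Exif, and the "64k segment" discussion) come down to one property of the file format: every JPEG APPn or COM segment carries a 16-bit length field, so a single segment holds at most 65533 bytes of arbitrary data, and a larger blob simply spans several segments. The following is an added example, not code from the package under discussion or from any commenter. It walks the marker segments of a JPEG, reassembles whatever sits behind the `Exif\0\0` identifier across any number of APP1 segments, and totals the metadata bytes so a scanner can flag carrier files. The sample file is constructed in memory (a JFIF header, APP1 segments, a comment, a scan header with a few stuffed bytes, and EOI), and the 64 KiB flagging threshold is a hypothetical tuning value, not something the thread specifies.

```python
"""JPEG segment walker: extract data hidden in APP1/Exif segments and
measure how much of a file is metadata rather than pixels."""
import struct
from typing import Iterator, NamedTuple

SOI, EOI, SOS, APP0, APP1, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xFE
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0..7
MAX_PAYLOAD = 0xFFFF - 2   # 16-bit length field counts its own two bytes
EXIF_ID = b"Exif\x00\x00"  # identifier that starts an Exif APP1 segment


class Segment(NamedTuple):
    marker: int
    payload: bytes


def iter_segments(buf: bytes) -> Iterator[Segment]:
    """Yield (marker, payload) for each marker segment, SOI through EOI.
    Entropy-coded scan data after SOS has no length field, so it is skipped
    by scanning for the next marker that is neither 0xFF00 stuffing nor RSTn."""
    if buf[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = buf[pos + 1]
        if marker == 0xFF:          # fill bytes are permitted before a marker
            pos += 1
            continue
        pos += 2
        if marker in STANDALONE:
            yield Segment(marker, b"")
            if marker == EOI:
                return
            continue
        (length,) = struct.unpack(">H", buf[pos:pos + 2])
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield Segment(marker, buf[pos + 2:pos + length])
        pos += length
        if marker == SOS:
            while pos + 1 < len(buf):
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1


def segment(marker: int, payload: bytes) -> bytes:
    """Encode one length-prefixed segment; refuses anything over the 16-bit limit."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload does not fit in one JPEG segment")
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def make_jpeg(hidden: bytes) -> bytes:
    """Constructed sample: a minimal JPEG-shaped file whose APP1 segments
    carry `hidden`, split across as many segments as the length field forces."""
    chunk = MAX_PAYLOAD - len(EXIF_ID)
    app1 = b"".join(segment(APP1, EXIF_ID + hidden[i:i + chunk])
                    for i in range(0, len(hidden), chunk))
    return (b"\xff\xd8"
            + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + app1
            + segment(COM, b"plain comment")
            + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # scan data with FF00 stuffing and RST0
            + b"\xff\xd9")


def extract_exif(buf: bytes) -> bytes:
    """Concatenate everything behind the Exif identifier in every APP1 segment."""
    return b"".join(s.payload[len(EXIF_ID):] for s in iter_segments(buf)
                    if s.marker == APP1 and s.payload.startswith(EXIF_ID))


def metadata_bytes(buf: bytes) -> int:
    """Total payload bytes in APP0..APP15 and COM segments (everything that is
    neither structural nor pixel data)."""
    return sum(len(s.payload) for s in iter_segments(buf)
               if 0xE0 <= s.marker <= 0xEF or s.marker == COM)


def looks_like_carrier(buf: bytes, limit: int = 64 * 1024) -> bool:
    """Hypothetical heuristic: a real Exif block with a thumbnail stays well
    under one segment, so metadata beyond `limit` deserves a closer look."""
    return metadata_bytes(buf) > limit


if __name__ == "__main__":
    sample = make_jpeg(b"A" * 70000)
    print("APP1 segments:", sum(1 for s in iter_segments(sample) if s.marker == APP1))
    print("hidden bytes recovered:", len(extract_exif(sample)))
    print("flagged:", looks_like_carrier(sample))
```

The point to note for detection: stripping or re-encoding an image removes APPn and COM segments entirely, which is exactly why the last commenter can no longer read camera settings off shared photos, and why an image served unchanged from a cache keeps its payload intact.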
Mildly annoying how almost everything strips out EXIF data nowadays, in part due to security concerns like this, and then I can't find out what camera, lens, and settings were used to take photos.