Steganography is the interesting but potentially dangerous technique of hiding data or malware code secretly within an ordinary, non-secret file or message to avoid detection. The use of steganography can be combined with encryption as an extra step for hiding or protecting data. Steganography can be used to conceal almost any type of digital content, including text, image, video, or audio content; the data to be hidden can be hidden inside almost any other type of digital content.
The practice of adding a watermark, trademark, or other identifying data hidden in multimedia or other content files, is one common use of steganography. For example, watermarking is used by publishers to identify their source material shared without their permission. Pedophiles use steganography to hide illegal child pornography inside image files. Hackers transport malware inside otherwise safe-looking files, and finally, insider attackers ex-filtrating stolen intellectual property from company’s using steganography.
Twitter’s Potential Issue
A researcher and developer by the name of David Buchanan revealed a method of hiding up to three MB of data inside a Twitter image. In his demonstration, he showed both MP3 audio files and ZIP archives contained within the PNG images hosted on Twitter. The art of steganography isn’t brand new, but the fact that the images can be hosted on a popular website like Twitter opens up a possibility for their abuse by malicious actors.
Although the attached PNG files hosted on Twitter represent valid images when previewed (below), merely downloading and changing their file extension was enough to obtain different content from the same file.
As observed by CyberHoot, the 6 KB image tweeted by the researcher contains an entire ZIP archive. The ZIP file contains Buchanan’s source code that anyone can use to pack miscellaneous contents into a PNG image. For those who’d rather go directly to the file download, the researcher provided source code for generating what he calls ‘tweetable-polyglot-png’ files on GitHub.
In another example uploaded to Twitter, Buchanan tweeted an image that could sing.
“Download this one, rename to .mp3, and open in VLC for a surprise. (Note: make sure you download the full-resolution version of the file, which should be 2048x2048px),” said the researcher. As tested by CyberHoot, the picture located at the Twitter image server below is approximately 2.5 MB in size and can be saved with a “.mp3” extension.
Once opened, the image file, now turned MP3, would start playing the song Never Gonna Give You Up by Rick Astley.
It’s Open For Hackers To Exploit, What Now?
While this tactic is potentially harmful, it does require ‘user input’ for the attack to deploy. The researcher mentioned it’s not necessarily an immediate threat to businesses or everyday users, but without Twitter working to remediate the issue it can get much worse with time.
In the meantime, there are other things your business can do to stay secure. For the average small to medium-sized business (SMBs), steganography does not provide an extreme risk. The discovery of steganographic file usage is incredibly difficult, expensive, and does not often yield the results of what was encrypted and embedded within the files in question. Since most SMBs have many larger holes through which their data can exfiltrate, it is enough to know that these techniques exist. SMBs should instead focus their limited resources on the largest risks they face: a lack of employee awareness on common attack vectors like phishing attacks and weak or poor password hygiene. Address these two critical issues and your SMB will have addressed two of the largest risks they face and the reason why they’re attacked 15x more often.