The next time someone sends you a link to a picture, be it that of a funny cat or a beautiful sunset, be careful before you click on it—it might hack your computer.
That image might look just like any other image, but thanks to a technique devised by Saumil Shah, a security researcher from India, a hacker could hide malicious code inside the picture’s pixels, literally hiding an exploit in plain sight.
The technique is called “Stegosploit” and Shah gave Motherboard a demo of the technique ahead of the talk he gave on Thursday at the Amsterdam hacking conference Hack In The Box.
Shah has found a way to hide malicious code directly in an image using steganography, an ancient technique that consists of stashing secret text or images inside other text or images. In this case, the malicious code, or exploit, is encoded inside the picture’s pixels, and it is then decoded using an HTML5 element called Canvas, which allows for dynamic rendering of images. Shah calls it the “magic sauce” behind Stegosploit.
This way, Shah said, all he needs to hack someone is an image file, nothing more.
“I don’t need to host a blog, I don’t need to host a website at all. I don’t even need to register a domain,” Shah told Motherboard during the demo last week. “I can take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate.”
The malicious code, which Shah calls “IMAJS,” is a mix of image data and JavaScript hidden in a JPG or PNG file. Shah hides the code within the picture’s pixels, and from the outside, unless you zoom in very closely, the picture looks just fine.
Shah, who’s been working on this research during his spare time for almost five years, showed me exactly how it works using my own profile picture in a Skype demo. He then prepared a demo video for Motherboard using his own picture as the guinea pig.
In the first video, embedded above, Shah shows step by step how he is able to hide malicious code inside an image file, using steganography.
In this second video, Shah shows how Stegosploit actually works. He has programmed the image to run the exploit when the target opens the image in his or her browser (this technique only works in browsers) and clicks on it (he could also make it run as soon as the image is loaded).
Once the target clicks on the image, you can see the computer’s CPU shooting up to 100 percent usage, indicating the exploit worked. The malicious code then sends data from the target’s computer back to the attacker, and creates a text file on the target’s computer that says: “You are hacked!”
I asked Shah to create that text file to show theatrically that a hacker could do practically anything he wants on a victim’s computer using this technique. Shah, however, could have programmed the malicious image to do something stealthier, such as downloading and installing spyware, or pilfering data from the victim’s computer.
For him, the big takeaway here is that image files should not be “presumed innocent” anymore. They can hide malicious code just like PDFs or other types of files that are typically used to deliver an exploit.
Patrick Wardle, the director of research at Synack, who has previously worked at the NSA, said that Stegosploit would be a good way for attackers to bypass detection on some image sharing websites, though advanced scanners should be able to detect an image that contains malicious JavaScript code.
In any case, for these techniques to work, an attacker still needs a vulnerable (in other words, unpatched) browser and an exploit for that vulnerability, according to Ken Westin, a senior analyst at web security company Tripwire.
Shah himself hasn’t fully tested his technique on known image sharing sites such as Imgur or Dropbox, and he admits that it might not work everywhere. The malicious file has to be uploaded without an extension for the browser to be tricked into rendering it, and some sites, such as Dropbox, don’t allow that. Moreover, sites like Facebook reprocess images when they are uploaded, which destroys the malicious code, according to Shah.
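The defensive points in the paragraph above (files without an extension get sniffed by the browser, appended or mismatched content is what scanners look for, and re-encoding destroys the hidden payload) translate into a few upload-handling checks. The following is an added example, not Shah’s code or anything from Motherboard: it verifies that the magic bytes match the declared extension, rejects data appended after the image’s end marker, and returns the response headers that stop a browser from reinterpreting the file. It does not detect code encoded in pixel values; that is what re-encoding the image on upload is for. All function names and sample files here are constructed for illustration.

```python
import struct
import zlib

# Signatures the server accepts; anything else is rejected regardless of filename.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
ALLOWED = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}

def sniff_image_type(data):
    """Return the MIME type implied by the magic bytes, or None."""
    if data.startswith(PNG_SIG):
        return "image/png"
    if data.startswith(JPEG_SOI):
        return "image/jpeg"
    return None

def trailing_bytes(data, mime):
    """Count bytes after the image's end marker (PNG IEND chunk / JPEG EOI).
    Appended data is where a polyglot usually carries its script; -1 = malformed."""
    if mime == "image/png":
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 12 + length  # 4 length + 4 type + data + 4 CRC
            if pos > len(data):
                return -1
            if ctype == b"IEND":
                return len(data) - pos
        return -1
    eoi = data.rfind(b"\xff\xd9")  # last EOI marker (skips any EXIF thumbnail EOI)
    return -1 if eoi < 0 else len(data) - (eoi + 2)

def validate_upload(filename, data):
    """Return (accepted, reason). Rejects files a browser would have to guess about."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, "missing or disallowed extension"
    mime = sniff_image_type(data)
    if mime != ALLOWED[ext]:
        return False, "content does not match extension"
    extra = trailing_bytes(data, mime)
    if extra != 0:
        return False, "malformed image or %d bytes appended after image end" % extra
    return True, mime

def response_headers(mime):
    """Headers for serving user images so the browser never sniffs them as HTML."""
    return {"Content-Type": mime,
            "X-Content-Type-Options": "nosniff",   # no MIME sniffing
            "Content-Security-Policy": "sandbox"}  # no script if opened top-level

def _chunk(ctype, payload):  # helper to build constructed PNG samples
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed samples: a 1x1 PNG header with no pixel data, the same file with a
# script appended after IEND, and a JPEG stub (SOI, empty APP0, EOI).
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + _chunk(b"IEND", b"")
POLYGLOT_PNG = CLEAN_PNG + b"<script>/* appended */</script>"
CLEAN_JPEG = JPEG_SOI + b"\xe0\x00\x02" + b"\xff\xd9"
```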
In other words, this is not an easy technique to reproduce, and there’s no evidence it’s been used in the wild yet. Still, Shah believes it’s just a matter of time and that “these techniques are coming, sooner or later.”
“You’re never the only one to figure things out,” he said during our conversation. “I’m the only one talking about it on stage but I’m sure there are other people that have figured this out.”