September 27, 2023

A security researcher has discovered a novel steganography technique for hiding data inside a Portable Network Graphics (.PNG) image file posted on Twitter, a tactic that could be exploited by threat actors to hide malicious activity.

He made the source code for his method available in a ZIP/PNG file attached to the image as well as on a post on GitHub that explains his methodology.

Researcher demonstrated how he could hide both MP3 audio files and ZIP archives within the PNG images hosted on Twitter. The reason he was successful is because while Twitter strips unnecessary data from PNG uploads, they don’t remove trailing data from the DEFLATE stream inside the IDAT chunk if the overall image file meets the requirements to avoid being re-encoded, he explained.

This finding is important because threat actors have found digital steganography, or the art of hiding information inside media, a useful method especially for obscuring malicious files or other activity, including communication between command and control servers. If his method is successful, it can give attackers another way to hide in hosted images on a widely used social media platform.

Certain Conditions

There are some requirements for both the images used to obscure files and the files being hidden inside them for his method to work, Buchanan explained.

“The cover image must compress well, such that the compressed filesize is less than (width * height) – size_of_embedded_file,” If the cover image does not have a palette, then it must have at least 257 unique colors .

Resolution on images can be up to 4096 x 4096, although Twitter will serve a downscaled version by default for images greater than 680 x 680 depending on certain factors. The image also should not have any unnecessary “metadata chunks”.

The total output file size must be less than potentially 5MB, but kept under 3MB to be on the safe side, otherwise Twitter will convert the PNG to a JPEG file.if the embedded file is a ZIP, then the offsets are automatically adjusted so that the overall file is still a valid ZIP.

The original 6KB image tweeted with the declaration of his finding–once opened and its file format changed to ZIP–contained an entire ZIP archive with his source code that anyone can use to pack miscellaneous contents into a PNG image.

Once opened, the image file, once turned into an MP3 file , would start playing the song “Never Gonna Give You Up” .

Researches posted yet another file to prove his point, an image of the Bard, William Shakespeare, which he said is a valid ZIP archive containing a multipart RAR archive with the complete works of Shakespeare embedded within. Researcher tried for a bug bounty but it’s not a open exploit

Leave a Reply

%d bloggers like this: