Slashdot Mirror


A Photo That Can Steal Your Online Credentials?

TedSamsonIW writes "InfoWorld reports on a new potential ploy for stealing Web users' private information: Researchers have found that by placing a new type of hybrid file on Web sites that let users upload their own images, they can circumvent security systems and take over Web surfers' accounts. 'They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.'"

8 of 235 comments

  1. I thought only Windows did this: by CustomDesigned · Score: 4, Insightful

    The mime type says "GIF", but if it looks executable, try to run it anyway. Or maybe it is just Windows. TFA didn't mention which software does this (other than "the browser"). At one point they blame Sun. Huh? Does the GIF have an applet tag? Or does this attack involve running a malicious applet at evil.com, which then loads a JAR from facebook.com (which was uploaded as a GIF) and the JRE runs it as if it came from facebook. *That* would be a Sun problem (and not a "browser" problem).

  2. Thumbnails by omnichad · Score: 2, Insightful

    What site doesn't resize the uploaded image for display? That wouldn't result in "compressed code" it would just be an image.

  3. YouTube? by LM741N · Score: 2, Insightful

    I am very curious whether some similar type of exploit could be used on YouTube uploads. Well, I guess we'll know soon.

  4. Workarounds for websites by ak_hepcat · Score: 4, Insightful

    * resize the image
    * crop the image 1x1 pixel smaller
    * convert the GIF(ar) to PNG or JPG
    * optimize the GIF file
    * shrink/reorder the color palette
    * edit the comments

    Gosh.. really, anything that affects the actual data package, but doesn't visibly hamper valid pictures.

    --
    Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)

    1. Re:Workarounds for websites by ignoramus · Score: 2, Insightful

      You're right, of course. Problem is mainly that it's one of those "if everybody does X, all will be fine" solutions.

      Right now, all sites that provide for image uploads would need to act or all users would have to disable Java. Reminiscent of the recent DNS caching issue, or 3/4 of the proposed solutions for spam... there's a long turnaround, if it works out at all.

      And if we somehow made the applet file format different, more strict to avoid it masquerading as another file type, how would that affect the jillion existing applets? Not sure if a simple solution exists.

  5. and the fix is also known by SmallFurryCreature · Score: 3, Insightful

    Just check ANY and ALL data the user submits for validity. That INCLUDES images. In this case, simply recode the image and voila, it will strip the padded info and all is well.

    NEVER EVER TRUST ANY DATA THE USER SUBMITS!

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.
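The summary describes the GIFAR only as a GIF and a JAR "mixed", and comments 4 and 5 argue that anything which rewrites the image bytes defeats it. The script below is an added example, not code from the article, the Black Hat talk, or any commenter. It assumes the layout the name implies (a complete GIF with a ZIP/JAR archive appended, which works because GIF readers parse from the front while ZIP readers locate the central directory from the back); the details the talk withheld are not reproduced, and the appended archive is a constructed, benign text entry, not an applet. It walks the GIF block structure to find where the image really ends, reports whether a ZIP reader would also accept the file, and strips everything past the GIF trailer. The function and constant names are this example's own.

```python
"""Detect and strip a ZIP/JAR archive appended to a GIF upload.

Added example, not code from the article or the talk it describes. Assumes the
layout the name GIFAR implies: a complete GIF followed by a ZIP (JAR) archive.
The appended archive used for the demo is a constructed, harmless text entry.
"""
import io
import zipfile

# Constructed test input: the well-known 43-byte 1x1 GIF89a.
MINIMAL_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
)

ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory signature ZIP readers look for


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed GIF sub-blocks terminated by a 0 byte."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_end_offset(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the trailer (0x3B).

    Raises ValueError if the bytes are not a structurally complete GIF.
    """
    try:
        if data[:6] not in (b"GIF87a", b"GIF89a"):
            raise ValueError("not a GIF header")
        packed = data[10]
        pos = 13  # header (6 bytes) + logical screen descriptor (7 bytes)
        if packed & 0x80:  # global color table present: 3 bytes per entry
            pos += 3 * (2 << (packed & 0x07))
        while True:
            block = data[pos]
            if block == 0x3B:  # trailer: the image is over here
                return pos + 1
            if block == 0x2C:  # image descriptor is 10 bytes; last is a packed field
                img_packed = data[pos + 9]
                pos += 10
                if img_packed & 0x80:  # local color table
                    pos += 3 * (2 << (img_packed & 0x07))
                pos += 1  # LZW minimum code size
                pos = _skip_subblocks(data, pos)
            elif block == 0x21:  # extension: introducer + label, then sub-blocks
                pos += 2
                pos = _skip_subblocks(data, pos)
            else:
                raise ValueError("unknown GIF block 0x%02x at offset %d" % (block, pos))
    except IndexError:
        raise ValueError("truncated GIF") from None


def is_archive(data: bytes) -> bool:
    """True if a ZIP/JAR reader would accept these bytes (prepended data is tolerated)."""
    return zipfile.is_zipfile(io.BytesIO(data))


def inspect_upload(data: bytes) -> dict:
    """Report whether an uploaded GIF also parses as an archive."""
    end = gif_end_offset(data)
    trailing = len(data) - end
    archive = is_archive(data)
    return {
        "gif_end": end,
        "trailing_bytes": trailing,
        "zip_eocd_present": ZIP_EOCD in data,
        "is_archive": archive,
        "polyglot": trailing > 0 and archive,
    }


def sanitize_gif(data: bytes) -> bytes:
    """Keep only the bytes up to and including the GIF trailer; drop anything appended."""
    return data[: gif_end_offset(data)]


def build_test_gifar() -> bytes:
    """Constructed test input: MINIMAL_GIF with a benign one-entry ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "harmless test entry, not an applet")
    return MINIMAL_GIF + buf.getvalue()


if __name__ == "__main__":
    gifar = build_test_gifar()
    print("raw upload:     ", inspect_upload(gifar))
    print("after sanitize: ", inspect_upload(sanitize_gif(gifar)))
```

Truncating at the trailer removes an appended archive, which is the only place a byte-exact ZIP can sit in a GIF, since the GIF's own sub-blocks are chopped into 255-byte runs with length prefixes. The full re-encode the commenters recommend is still the stronger choice: it also rewrites the palette, comments and extension blocks, so the site never serves any attacker-chosen bytes at all.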

  6. Re:Mmhhmm....those pesky details... by sakdoctor · Score: 2, Insightful

    How is password protection security through obscurity? I can think of no case where this is true.

  7. Re:I can haz ur eebay de-tails? by mopower70 · Score: 3, Insightful

    Also, I hate to get on my soapbox, but file extensions are a good thing. In this case, the extension is the only thing that the user has to tell them what sort of content is being delivered... when the file type doesn't match the extension (or MIME type), the browser should complain. This "magic" stuff where the extension is ignored is dangerous.

    Then please don't because you have no idea what you're talking about. File extensions are arbitrary, irrelevant, meaningless naming conventions based on absolutely nothing, while "magic" is determined by examining the actual contents of the file.

    If you understood what you were talking about and you wanted to label anything "dangerous", you'd be saying that relying on file extensions to convey any serious information about the content of the data is stupid and potentially dangerous. I can name a file anything I want. It at least takes a little bit of work to fiddle with the magic signature without corrupting the file's contents.