Slashdot Mirror


A Photo That Can Steal Your Online Credentials?

TedSamsonIW writes "InfoWorld reports on a new potential ploy for stealing Web users' private information: Researchers have found that by placing a new type of hybrid file on Web sites that let users upload their own images, they can circumvent security systems and take over Web surfers' accounts. 'They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.'"

6 of 235 comments

  1. Re:GIFAR by Vectronic · Score: 1, Interesting

    Or Jafar

    Jafar's name seems to be derived from a character named Jafar or Giafar in tales of the Arabian Nights, who is the Vizier to the 9th century Abbasid Caliph Harun al-Rashid; this character in turn was based on a real-life vizier, Ja'far bin Yahya Barmaki. Harun and Giafar were the protagonists of many stories in Arabian Nights, but Giafar was never presented as a villain. Harun did have the real Ja'far bin Yahya Barmaki beheaded after a dispute arising from allegations that Ja'far had engaged in an affair with the Caliph's sister. The original tale of Aladdin, a Syrian story not originally attached to the Arabian Nights, features two characters who correspond to Disney's Jafar. One is an unnamed vizier who is jealous of Aladdin but does not serve as a real villain; the other is the major antagonist, an evil magician from the Maghreb in North Africa who introduces Aladdin to his magical lamp.

    ...
    He is shown to be scholarly and learned in arcane lore, his secret chamber filled with strange devices and stacks of tomes, and, as such, he operates more on the level of an alchemist throughout the film's duration than an actual magician. Instead of casting spells, he relies on previously prepared potions capable of producing magical phenomena...

  2. Re:YouTube? by jebrew · Score: 2, Interesting

    Not likely; YouTube transcodes anything uploaded, so unless you've got a way to slip the code past a transcode and subsequent wrap into a .flv, then you're not going to hone your pwnage.

    Now, as for taking down some YouTube servers using this exploit: while it's unlikely, it is definitely more possible. Though I'd imagine their transcoders aren't written to execute code if a supposed videostream is mislabeled.

  3. Re:I thought only Windows did this: by Anonymous Coward · Score: 1, Interesting

    I agree with the parent, the article is a bit unclear. If I read this correctly:
    http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/java_js.html
    Unsigned Java applets are usually highly sandboxed (they can't even access the DOM) and can only communicate with the server they reside on (e.g. the Facebook webserver). So, wouldn't one need another exploit to get around the VM sandbox before even considering using this?

  4. Snow Crash? by Anonymous Coward · Score: 1, Interesting

    Sounds familiar...

    In the book, Snow Crash, a hacker causes people in their virtual world to "crash" by looking at an animation that works like an executable.

  5. Re:But What's the Use by UnderCoverPenguin · Score: 3, Interesting

    The part I don't get, is that images.somesocialsite.com is presumably sending it as an image/gif mimetype, so why is the browser running it (passing it to the JVM)? This sounds like a browser bug.

    I'm guessing you have it backwards. The referencing webpage marks up the file as a Java object. I imagine the GIF part is to get past the socialsite server's image validity tests so that it will agree to host the file.

    In my experience, the server should be sending the file with a MIME type of image/gif, so the browser should be treating the file as a GIF.

    Something I actually tried to do, once:

    I uploaded an SVG image to an image hosting website. But, the website, not "knowing" what an SVG file is, sent "Content-type: text/plain". (SVG is XML based, so is actually text.) Several web browsers, including FF and others, dutifully displayed the actual XML text.

    I then tried making a webpage that included the type attribute, specifying "xml/xml+svg". The web browsers continued to display the XML text.

    Given this observed behavior, I would expect that, when serving up a GIF file, either the server failed to include "Content-type: image/gif", or the browser ignored the content type from the server. Either of these, IMHO, is a bug.

    PS, FYI, I ultimately got the SVG file to be displayed correctly by re-uploading it as an XML file. The server then sent "Content-type: xml/xml" and the web browsers figured out what to do with it.

    --
    Don't try to out-weird me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr

  6. Re:I can haz ur eebay de-tails? by Rob Kaper · Score: 2, Interesting

    I knew somebody would flame me for my opinion, but look at the facts.

    File extensions are, currently, the sole determining factor that Windows machines use to determine what a file is.

    That's a shortcoming of Windows, it's not a shortcoming of other systems such as the magic database.

    Yes, but extensions aren't interchangeable. Your malicious .exe won't run if you rename it .pdf. It's a safety feature, and it's very useful.

    Then why does a malicious Java archive run when you rename it .gif? I thought they weren't interchangeable?

    Furthermore, on the internet, the extension is the only way a user can tell what a file is.

    You can't trust something as arbitrary as a filename, extension or content-type given by a remote server. You have to check the file itself. Now I won't expect an end user to do this manually, which is why the magic database is so useful.

    Since TFA states that the server thinks the so-called GIFAR is a .gif, it'll send a content-type: image/GIF header. It's dangerous and stupid for the browser to ignore (1) the .gif extension AND (2) the image/GIF content-type and launch Java.

    It's fine for the browser to ignore them because the server cannot be trusted to supply the correct information. It's dangerous and stupid for the browser to run Java code without warning, especially if it allows it to be done from inside the img tag because it can know the data is not a valid image by simply checking it first.

    I do think it's a flaw of the server to not verify this itself when storing the so-called image, but it's a bigger flaw of the client to trust every server will do this and no single server will abuse it.
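The two threads above circle the same mechanism without spelling it out: a GIF decoder reads a file from the front and stops at the GIF trailer byte (0x3B), while a JAR is a ZIP archive and ZIP readers locate the archive by scanning backwards from the end of the file for the End Of Central Directory record. One byte string can therefore satisfy both parsers, and an upload service that only checks the image header or the file extension will happily store and serve it. The check below is an editor's example added to this mirror, not code from any commenter or from the Black Hat researchers; the function names, the sample byte strings (a constructed minimal GIF and a constructed GIF followed by an empty ZIP end record, not a working archive) and the `classify_upload` labels are all assumptions of the example. It shows the kind of server-side verification Rob Kaper's last paragraph asks for: inspect the content as both formats, and reject (or re-encode, as jebrew notes YouTube's transcoding does) anything that parses as more than one.

```python
import struct
from typing import Optional

GIF_MAGICS = (b"GIF87a", b"GIF89a")
GIF_HEADER_LEN = 13          # signature + logical screen descriptor
GIF_TRAILER = b";"           # 0x3B: a GIF decoder stops reading here

# ZIP End Of Central Directory record: 22 fixed bytes plus a comment of up to
# 65535 bytes. Archive readers find it by scanning backwards from the end.
EOCD_SIG = b"PK\x05\x06"
EOCD_SIZE = 22
EOCD_SEARCH_WINDOW = EOCD_SIZE + 65535


def looks_like_gif(data: bytes) -> bool:
    """True if the front of the file is what an image decoder accepts as a GIF."""
    return len(data) >= GIF_HEADER_LEN and data[:6] in GIF_MAGICS


def find_eocd(data: bytes) -> Optional[int]:
    """Offset of a plausible ZIP End Of Central Directory record, or None.

    Mirrors how an archive reader locates it: scan backwards from the end and
    accept a candidate only if its comment-length field accounts for exactly
    the bytes that remain after the record.
    """
    start = max(0, len(data) - EOCD_SEARCH_WINDOW)
    pos = data.rfind(EOCD_SIG, start)
    while pos != -1:
        if pos + EOCD_SIZE <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_SIZE + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, start, pos)
    return None


def classify_upload(data: bytes) -> str:
    """Label an uploaded blob by which parsers would accept it.

    'gif'       - GIF header, no archive structure at the tail
    'polyglot'  - GIF header AND a ZIP end record: a GIF/JAR hybrid, reject it
    'zip'       - archive only
    'unknown'   - neither
    """
    is_gif = looks_like_gif(data)
    is_zip = find_eocd(data) is not None
    if is_gif and is_zip:
        return "polyglot"
    if is_gif:
        return "gif"
    if is_zip:
        return "zip"
    return "unknown"


def accept_gif_upload(data: bytes) -> bool:
    """Policy an image host could apply before storing a 'GIF': the file must
    parse only as a GIF and must end at the GIF trailer, so nothing trails it
    for another parser to find."""
    return classify_upload(data) == "gif" and data.endswith(GIF_TRAILER)


# Constructed fixtures (not taken from the article or any real upload).
MINIMAL_GIF = (
    b"GIF89a" b"\x01\x00\x01\x00" b"\x00\x00\x00"        # header, 1x1 screen
    b"," b"\x00\x00\x00\x00" b"\x01\x00\x01\x00" b"\x00"  # image descriptor
    b"\x02" b"\x02D\x01\x00"                              # LZW data
    b";"                                                  # trailer
)
EMPTY_ZIP_SAMPLE = EOCD_SIG + b"\x00" * 18       # an empty archive's end record
POLYGLOT_SAMPLE = MINIMAL_GIF + EMPTY_ZIP_SAMPLE # GIF up front, ZIP tail behind it

if __name__ == "__main__":
    for name, blob in (("gif", MINIMAL_GIF), ("hybrid", POLYGLOT_SAMPLE),
                       ("zip", EMPTY_ZIP_SAMPLE)):
        print(f"{name:7s} -> {classify_upload(blob):9s} accept={accept_gif_upload(blob)}")
```

The `find_eocd` scan is the part that matters: checking only the first few bytes, which is what "image validity tests" on many upload services amount to, is exactly the check a GIF/JAR hybrid is built to pass. Re-encoding every accepted image through a real decoder gives the same guarantee with less format-specific code, at the cost of CPU.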