A Photo That Can Steal Your Online Credentials?

← Back to Stories (view on slashdot.org)

A Photo That Can Steal Your Online Credentials?

Posted by ScuttleMonkey on Friday August 1, 2008 @07:20AM from the free-fear-mongering dept.

TedSamsonIW writes "InfoWorld reports on a new potential ploy for stealing Web user's private information: Researcher has found that by placing a new type of hybrid file on Web sites that let users upload their own images, they can circumvent security systems and take over Web surfers' accounts. 'They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.'"

41 of 235 comments (clear)

I can haz ur eebay de-tails? by Channard · 2008-08-01 07:23 · Score: 5, Funny

Just imagine - something as innocent as lolcats could be a potential minefield. God only knows what goatse would do.
1. Re:I can haz ur eebay de-tails? by Anonymous Coward · 2008-08-01 07:25 · Score: 4, Funny
  
  4chan is fucked, /b/ is going to spend all day trying to hack eachother.
2. Re:I can haz ur eebay de-tails? by ya+really · 2008-08-01 07:30 · Score: 3, Informative
  
  Just imagine - something as innocent as lolcats could be a potential minefield. God only knows what goatse would do
  There's no actual pictures involed though, just a java applet masquerading as a gif file to the browser (so no kitties harmed). Now, they could give a user a link saying, "Here bez sum picz of lolcatz, come lookz," which would then cause them to "download" what they think is a gif (though it will never show an image). I'm not sure about others, but I tell my browsers to ignore java. Anything written as a java applet is not worth viewing anyways, aside from security risks.
3. Re:I can haz ur eebay de-tails? by X0563511 · 2008-08-01 07:35 · Score: 3, Informative
  
  Wait, aren't they doing that already? Well, between faps anyways...
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
4. Re:I can haz ur eebay de-tails? by odiroot · 2008-08-01 07:45 · Score: 4, Funny
  
  You broke rules 1 & 2.
5. Re:I can haz ur eebay de-tails? by The+Ultimate+Fartkno · 2008-08-01 08:10 · Score: 4, Funny
  
  God only knows what goatse would do.
  Talk about a gaping security hole...
6. Re:I can haz ur eebay de-tails? by gd2shoe · 2008-08-01 08:26 · Score: 2, Informative
  
  Who says it wont display an image? An applet can render an image and do nothing else. Most users wouldn't know that it was an applet. If the users can anticipate there being an image in that location (often, not always) then it makes sense to keep the subterfuge going.
  
  --
  I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
7. Re:I can haz ur eebay de-tails? by MozeeToby · 2008-08-01 08:32 · Score: 2, Informative
  
  I think you've misunderstood what the hack is doing here. It isn't someone posting a picture which, when downloaded, infects your computer. This is you uploading a picture which infects the server the next time it is viewed. Basically, it looks like a gif when you upload it, but when the server goes to display the image next time it sees java code instead and runs it; theoretically allowing you to craft a java applet that can pull information off of their servers.
  I say theoretically because there's still a quite a few barriers to get this to work, or at least there should be if they've set up their server environment at all correctly.
8. Re:I can haz ur eebay de-tails? by clone53421 · 2008-08-01 09:00 · Score: 4, Informative
  
  There's no actual pictures involed though, just a java applet masquerading as a gif file to the server (so no kitties harmed).
  You're slightly mistaken. The server thinks it's a GIF; the browser figures out that it's actually an applet and starts Java. Since it's coming from the same server, the applet is able to interact with the rest of the page and see the site's cookies, and it can then transmit whatever stuff it discovers to a third party. As you said, not having the Java plugin would thwart the attack.
  Also, I hate to get on my soapbox, but file extensions are a good thing. In this case, the extension is the only thing that the user has to tell them what sort of content is being delivered... when the file type doesn't match the extension (or MIME type), the browser should complain. This "magic" stuff where the extension is ignored is dangerous.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
9. Re:I can haz ur eebay de-tails? by sexconker · 2008-08-01 09:32 · Score: 2, Funny
  
  Big fat java loading icon might tip some people off.
10. Re:I can haz ur eebay de-tails? by mopower70 · 2008-08-01 10:00 · Score: 3, Insightful
  
  Also, I hate to get on my soapbox, but file extensions are a good thing. In this case, the extension is the only thing that the user has to tell them what sort of content is being delivered... when the file type doesn't match the extension (or MIME type), the browser should complain. This "magic" stuff where the extension is ignored is dangerous.
  Then please don't because you have no idea what you're talking about. File extensions are arbitrary, irrelevant, meaningless naming conventions based on absolutely nothing, while "magic" is determined by examining the actual contents of the file.
  If you understood what you were talking about and you wanted to label anything "dangerous", you'd be saying that relying on file extensions to convey any serious information about the content of the data is stupid and potentially dangerous. I can name a file anything I want. It at least takes a little bit of work to fiddle with the magic signature without corrupting the file's contents.
11. Re:I can haz ur eebay de-tails? by Rob+Kaper · 2008-08-01 13:26 · Score: 2, Interesting
  
  I knew somebody would flame me for my opinion, but look at the facts.
  File extensions are, currently, the sole determining factor that Windows machines use to determine what a file is.
  That's a shortcoming of Windows, it's not a shortcoming of other systems such as the magic database.
  
  Yes, but extensions aren't interchangeable. Your malicious .exe won't run if you rename it .pdf. It's a safety feature, and it's very useful.
  Then why does malicious Java archive run when you rename it .gif? I thought they weren't interchangable?
  
  Furthermore, on the internet, the extension is the only way a user can tell what a file is.
  You can't trust something as arbitrary as a filename, extension or content-type given by a remote server. You have to check the file itself. Now I won't expect an end user to do this manually, which is why the magic database is so useful.
  
  Since TFA states that the server thinks the so-called GIFAR is a .gif, it'll send a content-type: image/GIF header. It's dangerous and stupid for the browser to ignore (1) the .gif extension AND (2) the image/GIF content-type and launch Java.
  It's fine for the browser to ignore them because the server cannot be trusted to supply the correct information. It's dangerous and stupid for the browser to run Java code without warning, especially if it allows it to be done from inside the img tag because it can know the data is not a valid image by simply checking it first.
  I do think it's a flaw of the server to not verify this itself when storing the so-called image, but it's a bigger flaw of the client to trust every server will do this and no single server will abuse it.
At last, after all my years of searching... by Paradigm_Complex · 2008-08-01 07:27 · Score: 5, Funny

I warned you all! I've known for years the bad guy from Aladdin would eventually tire of stealing stuff from mysterious caves and start breaking into computers!

--
"A witty saying proves nothing." - Voltaire
1. Re:At last, after all my years of searching... by An+ominous+Cow+art · 2008-08-01 07:37 · Score: 4, Funny
  
  I'll be disappointed if the command to begin the attack isn't:
  GIFAR, kree!
please... by pohl · 2008-08-01 07:27 · Score: 4, Funny

...won't someone think of the PORN!?

--
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
Oh no by fortyonejb · 2008-08-01 07:28 · Score: 4, Funny

As if tub girl wasn't insidious enough... Now she's going to steal my accounts?
As usual, safe browsing practices protect you by Lord+Kestrel · 2008-08-01 07:34 · Score: 3, Informative

Things like a properly constructed white-list for Noscript, not allowing Java by default, etc. will all protect you from this.
It's a shame that security tools that can help mitigate some of these attacks are difficult to understand and use for many users.
1. Re:As usual, safe browsing practices protect you by andymadigan · 2008-08-01 07:41 · Score: 3, Informative
  
  Actually, my guess is that this is some sort of automatic file type detection where the browser tries to detect the type of file and use the appropriate plugin (thus causing the JRE Applet Plugin to potentially get selected). If that's the case, NoScript may not recognize it, though disabling Java should fix it.
  
  --
  The right to protest the State is more sacred than the State.
Advert on hacker message board by hivebrain · 2008-08-01 07:35 · Score: 2, Funny

"Upgrade to a hybrid today and get 20% more mileage on your phishing messages"
I thought only Windows did this: by CustomDesigned · 2008-08-01 07:35 · Score: 4, Insightful

The mime type says "GIF", but if it looks executable, try to run it anyway. Or maybe it is just Windows. TFA didn't mention which software does this (other than "the browser"). At one point they blame Sun. Huh? Does the GIF have an applet tag? Or does this attack involve running a malicious applet at evil.com, which then loads a JAR from facebook.com (which was uploaded as a GIF) and the JRE runs it as if it came from facebook. *That* would be a Sun problem (and not a "browser" problem).
1. Re:I thought only Windows did this: by Bogtha · 2008-08-01 07:59 · Score: 5, Informative
  
  The article was light on details, but it sounds like an extension of a known attack, and if this is the case, then it's not Windows, but Internet Explorer. Internet Explorer ignores the Content-Type header in various circumstances, in violation of the HTTP 1.1 specification.
  This matters because services like Facebook serve these fake "images" provided by their users to Internet Explorer and explicitly tell Internet Explorer that they are images. Internet Explorer then happily ignores them and tries to guess what type of file it is on its own. If the file looks a bit like HTML and you click on a link to it, Internet Explorer will happily execute Java and JavaScript on that page within the security context of the domain serving it.
  If you've wondered why these types of services force you to save images when you try to view them outside of the context of a web page, now you know why. It's because it's the only reliable way to ensure that Internet Explorer doesn't execute it. Think of it as a straight-jacket to stop a mentally ill person from hurting themselves.
  It's okay though, Microsoft are fixing the issue in Internet Explorer 8. By making Internet Explorer respect the HTTP 1.1 specification? Of course not! By adding a new proprietary header attribute.
  
  --
  Bogtha Bogtha Bogtha
2. Re:I thought only Windows did this: by Bogtha · 2008-08-01 11:14 · Score: 3, Informative
  
  Because of the number of legacy servers on the web (e.g. those that serve all files as text/plain)
  
  If you missed it, that was a thinly-veiled jab at Apache. Check out Bug #13986. You know you aren't doing well when an author of the HTTP 1.1 specification shows up on your bug tracker to post a "WTF?" comment :).
  
  --
  Bogtha Bogtha Bogtha
Linux by Darkness404 · 2008-08-01 07:35 · Score: 5, Funny

Well, this proves it again, by making Java so hard to install, Linux avoided yet another threat.

--
Taxation is legalized theft, no more, no less.
Re:But What's the Use by Anonymous Coward · 2008-08-01 07:36 · Score: 5, Informative

it sounds like what they are doing is creating a specially crafted Java archive (jar) that is disguised as a gif. You upload it to a site, the site stores it on their domain eg: images.somesocialsite.com The attacker would then make a webpage on his site, http://attacker.com/loadgar.html and in it would tell it to include the jar file from images.somesocialsite.com - in this situation the jar would be considered to be "from" the images.somesocialsite.com which would put it in the proper zone to be able to read *.somesocialsite.com cookies.
Thumbnails by omnichad · 2008-08-01 07:37 · Score: 2, Insightful

What site doesn't resize the uploaded image for display? That wouldn't result in "compressed code" it would just be an image.
YouTube? by LM741N · 2008-08-01 07:39 · Score: 2, Insightful

I am very curious whether some similar type of exploit could be used on YouTube uploads. Well, I guess we'll know soon.
1. Re:YouTube? by jebrew · 2008-08-01 08:00 · Score: 2, Interesting
  
  Not likely, youtube transcodes anything uploaded, so unless you've got a way to slip the code past a transcode and subsequent wrap into a .flv, then you're not going to hone your pwnage.
  Now as for taking down some youtube servers using this exploit, while it's unlikely, is definitely more possible. Though I'd imagine their transcoders aren't written to execute code if a supposed videostream is mislabeled.
print page by A+little+Frenchie · 2008-08-01 07:39 · Score: 2, Informative

http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/08/01/A_photo_that_can_steal_your_online_credentials_1.html
Re:Mmhhmm....those pesky details... by The+Dancing+Panda · 2008-08-01 07:48 · Score: 3, Informative

Security through obscurity does, in fact, keep things secure for a period of time. Hell, password protection is security through obscurity.

This is sort of a weak attack, if I understand what they're doing. The web browser sees the file as an image when you upload it. The server, on the other hand, sees it as a JAR file, and when it is accessed the next time, executes it. If it works, this is a pretty decent hack, but to actually get user information, you'd need a bit more info. First, they need the JVM installed on the server (which they probably have, but it's not a given). They also need a database schema, an open hole to get the information back to the hacker, and most importantly, DB passwords. So, even if this comes out 0-day, your myspace profile is probably safe.
Re:Mmhhmm....those pesky details... by pjt33 · 2008-08-01 07:49 · Score: 4, Informative

In terms of creating something which is both a gif and a jar, it's a simple case of cat myimg.gif myapplet.jar. The fact that you can cat a gif and a zip file and get something which conforms to both specifications has been known for years. The interesting bit will be the way they turn the Facebook img tag into an applet tag or otherwise persuade the browser to execute the applet.
Re:Mmhhmm....those pesky details... by The+Dancing+Panda · 2008-08-01 07:51 · Score: 2

Wow...RTFA...I was way off. But I don't quite understand what would make Java open these image files... Do they have ".jar" extensions? shouldn't facebook and the like be...I don't know...not allowing those?
Workarounds for websites by ak_hepcat · 2008-08-01 07:56 · Score: 4, Insightful

* resize the image
* crop the image 1x1 pixel smaller
* convert the GIF(ar) to PNG or JPG
* optimize the GIF file
* shrink/reorder the color palette
* edit the comments
Gosh.. really, anything that affects the actual data package, but doesn't visibly hamper valid pictures.

--
Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
1. Re:Workarounds for websites by ignoramus · 2008-08-01 08:08 · Score: 2, Insightful
  
  You're right, of course. Problem is mainly that it's one of those "if everybody does X, all will be fine" solutions.
  Right now, all sites that provide for image uploads would need to act or all users would have to disable Java. Reminiscent of the recent DNS caching issue, or 3/4 of the proposed solutions for spam... there's a long turnaround, if it works out at all.
  And if we somehow made the applet file format different, more strict to avoid it masquerading as another file type, how would that affect the jillion existing applets? Not sure if a simple solution exists.
JAR = ZIP, and GIF+ZIP = old news by marcansoft · 2008-08-01 08:03 · Score: 4, Informative

JAR files are just ZIP archives. ZIP archives are based on the end of the file, where the central directory is located (this is also why you can often unzip a self-extracting exe using a normal unzip application). GIF files, like most other files, are based on the beginning of the file. ZIPs don't care if you shove data in front of them. GIFs don't care if you shove data after them.
$ cat file.gif file.zip > file.gizip
Rename the result to .gif or .zip. Both work. You can also substitute JPG instead of the GIF, or any other file type that ignores trailing garbage.
I'm not sure if there's some kind of trick that is needed for the exploit to work, but the fact that you can make a file that works both as a zip and as almost any other file type has been known for ages.
and the fix is also known by SmallFurryCreature · 2008-08-01 08:09 · Score: 3, Insightful

Just check your ANY and ALL date the user submits for validity. That INCLUDES images. In this case, simply recode the image and foila, it will strip the padded info and all is well.
NEVER EVER TRUST ANY DATA THE USER SUBMITS!

--

MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Re:Mmhhmm....those pesky details... by sakdoctor · 2008-08-01 08:56 · Score: 2, Insightful

How is password protection security through obscurity? I can think of no case where this is true.
Re:But What's the Use by UnderCoverPenguin · 2008-08-01 09:40 · Score: 3, Interesting

The part I don't get, is that images.somesocialsite.com is presumably sending it as an image/gif mimetype, so why is the browser running it (passing it to the JVM)? This sounds like a browser bug.
I'm guessing you have it backwards. The referencing webpage marks up the file as a Java object. I imagine the GIF part is to get past the socialsite server's image validity tests so that it will agree to host the file.
In my experience, the server should be sending the file with a MINE type of image/gif, so the brwoser should be treating the file as a GIF.
Something I actually tried to do, once:
I uploaded an SVG image to an image hosting website. But, the website, not "knowing" what a SVG file is, sent "Content-type: text/plain". (SVG is XML based, so is actually text.) Several web browsers, including FF and others, dutifully displayed the actual XML text.
I then tried making a webpage included the type attribute, specifiying "xml/xml+svg". The web browsers continued to display the XML text.
Given this observed behavior, I would expect that, when servering up a GIF file, either the server failed to include "Content-type: image/gif", or the browser ignored the contact type from the server. Either of these, IMHO, is a bug.
PS, FYI, I ultimately got the SVG file to be displayed correctly by re-uploading it as an XML file. The server then sent "Content-type: xml/xml" and the web browsers figured out what to do with it.

--
Don't try to out wierd me, three-eyes. I get stranger things than you, free with my breakfast cereal. --Zaphod Beeblebr
Re:Omitting details is a bad idea by Tony+Hoyle · 2008-08-01 10:09 · Score: 2, Informative

Except the attack fails if the image is modified in any way, fails if the server does minimal validation, *and* it only works in IE because that ignores mime types from the server.
I doubt there's an attack surface worth the effort. You can bet facebook does checks.
Re:all of them should enforce consistency by clone53421 · 2008-08-01 10:43 · Score: 2, Informative

As a side note, this exact same problem came up not too long ago when .asf files could be disguised as .mp3's and Windows Media Player would play them. It was a problem because .asf files are insecure.
As another example, you can take any image file that Preview will open, rename it with the extension of any other image file that Preview opens, and both Explorer and Preview will still display it... and Explorer will display no indication that it isn't what the extension says it is. It's not as dangerous as the .asf exploit, because all of the picture formats are already "safe" formats, and you can't disguise a .jar as a .gif in this case - Preview won't launch Java (I tried it), which is apparently the problem with the browser in TFA.
In short, extensions (if they are strictly followed) are a good way to avoid exploits like this. Trying to be clever/helpful by opening a file anyway when the extension is wrong is dangerous. At least Windows Media Player warns you (although it doesn't necessarily indicate that there is any particular danger in opening the file, IIRC).

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Re:Mmhhmm....those pesky details... by Creepy+Crawler · 2008-08-01 11:06 · Score: 2, Informative

Obscurity: hiding so that the proper user knows the secret will be allowed in.
password: secret word/phrase. Can be brute forced, cracked, found hiden on a post-it, or just plain guessed at. Absolute worst case puts password at 2^8 per character, minus stated password rules.
--
- Mod parent up! by Anonymous Coward (Score:1) Thurs, Nov 31, @13:37
Re:What the hell are you talking about? by Nazlfrag · 2008-08-01 20:17 · Score: 3, Informative

Correct. The code hidden in the image file will be executed by whatever browsers view it, not executed by the server. Even if the server does parse it, it would just be looking for a signature. It has enough similarity to fool the server into thinking its a valid GIF file, but the end users browser will render it as a JAR file (or possibly both).