Slashdot Mirror


A Photo That Can Steal Your Online Credentials?

TedSamsonIW writes "InfoWorld reports on a new potential ploy for stealing Web users' private information: researchers have found that by placing a new type of hybrid file on Web sites that let users upload their own images, they can circumvent security systems and take over Web surfers' accounts. 'They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.'"

16 of 235 comments

  1. I can haz ur eebay de-tails? by Channard · · Score: 5, Funny

    Just imagine - something as innocent as lolcats could be a potential minefield. God only knows what goatse would do.

    1. Re:I can haz ur eebay de-tails? by Anonymous Coward · · Score: 4, Funny

      4chan is fucked, /b/ is going to spend all day trying to hack each other.

    2. Re:I can haz ur eebay de-tails? by odiroot · · Score: 4, Funny

      You broke rules 1 & 2.

    3. Re:I can haz ur eebay de-tails? by The+Ultimate+Fartkno · · Score: 4, Funny

      God only knows what goatse would do.

      Talk about a gaping security hole...

    4. Re:I can haz ur eebay de-tails? by clone53421 · · Score: 4, Informative

      There's no actual pictures involved though, just a java applet masquerading as a gif file to the server (so no kitties harmed).

      You're slightly mistaken. The server thinks it's a GIF; the browser figures out that it's actually an applet and starts Java. Since it's coming from the same server, the applet is able to interact with the rest of the page and see the site's cookies, and it can then transmit whatever stuff it discovers to a third party. As you said, not having the Java plugin would thwart the attack.

      Also, I hate to get on my soapbox, but file extensions are a good thing. In this case, the extension is the only thing that the user has to tell them what sort of content is being delivered... when the file type doesn't match the extension (or MIME type), the browser should complain. This "magic" stuff where the extension is ignored is dangerous.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  2. At last, after all my years of searching... by Paradigm_Complex · · Score: 5, Funny

    I warned you all! I've known for years the bad guy from Aladdin would eventually tire of stealing stuff from mysterious caves and start breaking into computers!

    --
    "A witty saying proves nothing." - Voltaire
    1. Re:At last, after all my years of searching... by An+ominous+Cow+art · · Score: 4, Funny

      I'll be disappointed if the command to begin the attack isn't:

      GIFAR, kree!

  3. please... by pohl · · Score: 4, Funny

    ...won't someone think of the PORN!?

    --

    The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

  4. Oh no by fortyonejb · · Score: 4, Funny

    As if tub girl wasn't insidious enough... Now she's going to steal my accounts?

  5. I thought only Windows did this: by CustomDesigned · · Score: 4, Insightful

    The mime type says "GIF", but if it looks executable, try to run it anyway. Or maybe it is just Windows. TFA didn't mention which software does this (other than "the browser"). At one point they blame Sun. Huh? Does the GIF have an applet tag? Or does this attack involve running a malicious applet at evil.com, which then loads a JAR from facebook.com (which was uploaded as a GIF) and the JRE runs it as if it came from facebook. *That* would be a Sun problem (and not a "browser" problem).

    1. Re:I thought only Windows did this: by Bogtha · · Score: 5, Informative

      The article was light on details, but it sounds like an extension of a known attack, and if this is the case, then it's not Windows, but Internet Explorer. Internet Explorer ignores the Content-Type header in various circumstances, in violation of the HTTP 1.1 specification.

      This matters because services like Facebook serve these fake "images" provided by their users to Internet Explorer and explicitly tell Internet Explorer that they are images. Internet Explorer then happily ignores them and tries to guess what type of file it is on its own. If the file looks a bit like HTML and you click on a link to it, Internet Explorer will happily execute Java and JavaScript on that page within the security context of the domain serving it.

      If you've wondered why these types of services force you to save images when you try to view them outside of the context of a web page, now you know why. It's because it's the only reliable way to ensure that Internet Explorer doesn't execute it. Think of it as a straitjacket to stop a mentally ill person from hurting themselves.

      It's okay though, Microsoft are fixing the issue in Internet Explorer 8. By making Internet Explorer respect the HTTP 1.1 specification? Of course not! By adding a new proprietary header attribute.

      --
      Bogtha Bogtha Bogtha
  6. Linux by Darkness404 · · Score: 5, Funny

    Well, this proves it again, by making Java so hard to install, Linux avoided yet another threat.

    --
    Taxation is legalized theft, no more, no less.
  7. Re:But What's the Use by Anonymous Coward · · Score: 5, Informative

    It sounds like what they are doing is creating a specially crafted Java archive (jar) that is disguised as a gif. You upload it to a site, and the site stores it on their domain, e.g. images.somesocialsite.com. The attacker would then make a webpage on his site, http://attacker.com/loadgar.html, and in it would tell it to include the jar file from images.somesocialsite.com - in this situation the jar would be considered to be "from" images.somesocialsite.com, which would put it in the proper zone to be able to read *.somesocialsite.com cookies.

  8. Re:Mmhhmm....those pesky details... by pjt33 · · Score: 4, Informative

    In terms of creating something which is both a gif and a jar, it's a simple case of cat myimg.gif myapplet.jar. The fact that you can cat a gif and a zip file and get something which conforms to both specifications has been known for years. The interesting bit will be the way they turn the Facebook img tag into an applet tag or otherwise persuade the browser to execute the applet.

  9. Workarounds for websites by ak_hepcat · · Score: 4, Insightful

    * resize the image
    * crop the image 1x1 pixel smaller
    * convert the GIF(ar) to PNG or JPG
    * optimize the GIF file
    * shrink/reorder the color palette
    * edit the comments

    Gosh... really, anything that affects the actual data package, but doesn't visibly hamper valid pictures.

    --
    Support FSF: Stop thinking with your wallet, and think with your imagination. (cc/non-commercial)
  10. JAR = ZIP, and GIF+ZIP = old news by marcansoft · · Score: 4, Informative

    JAR files are just ZIP archives. ZIP archives are based on the end of the file, where the central directory is located (this is also why you can often unzip a self-extracting exe using a normal unzip application). GIF files, like most other files, are based on the beginning of the file. ZIPs don't care if you shove data in front of them. GIFs don't care if you shove data after them.

    $ cat file.gif file.zip > file.gizip

    Rename the result to .gif or .zip. Both work. You can also substitute JPG instead of the GIF, or any other file type that ignores trailing garbage.

    I'm not sure if there's some kind of trick that is needed for the exploit to work, but the fact that you can make a file that works both as a zip and as almost any other file type has been known for ages.
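The structure pjt33 and marcansoft describe (a GIF is parsed from its head, a ZIP/JAR is located from its tail, so a plain concatenation satisfies both) is exactly what an upload handler can check for, and it is why ak_hepcat's re-encoding workarounds break the trick. The Python below is an added example, not code from the thread or from the Black Hat researchers: SAMPLE_GIF is a constructed minimal image, the function names are my own, and the ZIP built for testing holds a harmless text file, not an applet.

```python
import io
import zipfile
# Constructed sample: smallest valid 1x1 GIF89a (header, screen descriptor, 2-colour table, image, trailer).
SAMPLE_GIF = bytes.fromhex(
    "474946383961" "01000100800000" "000000ffffff" "2c00000000010001000002024401003b"
)
def _skip_subblocks(data, pos):
    """Skip GIF data sub-blocks (size byte + payload) up to the 0x00 terminator."""
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def gif_end_offset(data):
    """Walk the GIF block structure and return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed, pos = data[10], 13                    # logical screen descriptor
    if packed & 0x80:
        pos += 3 * (2 << (packed & 0x07))         # global colour table
    while True:
        tag, pos = data[pos], pos + 1
        if tag == 0x3B:                           # trailer: the image is complete
            return pos
        if tag == 0x21:                           # extension: label, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif tag == 0x2C:                         # image descriptor (9 bytes)
            lct, pos = data[pos + 8], pos + 9
            if lct & 0x80:
                pos += 3 * (2 << (lct & 0x07))    # local colour table
            pos = _skip_subblocks(data, pos + 1)  # LZW min code size, then data
        else:
            raise ValueError("unknown GIF block 0x%02x" % tag)

def polyglot_report(data):
    """Flag an upload that parses as a GIF but also carries a ZIP/JAR payload."""
    return {
        "trailing_bytes": len(data) - gif_end_offset(data),
        "zip_eocd_present": b"PK\x05\x06" in data,   # ZIP end-of-central-directory
        "opens_as_zip": zipfile.is_zipfile(io.BytesIO(data)),
    }

def strip_after_trailer(data):  # sanitise: drop bytes past the trailer; re-encoding is stronger
    return data[:gif_end_offset(data)]

def constructed_polyglot():
    """Test input only: SAMPLE_GIF + a harmless in-memory ZIP, i.e. the cat from the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("note.txt", "constructed, not an applet")
    return SAMPLE_GIF + buf.getvalue()
```

A ZIP stuffed inside a GIF comment extension would show zero trailing bytes but still trip the EOCD check, which is why the report keeps both signals; re-encoding the image, as the workaround list suggests, removes either variant.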