Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Photo That Can Steal Your Online Credentials?

Posted by ScuttleMonkey on from the free-fear-mongering dept.

TedSamsonIW writes "InfoWorld reports on a new potential ploy for stealing Web user's private information: Researcher has found that by placing a new type of hybrid file on Web sites that let users upload their own images, they can circumvent security systems and take over Web surfers' accounts. 'They call this type of file a GIFAR, a contraction of GIF (graphics interchange format) and JAR (Java Archive), the two file-types that are mixed. At Black Hat, researchers will show attendees how to create the GIFAR while omitting a few key details to prevent it from being used immediately in any widespread attack.'"

5 of 235 comments (clear)

  1. I can haz ur eebay de-tails? by Channard · · Score: 5, Funny

    Just imagine - something as innocent as lolcats could be a potential minefield. God only knows what goatse would do.

  2. At last, after all my years of searching... by Paradigm_Complex · · Score: 5, Funny

    I warned you all! I've known for years the bad guy from Aladdin would eventually tire of stealing stuff from mysterious caves and start breaking into computers!

    --
    "A witty saying proves nothing." - Voltaire
  3. Linux by Darkness404 · · Score: 5, Funny

    Well, this proves it again, by making Java so hard to install, Linux avoided yet another threat.

    --
    Taxation is legalized theft, no more, no less.
  4. Re:But What's the Use by Anonymous Coward · · Score: 5, Informative

    it sounds like what they are doing is creating a specially crafted Java archive (jar) that is disguised as a gif. You upload it to a site, the site stores it on their domain eg: images.somesocialsite.com The attacker would then make a webpage on his site, http://attacker.com/loadgar.html and in it would tell it to include the jar file from images.somesocialsite.com - in this situation the jar would be considered to be "from" the images.somesocialsite.com which would put it in the proper zone to be able to read *.somesocialsite.com cookies.

  5. Re:I thought only Windows did this: by Bogtha · · Score: 5, Informative

    The article was light on details, but it sounds like an extension of a known attack, and if this is the case, then it's not Windows, but Internet Explorer. Internet Explorer ignores the Content-Type header in various circumstances, in violation of the HTTP 1.1 specification.

    This matters because services like Facebook serve these fake "images" provided by their users to Internet Explorer and explicitly tell Internet Explorer that they are images. Internet Explorer then happily ignores them and tries to guess what type of file it is on its own. If the file looks a bit like HTML and you click on a link to it, Internet Explorer will happily execute Java and JavaScript on that page within the security context of the domain serving it.

    If you've wondered why these types of services force you to save images when you try to view them outside of the context of a web page, now you know why. It's because it's the only reliable way to ensure that Internet Explorer doesn't execute it. Think of it as a straight-jacket to stop a mentally ill person from hurting themselves.

    It's okay though, Microsoft are fixing the issue in Internet Explorer 8. By making Internet Explorer respect the HTTP 1.1 specification? Of course not! By adding a new proprietary header attribute.

    --
    Bogtha Bogtha Bogtha