Slashdot Mirror


Tiny Twitter Thumbnail Tweaked To Transport Different File Types (theregister.co.uk)

Security researcher David Buchanan has found that Twitter image uploads can be polyglot files, meaning they can be valid simultaneously in multiple formats, such as a .jpg, a .rar archive and a .zip archive. From a report: Using some Python code he wrote, he created a thumbnail image of William Shakespeare overlaid with the words, "Unzip Me" and posted it to Twitter. The .jpg image is also a valid .zip file, so if you download it, you can unzip it and extract the contents, a multipart .rar archive of the text of Shakespeare's plays. [...] Twitter performs some processing on uploaded images, which has the potential to mess with the data. But Buchanan found that his multi-format file survived this process. It may be that the image itself (excluding the rather bulky metadata) is light enough not to trigger any compression or post-upload processing.

45 comments

  1. Who? by 110010001000 · · Score: 1, Offtopic

    I am not sure if anyone has told this William Shakespeare fellow about this, but he should sue for copyright violation.

    1. Re:Who? by Anonymous Coward · · Score: 0

      I'm sure some lawyer will sue on his behalf.

  2. Some python code? by Anonymous Coward · · Score: 0

    Wtf is this guy doing?
    Is cat not good enough to concatenate a jpg and a rar if he is on linux?
    Or maybe just the copy command on windows?
    4channers have been doing this for over a decade.
    What an invention.

    1. Re: Some python code? by Anonymous Coward · · Score: 0

      "He who stay ahead of curve on only one thing be behind on all other thing."
       
      If like 1% slashdot know this YOU are error, it new to everyone else !
       
      msmash

    2. Re: Some python code? by Anonymous Coward · · Score: 0

      Shout outs to idiots who renamed the file to .hta

    3. Re:Some python code? by Falos · · Score: 2

      OPEN ME IN WINAMP

    4. Re:Some python code? by Anonymous Coward · · Score: 0

      This trick (plus armies of morons who'll happily download and run anything) regularly brought 4chan to its knees with spam floods. I can only hope it's equally disastrous to twitter.

    5. Re: Some python code? by Anonymous Coward · · Score: 0

      To whip the llamas a55 or not to whip the llamas a55? That is the question.

      -william sharespeare

    6. Re:Some python code? by sjames · · Score: 1

      No, cat is not good enough. This is a more thorough embedding that survives some post processing that a simple concatenation will not.

  3. Twitter preserves image data fairly well by suso · · Score: 5, Interesting

    A while back I tried posting an image with a hidden steganographic message in it to Twitter and to my surprise the hidden message was preserved and not lost due to recompression. Also, the recent Banksy-style shredded image I posted to climagic that was basically a corrupted jpg file was preserved pretty well. In other words the corrupted part looks identical to what I see with the original on my own computer. However posting it to Mastodon.social resulted in a reprocessed image with compression artifacts.

  4. Ye olde 4Chan technology by Anonymous Coward · · Score: 0

    I remember when people would do this on 4Chan to transfer music files as tiffs and transfer zips of books as a jpg of the cover with the rest of the zip embedded into the jpg. Not really new, but that shit was shut down after people started transferring viruses and other bad shit.

    1. Re: Ye olde 4Chan technology by sexconker · · Score: 1

      Do you want to get on a list? That's how you get on a list.

    2. Re:Ye olde 4Chan technology by ArylAkamov · · Score: 1

      I wish they hadn't gotten rid of it, it was a great way to transfer books. I've got a folder full of what you described.

  5. As an IT Pro... by Dust038 · · Score: 1

    Malware been downloading crap to your computer disguised as JPG and ZIP for years, and now we've gone full circle and become the malware

    1. Re:As an IT Pro... by UnknownSoldier · · Score: 0

      Are you saying ...

      Social Media IS malware? =P

    2. Re:As an IT Pro... by tlhIngan · · Score: 4, Informative

      > Malware been downloading crap to your computer disguised as JPG and ZIP for years, and now we've gone full circle and become the malware

      No, these are not merely renamed files, these are polyglot files - files that can be other files. But unlike say steganography, they aren't even hidden.

      So this guy created a JPEG image that is a valid JPEG image. But inside it he stuffed in a ZIP file that can be extracted using any ZIP utility as-is.

      The ability to combine two arbitrary files is relatively limited - ZIP is one of the few file formats that puts the important metadata at the end of the file (and most formats will ignore trailing junk if they encounter it) so you can use the ability of many file formats to create holes to put ZIP data into them (ZIP data is stored as offsets that need not be contiguous, so you can place ZIP data in holes created by the other format).

    3. Re:As an IT Pro... by Anonymous Coward · · Score: 0

      it's a funny party trick. I think I've seen it done before with pdf +zip.

      This one didn't work for me though, I probably didn't have the right image.

    4. Re:As an IT Pro... by mejustme · · Score: 1

      > The ability to combine two arbitrary files is relatively limited

      I disagree. Any file format that has a "comment" field (or other optional meta data field) can potentially be abused this way. And most non-trivial file formats have something similar to a comment field.

      The surprising thing is when sites that host these files -- whether Twitter, Imgur, etc -- don't re-process the images and drop the extra information.

    5. Re:As an IT Pro... by Anonymous Coward · · Score: 1

      > The surprising thing is when sites that host these files -- whether Twitter, Imgur, etc -- don't re-process the images and drop the extra information.

      I'm sure they will soon start to. Remember a few years back when you could extract EXIF tags from images? You rarely can today.

    6. Re:As an IT Pro... by Anonymous Coward · · Score: 0

      > it's a funny party trick.

      And that is all it is. A party trick. But what is the point here? If I want to share a zip or a pdf, I can do that - on any webserver. And possibly post a URL to twitter, if I want to tweet about content twitter won't accept as-is.

      And who cares if a jpeg also works as a zip? It will still be treated as a jpeg, due to its name. For smuggling, anything can be hidden in any other file format - although the extraction process may be trickier than simply unzipping a jpg. For smuggling, you want the extraction process to be hard anyway, so the secret police doesn't stumble upon what you're hiding.

      Unzipping a jpeg may be easy, but it is even easier to unzip a zipfile. So that is what I use when secrecy isn't necessary. If twitter doesn't let me post a zip, I use some other channel.

  6. Fap fap fap by Anonymous Coward · · Score: 0

    Aww lawd is dat some CP?

  7. ZIP2EXE anyone? by Anonymous Coward · · Score: 0

    This is the same "trick" (not trick, design) that makes self-extracting zips possible. Big deal?

    1. Re:ZIP2EXE anyone? by Anonymous Coward · · Score: 1

      Basically, ZIP is the offender here. The format is detected from the end of the file not the beginning.

  8. PoC||GTFO by Anonymous Coward · · Score: 0

    PoC||GTFO was the first time I saw a polyglot file. Issue 0x14 is a valid pdf, zip and Nintendo ROM.

  9. Wanna bet? by reanjr · · Score: 1

    0.01 BTC says Twitter uses the image resolution to determine if they mangle it. Which means you can likely embed a significant amount of data before it hits their max upload size.

    1. Re:Wanna bet? by Anonymous Coward · · Score: 0

      If they go by resolution rather than file size you can append a couple of gigabytes zipped data at the end.

      Say hello.jpg to the new file sharing site.

    2. Re: Wanna bet? by reanjr · · Score: 1

      Well, my guess is you'll eventually hit another limit (in bytes uploaded) designed for the largest raster images, like those from 24 MPixel cameras.

  10. Obligatory reference by mapinguari · · Score: 0

  11. Hijacking back on topic. by Anonymous Coward · · Score: 0

    This is nothing new. You can do exactly this with PixelKnot.

    So David Buchanan, I know you think you're clever, but you're not.

    1. Re: Hijacking back on topic. by Anonymous Coward · · Score: 0

      It is quite sad you don't get the whole idea. You can pass this file unmodified into zip. Knot just extracts it.

  12. Mimetypes? by Anonymous Coward · · Score: 0

    I wonder what format these files will be detected as on systems that use mime types instead of file extensions

    1. Re:Mimetypes? by wisnoskij · · Score: 1

      I think we can be fairly certain that mime scanners will be designed to stop scanning as soon as possible in all cases. Meaning it will detect the format that uses data at the front. So at least in this case, it would show as a jpg file.

      --
      Troll is not a replacement for I disagree.
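
Added example (not code from the thread or from Buchanan's tool): tlhIngan's point that ZIP keeps its index at the end of the file, and the reply above that type sniffers stop at the leading bytes, combined into an upload check that reads both ends and flags a mismatch. Function names and the sample bytes are constructed for illustration; ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

MAGIC = {b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}
EOCD = struct.Struct("<4sHHHHIIH")  # ZIP end-of-central-directory record (22 bytes)
STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"  # constructed; not a decodable image


def sniff_head(data):
    """What a first-bytes type sniffer reports."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def find_zip_tail(data):
    """Search the tail for an EOCD record; return its entry count, or None."""
    lo = max(0, len(data) - (EOCD.size + 0xFFFF))  # EOCD plus the largest comment
    pos = data.rfind(b"PK\x05\x06", lo)
    while pos != -1:
        if pos + EOCD.size <= len(data):
            *_, entries, cd_size, _off, clen = EOCD.unpack_from(data, pos)
            cd_start = pos - cd_size  # the central directory sits right before the EOCD
            # Accept only if the comment fits in the file and a central-directory
            # header is really there; this filters chance "PK\x05\x06" byte runs.
            if (pos + EOCD.size + clen <= len(data) and cd_start >= 0
                    and data[cd_start:cd_start + 4] == b"PK\x01\x02"):
                return entries
        pos = data.rfind(b"PK\x05\x06", lo, pos)
    return None


def inspect_upload(data):
    """Return (head_type, zip_entry_count, flagged) for an uploaded blob."""
    head = sniff_head(data)
    entries = find_zip_tail(data)
    return head, entries or 0, head != "zip" and entries is not None


def constructed_sample(prefix=STUB):
    """Constructed test input: prefix bytes followed by a one-member ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    return prefix + buf.getvalue()
```

A flagged upload is one whose leading bytes name one format while its tail still parses as a ZIP directory, which is the case mejustme expects re-processing to remove.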
  13. Re:.zip != .rar by wisnoskij · · Score: 1

    The summary seems to be saying it is a zip of a rar of text.

    I guess it is possible the polyglot method only works with storage zips and does not work with compression.

    For whatever reason, I am inclined to believe the summary got it right as zips of rars, rars of rars, and zips of zips are fairly common to find in downloading files for whatever reason.

    --
    Troll is not a replacement for I disagree.