Tiny Twitter Thumbnail Tweaked To Transport Different File Types

Security researcher David Buchanan has found that Twitter image uploads can be polyglot files, meaning they can be valid simultaneously in multiple formats, such as a .jpg, a .rar archive and a .zip archive. From a report: Using some Python code he wrote, he created a thumbnail image of William Shakespeare overlaid with the words, "Unzip Me" and posted it to Twitter. The .jpg image is also a valid .zip file, so if you download it, you can unzip it and extract the contents, a multipart .rar archive of the text of Shakespeare's plays. [...] Twitter performs some processing on uploaded images, which has the potential to mess with the data. But Buchanan found that his multi-format file survived this process. It may be that image itself (excluding the rather bulky metadata) is light enough not to trigger any compression or post-upload processing.

Re:As an IT Pro...

[tlhIngan]

Malware been downloading crap to your computer disguised as JPG and ZIP for years, and now we've gone full circle and become the malware

No, these are not merely renamed files, these are polyglot files - files that can be other files. But unlike say steganography, they aren't even hidden.

So this guy created a JPEG image that is a valid JPEG image. But inside it he stuffed in a ZIP file that can be extracted using any ZIP utility as-is.

The ability to combine two arbitrary files is relatively limited - ZIP is one of the few file formats that puts the important metadata at the end of the file (and most formats will ignore trailing junk if they encounter it) so you can use the ability of many file formats to create holes to put ZIP data into them (ZIP data is stored as offsets that need not be contiguous, so you can place ZIP data in holes created by the other format).