Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tiny Twitter Thumbnail Tweaked To Transport Different File Types (theregister.co.uk)

Posted by msmash on from the pushing-the-limits dept.

Security researcher David Buchanan has found that Twitter image uploads can be polyglot files, meaning they can be valid simultaneously in multiple formats, such as a .jpg, a .rar archive and a .zip archive. From a report: Using some Python code he wrote, he created a thumbnail image of William Shakespeare overlaid with the words, "Unzip Me" and posted it to Twitter. The .jpg image is also a valid .zip file, so if you download it, you can unzip it and extract the contents, a multipart .rar archive of the text of Shakespeare's plays. [...] Twitter performs some processing on uploaded images, which has the potential to mess with the data. But Buchanan found that his multi-format file survived this process. It may be that image itself (excluding the rather bulky metadata) is light enough not to trigger any compression or post-upload processing.

15 of 45 comments (clear)

  1. Who? by 110010001000 · · Score: 1, Offtopic

    I am not sure if anyone has told this WIlliam Shakespeare fellow about this, but he should sue for copyright violation.

  2. Twitter preserves image data fairly well by suso · · Score: 5, Interesting

    A while back I tried posting an image with a hidden steganographic message in it to Twitter and to my surprise the hidden message was preserved and not lost due to recompression. Also, the recent Banksy-style shreded image I posted to climagic that was basically a corrupted jpg file was preserved pretty well. In other words the corrupted part looks identical to what I see with the original on my own computer. However posting it to Mastodon.social resulted in a reprocessed image with compression artifacts

  3. As an IT Pro... by Dust038 · · Score: 1

    Malware been downloading crap to your computer disguised as JPG and ZIP for years, and now we've gone full circle and become the malware

    1. Re:As an IT Pro... by tlhIngan · · Score: 4, Informative

      Malware been downloading crap to your computer disguised as JPG and ZIP for years, and now we've gone full circle and become the malware

      No, these are not merely renamed files, these are polyglot files - files that can be other files. But unlike say steganography, they aren't even hidden.

      So this guy created a JPEG image that is a valid JPEG image. But inside it he stuffed in a ZIP file that can be extracted using any ZIP utility as-is.

      The ability to combine two arbitrary files is relatively limited - ZIP is one of the few file formats that puts the important metadata at the end of the file (and most formats will ignore trailing junk if they encounter it) so you can use the ability of many file formats to create holes to put ZIP data into them (ZIP data is stored as offsets that need not be contiguous, so you can place ZIP data in holes created by the other format).

    2. Re:As an IT Pro... by mejustme · · Score: 1

      > The ability to combine two arbitrary files is relatively limited

      I disagree. Any file format that has a "comment" field (or other optional meta data field) can potentially be abused this way. And most non-trivial file formats have something similar to a comment field.

      The surprising thing is when sites that host these files -- whether Twitter, Imgur, etc -- don't re-process the images and drop the extra information.

    3. Re:As an IT Pro... by Anonymous Coward · · Score: 1

      The surprising thing is when sites that host these files -- whether Twitter, Imgur, etc -- don't re-process the images and drop the extra information.

      I'm sure they will soon start to. Remember a few years back when you could extract EXIF tags from images? You rarely can today.

  4. Re: Ye olde 4Chan technology by sexconker · · Score: 1

    Do you want to get on a list? That's how you get on a list.

  5. Re:ZIP2EXE anyone? by Anonymous Coward · · Score: 1

    Basically, ZIP is the offender here. The format is detected from the end of the file not the beginning.

  6. Re:Some python code? by Falos · · Score: 2

    OPEN ME IN WINAMP

  7. Wanna bet? by reanjr · · Score: 1

    0.01 BTC says Twitter uses the image resolution to determine if they mangle it. Which means you can likely embed a significant amount of data before it hits their max upload size.

    1. Re: Wanna bet? by reanjr · · Score: 1

      Well, my guess is you'll eventually hit another limit (in bytes uploaded) designed for the largest raster images, like those from 24 MPixel cameras.

  8. Re:Ye olde 4Chan technology by ArylAkamov · · Score: 1

    I wish they hadn't gotten rid of it, it was a great way to transfer books. I've got a folder full of what you described.

  9. Re:.zip != .rar by wisnoskij · · Score: 1

    The summary seems to be saying it is a zip of a rar of text.

    I guess it is possible the polygot method only works with storage zips and does not work with compression.

    For whatever reason, I am inclined to believe the summery got it right as zips of rars, rars of rars, and zips of zips are fairly common to find in downloading files for whatever reason.

    --
    Troll is not a replacement for I disagree.
  10. Re:Mimetypes? by wisnoskij · · Score: 1

    I think we can be fairly certain that mime scanners will be designed to stop scanning as soon as possible in all cases. Meaning It will detect the format that uses data at the front. So at least in this case, it would show as a jpg file.

    --
    Troll is not a replacement for I disagree.
  11. Re:Some python code? by sjames · · Score: 1

    No, cat is not good enough. This is a more thorough embedding that survives some post processing that a simple concatenation will not.