Sometimes, advances in cybersecurity come from the unlikeliest of places. Steganography – hiding data, information, or files within other types of media – has often been regarded as a niche interest for security geeks and was not thought to pose much of a threat.
That could have changed this month, with security researcher David Buchanan’s announcement that he has found a way to hide MP3 files and ZIP archives within the PNG files used by Twitter. This technique could (potentially) allow hackers to use an enormously popular social media network to hide malicious activity.
The announcement was made on March 18, 2021 on Twitter. Buchanan then shared the details of his exploit on GitHub a few days later. The write-up explains how various types of files can be hidden within the PNG files used to share images on Twitter. The technique bypasses the filters Twitter has in place to detect this kind of malicious activity. The specific problem is that these filters do not strip trailing data that sits after the end of the DEFLATE stream inside the IDAT chunk, provided the image as a whole meets the requirements to avoid being re-encoded. A PNG decoder ignores those trailing bytes, so files can be hidden in IDAT without affecting the displayed image.
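The gap described above is detectable: a PNG decoder stops reading the IDAT payload once the zlib (DEFLATE) stream ends, so any bytes left after that point are invisible to the viewer but present in the file. The check below is an added example written for this article; it is not Buchanan's code and not Twitter's filter. It parses PNG chunks, verifies their CRCs, concatenates the IDAT data as the PNG spec requires, and reports how many bytes follow the end of the compressed stream. The function names and the two tiny 2x2 test images (one clean, one with constructed trailing bytes) are assumptions built for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, checking the signature and each CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def idat_trailing_bytes(png: bytes) -> int:
    """Number of bytes in the concatenated IDAT payload that follow the end of
    the zlib (DEFLATE) stream. A normally encoded image yields 0; anything
    else is data a decoder silently ignores and a filter should strip or flag."""
    idat = b"".join(data for ctype, data in iter_chunks(png) if ctype == b"IDAT")
    inflater = zlib.decompressobj()
    inflater.decompress(idat)
    if not inflater.eof:
        raise ValueError("IDAT zlib stream is incomplete")
    return len(inflater.unused_data)


# --- constructed test fixtures (hypothetical images, not real Twitter uploads) ---
def build_png(idat_payload: bytes) -> bytes:
    """Minimal 2x2 8-bit RGB PNG wrapped around an arbitrary IDAT payload."""
    # width, height, bit depth, colour type 2 (RGB), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat_payload) + png_chunk(b"IEND", b""))


# two scanlines, each: filter byte 0, then one red and one green pixel
RAW_SCANLINES = b"".join(b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00" for _ in range(2))
CLEAN_PNG = build_png(zlib.compress(RAW_SCANLINES))
EXTRA = b"constructed trailing payload"  # 28 bytes standing in for hidden data
SUSPECT_PNG = build_png(zlib.compress(RAW_SCANLINES) + EXTRA)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        print(f"{name}: {idat_trailing_bytes(img)} bytes after the DEFLATE stream")
```

A re-encoding pipeline removes this residue as a side effect, which is why the technique depends on the image not being re-encoded; a cheap gate for files that skip re-encoding is to reject or rewrite any upload where this count is non-zero. The same idea extends to unknown ancillary chunks and to bytes after IEND, which are the other places a compliant decoder will happily ignore.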
This research is surprising for two reasons. One is that security researchers haven't paid much attention to steganography for a decade because it was widely assumed that fairly comprehensive filters were in place to detect and thwart the technique. As a result, recent research has focused on building resilience through end-to-end encryption and on identifying social engineering techniques rather than on finding files hidden in social media images. The second is that the technique might offer new attack vectors.
It’s important to stress that using steganography as an ingress vector will only work in very specific circumstances, and only against the most vulnerable devices. Even in Buchanan’s recent research, one has to format hidden files carefully to get them through Twitter’s threat detection.
Nevertheless, there is an increasing number of reports of steganography being used by threat actors. For example, the technique has been used to hide botnet communications and to spread ransomware. Perhaps most worrying is the discovery by researchers at website security firm Sucuri that Magecart attackers have been hiding sensitive data skimmed from credit cards inside .JPG files.
Whether steganography will become the attack method of the future remains to be seen; however, the announcement should, at the very least, keep us on our toes.