back to article Tiny Twitter thumbnail tweaked to transport different file types

A picture turns out to be worth much more than a thousand words, at least on Twitter. For security researcher David Buchanan, it amounts at least 884,000, roughly the number words in the complete works of William Shakespeare. Buchanan found that Twitter image uploads can be polyglot files, meaning they can be valid …

  1. Crazy Operations Guy

    "ICC profiles contain no executable code"

    So, they clearly have no clue how malware works. Although I assume they meant that the ICC specification doesn't allow for execution itself, but grossly ignores how trivial a buffer overflow is when handling variable-length data like images in a loose specification like JPEG. All it takes is a manipulated JMP to make that ICC data executable.

    1. Charles 9

      Re: "ICC profiles contain no executable code"

      Even if the JPEG data is stored in an DEP-marked area, which you would think it would be?

    2. Anonymous Coward
      Anonymous Coward

      Re: "ICC profiles contain no executable code"

      "So, they clearly have no clue how malware works"

      A bit harsh. I think most people understand the standard definitions of whether something has executable code even above the .exe is executable code, .txt is not, .docx is not but .docm is. PDFs can contain executable code but .rtf doesn't.

      However absolutely any data can be turned into executable code, it is only binary in the end so it is up to the software and device reading it whether it is 'executed' or not. Even then what does executable mean at that level, all data is processed by the processor so executable is just a software/OS term.

      Anyway, it doesn't mean that by saying that they have no idea how malware works.

  2. VeganVegan
    Happy

    Turtles all the way down?

    Turtle.jpg.zip.jpg.zip.jpg. und so weiter.

  3. Anonymous Coward
    Anonymous Coward

    lmao

    Do you see it?

    6C 6D 61 6F

    1. Anonymous Coward
      Anonymous Coward

      Re: lmao

      yes

      653362

  4. MacroRodent

    For how long will it work?

    Nice idea, but now that it is known, Twitter will probably soon tighten its metadata cleanup. Either by removing the ICC profile section, or by checking the section really is a plausible colour profile.

  5. Scott Broukell
    Coat

    ICC what you did there.

    <see title>

  6. John Savard

    Invalid Zip?

    In Windows, renaming it to .zip at the end doesn't work - at least not for Windows itself. 7Zip, though, will process the zip file, with two warnings: the data is offset, and there is extra data after the end of it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Invalid Zip?

      But the significance depends on the purpose. Might be crap for shovelling malware, but this offers a sly way of distributing files without clearly linking the intended recipient with the creator. Obviously you'd need the payload file itself to be encrypted, and possibly some hidden attributes.

      I would imagine the intelligence agencies have been using this approach for years.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like