Steganography is the art of hiding data within data. Using this technique allows you to obfuscate any data you want inside an image, MP3, video, etc. Watermarking is one example of the legitimate use of steganography: publishers use these watermarks to identify whether particular media has been shared without permission. As you can imagine, threat actors can also use steganography maliciously.
For instance, earlier this week security researcher David Buchanan demonstrated how you can do this via Twitter using a PNG image file. Typically, Twitter strips unnecessary data from PNG uploads. However, it does not remove trailing data from the DEFLATE stream inside the IDAT chunk if the overall image file meets the requirements to avoid being re-encoded. If you don't know, DEFLATE is a lossless data compression format that streams in a series of data blocks, hence "DEFLATE stream". IDAT refers to the PNG image data chunk. A threat actor could hide malicious files or other activity using this method, right under Twitter's nose.
Buchanan explains there are very specific requirements to bypass Twitter’s re-encoding. The compressed cover image file size must be less than the size of the embedded file. The cover image must have at least 257 unique colors. Image resolution should not be greater than 680×680 and it should not have any unnecessary meta data chunks. The output file size must be less than 3MB.
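To make the layout concrete, here is an added example (not Buchanan's code) that builds a small PNG with constructed bytes appended after the DEFLATE stream inside its IDAT chunk, together with a check a defender could run on an uploaded image to count such trailing bytes. The function names `build_png` and `idat_trailing_bytes` are chosen here.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, trailing: bytes = b"") -> bytes:
    """Constructed sample: a solid 8-bit RGB PNG whose single IDAT chunk
    carries `trailing` bytes after the DEFLATE stream (the layout described
    in the article). The CRC still validates, so the chunk looks intact."""
    # Each scanline starts with filter byte 0 followed by width RGB pixels.
    raw = b"".join(b"\x00" + b"\x80\x40\x20" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw) + trailing)
            + _chunk(b"IEND", b""))


def idat_trailing_bytes(png: bytes) -> int:
    """Walk the chunk list, concatenate all IDAT payloads, inflate them and
    return how many bytes follow the end of the DEFLATE stream.
    A normal encoder leaves 0; anything else is hidden cargo."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos, idat = 8, []
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if ctype == b"IDAT":
            idat.append(png[pos + 8:pos + 8 + length])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    inflater = zlib.decompressobj()
    inflater.decompress(b"".join(idat))
    if not inflater.eof:
        raise ValueError("DEFLATE stream is truncated")
    return len(inflater.unused_data)
```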
Buchanan tweeted a 6KB image to prove his point. If you download that image and rename it to a ZIP file you will find an entire ZIP archive with his source code to pack any content into a PNG. He tweeted another photo that, when converted to MP3 using his source code, will play 'Never Gonna Give You Up' by Rick Astley. He then tweeted a third photo that contained multiple RAR archives hiding the complete works of William Shakespeare.
Twitter has not recognized that this is a bug, so there is no bounty out for this one.