ZIP and MP3 Files Hidden Inside PNG Files on Twitter
Security researcher David Buchanan discovered a novel steganography technique for hiding data inside a Portable Network Graphics (PNG) image file posted on Twitter, a tactic that attackers could use to hide malicious files or activity. He showcased the approach on Twitter with a photo captioned "Save this image and change the extension to zip!" That ZIP contains the source code for his technique; he also posted a detailed explanation on GitHub.
Buchanan demonstrated how to hide both MP3 audio files and ZIP archives inside PNG images hosted on Twitter. It works because, while Twitter strips unnecessary data from uploaded PNGs, it does not remove trailing data that sits after the end of the DEFLATE stream but still inside the IDAT chunk, as long as the image as a whole meets the requirements that keep Twitter from re-encoding it. This matters because attackers already use digital steganography to obscure malicious files and other activity, and the technique gives them another place to hide payloads: images hosted on a widely used social media platform.
Buchanan explained that there are requirements on both the cover image and the file hidden inside it for his method to work. The cover image must compress well, so that the compressed file size is less than (width * height) minus size_of_embedded_file. The cover image must have at least 257 unique colors, otherwise Twitter will optimise it to use a palette. Image resolution can be up to 4096 x 4096, although Twitter will serve a downscaled version by default for images larger than 680 x 680. The image also must not carry any unnecessary metadata chunks. For the embedded file, the total output file size must be less than 5 MB, and is best kept under 3 MB to be on the safe side, otherwise Twitter will convert the PNG to a JPEG.
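To make the mechanism concrete, here is an added Python example (not Buchanan's code and not from the original article) that builds a small constructed cover PNG, appends a payload after the end of the zlib stream inside the IDAT chunk while keeping the chunk CRC valid, and then shows the two checks a practitioner wants: recovering the trailing bytes from a suspect image (the same logic doubles as a detector) and confirming that re-encoding the IDAT stream destroys the payload. The cover image, the in-memory payload ZIP, the budget-rule function and all function names are assumptions of this example; it uses only the standard library.

```python
"""Added example: PNG polyglot via trailing data inside IDAT, plus detection and re-encode checks."""
from __future__ import annotations

import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png: bytes) -> list[tuple[bytes, bytes]]:
    """Walk the chunk list, verifying every CRC, and return [(type, data), ...]."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    chunks, pos = [], 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def make_cover_png(width: int, height: int) -> tuple[bytes, bytes]:
    """Constructed cover: 8-bit RGB gradient with width*height unique colours (so > 257).
    Scanlines use PNG filter type 1 (Sub: each byte minus the byte one pixel to the left),
    which makes the stream compress very well. Returns (png_bytes, filtered_scanlines)."""
    rows = bytearray()
    for y in range(height):
        rows.append(1)  # filter type Sub
        prev = (0, 0, 0)
        for x in range(width):
            px = ((x * 4) & 0xFF, (y * 4) & 0xFF, 128)
            rows += bytes((px[i] - prev[i]) & 0xFF for i in range(3))
            prev = px
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 (RGB)
    png = (PNG_SIG + png_chunk(b"IHDR", ihdr)
           + png_chunk(b"IDAT", zlib.compress(bytes(rows), 9))
           + png_chunk(b"IEND", b""))
    return png, bytes(rows)


def replace_idat(png: bytes, new_idat: bytes) -> bytes:
    """Rebuild the file with all IDAT chunks merged into one chunk carrying `new_idat`."""
    out, done = [PNG_SIG], False
    for ctype, data in parse_chunks(png):
        if ctype == b"IDAT":
            if not done:
                out.append(png_chunk(b"IDAT", new_idat))
                done = True
        else:
            out.append(png_chunk(ctype, data))
    return b"".join(out)


def embed_after_idat_stream(png: bytes, payload: bytes) -> bytes:
    """Append `payload` after the end of the zlib stream, inside the IDAT chunk.
    The chunk CRC is recomputed, so the file stays a valid PNG for any decoder that
    stops reading at the end of the zlib stream."""
    idat = b"".join(d for t, d in parse_chunks(png) if t == b"IDAT")
    return replace_idat(png, idat + payload)


def split_idat_stream(png: bytes) -> tuple[bytes, bytes]:
    """Inflate the IDAT stream and return (scanlines, trailing_bytes).
    Non-empty trailing bytes are the tell-tale of this technique (detector use)."""
    idat = b"".join(d for t, d in parse_chunks(png) if t == b"IDAT")
    d = zlib.decompressobj()
    scanlines = d.decompress(idat) + d.flush()
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return scanlines, d.unused_data


def reencode_idat(png: bytes) -> bytes:
    """What a re-encoding step does: inflate and recompress, dropping anything after the stream."""
    scanlines, _ = split_idat_stream(png)
    return replace_idat(png, zlib.compress(scanlines, 9))


def fits_twitter_budget(cover_png: bytes, payload: bytes) -> bool:
    """The write-up's rule of thumb: compressed file size < width*height - size of payload."""
    chunks = parse_chunks(cover_png)
    width, height = struct.unpack(">II", dict(chunks)[b"IHDR"][:8])
    return len(cover_png) < width * height - len(payload)


def make_payload_zip() -> bytes:
    """Constructed payload: a small ZIP archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "demo payload hidden inside a PNG IDAT chunk\n")
    return buf.getvalue()


def opens_as_zip(blob: bytes) -> list[str]:
    """The 'rename to .zip' step: zipfile finds the end-of-central-directory record
    from the end of the file and compensates for the leading PNG bytes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    cover, _ = make_cover_png(64, 64)
    payload = make_payload_zip()
    print("cover fits budget rule:", fits_twitter_budget(cover, payload))
    polyglot = embed_after_idat_stream(cover, payload)
    _, trailing = split_idat_stream(polyglot)
    print("trailing bytes after zlib stream:", len(trailing), "zip members:", opens_as_zip(polyglot))
    print("trailing bytes after re-encode:", len(split_idat_stream(reencode_idat(polyglot))[1]))
```

Two points of design worth noting. First, the detector in `split_idat_stream` is the check a scanner should run on hosted images: a clean PNG inflates to exactly its scanlines with `unused_data` empty, so any trailing bytes are suspicious regardless of what they contain. Second, the ZIP appended here is left with its offsets relative to the start of the ZIP; Python's zipfile and most unzip tools tolerate leading bytes, but a strict reader that expects offsets relative to the start of the file would need those offsets patched.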
BleepingComputer downloaded the source code and followed the instructions. The original 6 KB image, once renamed with a .zip extension, opened as a complete ZIP archive containing his source code, which anyone can use to pack arbitrary content into a PNG image. BleepingComputer also downloaded a second image that Buchanan said to rename with an .mp3 extension; it opened in VLC media player and played "Never Gonna Give You Up" by Rick Astley.
Buchanan tried to report the issue through Twitter's bug bounty program but was told that it is not a bug. The finding follows a discovery by researchers at website security firm Sucuri that Magecart attackers had begun hiding credit card data skimmed from online shoppers inside .JPG files on a website they had injected with malicious code.