Security Week 12: Twitter Steganography

Storing data in formats that were never designed to hold it is a recurring topic in information security. Steganography is usually a tool for moving information covertly: an infected host, for example, contacts its C&C server and exchanges what look like harmless images.

Last week the white-hat camp produced another exercise in this genre: researcher David Buchanan found a way to share files inside pictures posted on Twitter (news; GitHub page with a description and the code).

There is no vulnerability here. Data can be embedded in a PNG image in several ways, and in this case no special tool is needed to get it back out: rename the .png file to .zip and unpack the resulting archive.

The author of the trick noticed a feature of Twitter's image processor: it strips some of the redundant data from an uploaded file but leaves one region of the IDAT chunk untouched, and that is where the extra data is hidden. The method has a limit: if the final file exceeds 3 MB, Twitter converts the image to JPEG. A demonstration is available on the author's Twitter account, and the image from it is reproduced above; the trick also works on Habr (at the time of publication). The zip file hidden inside that image contains the Python code that embeds arbitrary data in PNGs.
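
How a single file can be both a valid PNG and a valid ZIP, as an added example in Python. This is not the author's tweetable-polyglot-png code and does not reproduce Twitter's pipeline; it builds a tiny PNG whose IDAT chunk carries the zlib image stream followed by a ZIP archive, then shows that a PNG reader stops at the end of the zlib stream and discards the rest, while a ZIP reader finds the end-of-central-directory record from the end of the file and corrects for the prepended PNG bytes by itself. The 2x2 image, the payload file names and the decision to declare the 16 trailing PNG bytes as the archive comment are this example's own choices.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Bytes that follow the archive inside the finished PNG: the IDAT chunk's CRC (4)
# plus the empty IEND chunk (length 4 + type 4 + CRC 4). Example's own constant.
PNG_TRAILER_LEN = 16


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_zip(files: dict, trailer_len: int = PNG_TRAILER_LEN) -> bytes:
    """Build a ZIP archive whose end-of-central-directory record declares a comment
    of `trailer_len` bytes, then drop the placeholder comment itself. The bytes the
    PNG appends after the archive (IDAT CRC + IEND) are then read as that comment,
    so even a strict ZIP parser sees a well-formed file with nothing after it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
        zf.comment = b"\x00" * trailer_len  # only the declared length matters
    return buf.getvalue()[:-trailer_len]


def polyglot_png(width: int, height: int, rgba_rows: list, files: dict) -> bytes:
    """Return a valid 8-bit RGBA PNG whose IDAT chunk holds the zlib-compressed
    scanlines followed by a ZIP archive of `files`. The archive sits in slack
    space a PNG decoder never inspects; a ZIP reader finds it from the other end."""
    # PNG scanlines carry one filter-type byte (0 = None) in front of each row.
    raw = b"".join(b"\x00" + row for row in rgba_rows)
    image_stream = zlib.compress(raw)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    idat = image_stream + build_zip(files)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def decode_png(png: bytes):
    """Minimal PNG reader: walk the chunks, verify CRCs, inflate the IDAT data.
    Returns (rows, slack); slack is whatever followed the zlib stream inside IDAT,
    which a normal decoder simply ignores, and that is what makes the trick work."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat, width, height = len(PNG_SIG), b"", 0, 0
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        elif ctype == b"IDAT":
            idat += data
        pos += 12 + length
        if ctype == b"IEND":
            break
    d = zlib.decompressobj()
    raw = d.decompress(idat)
    stride = 1 + width * 4  # filter byte + RGBA pixels
    rows = [raw[i * stride + 1:(i + 1) * stride] for i in range(height)]
    return rows, d.unused_data


def extract_files(png: bytes) -> dict:
    """The 'rename to .zip and unpack' step. zipfile locates the EOCD record by
    scanning back from the end of the file, computes how many bytes were prepended
    and shifts every header offset accordingly; nothing in the PNG needs patching."""
    with zipfile.ZipFile(io.BytesIO(png)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    # Constructed 2x2 RGBA image and a constructed payload.
    rows_in = [b"\xff\x00\x00\xff" * 2, b"\x00\xff\x00\x80" * 2]
    payload = {"secret.txt": b"hello from inside the png"}
    png = polyglot_png(2, 2, rows_in, payload)
    rows_out, slack = decode_png(png)
    print("image intact:", rows_out == rows_in)
    print("slack starts with a ZIP local file header:", slack.startswith(b"PK\x03\x04"))
    print("extracted:", extract_files(png))
```

Run stand-alone it builds the image and checks that both readers agree. Two caveats a practitioner will want: Python's zipfile and the unzip tool tolerate prepended and trailing bytes anyway (unzip warns but proceeds), so the comment-length trick above is belt and braces for stricter parsers, and the whole scheme lives or dies on the hosting service writing the IDAT bytes back unchanged. Any re-encoding step, such as the JPEG conversion above 3 MB mentioned in the post, destroys the payload, and libpng-based viewers may warn about extra data after the zlib stream even though they still render the image.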



Another demonstration with a larger payload: David could not resist and packed a "rickroll" into a single picture. Besides Twitter and Habr, the same method works on the Imgur image host and in GitHub repositories, but not, for example, on Reddit.

What else happened:

The big news of the week: the previously disclosed vulnerabilities in F5 BIG-IP and BIG-IQ, high-performance network devices, are being actively exploited, and an exploit for the authentication bypass is publicly available.

Assessment of the damage from the Microsoft Exchange Server vulnerabilities continues, including outside the United States: the Belgian Cyber Threat Response Center reports 400 affected (that is, compromised) mail servers. Microsoft has published detailed guidance for system administrators on remediating attacked servers. A set of regular updates for Exchange Server was also released, including one that fixes problems that could arise after the earlier emergency patch.

Another Microsoft patch aims to fix all the printing problems in Windows 10 caused by faulty updates released earlier.

Computer manufacturer Acer was reportedly hit by a successful ransomware attack. According to BleepingComputer, the attackers are demanding $50 million.

Facebook has assembled its own team of security researchers, along the lines of Google Project Zero and similar projects.

Research from Kaspersky Lab experts: an analysis of macOS adware written in Rust and an analysis of malicious code with native support for the Apple M1 architecture.

A vulnerability has been discovered in the WordPress plugin TutorLMS that could lead to data theft and privilege escalation.

Netflix is introducing a rule that simultaneous use of an account from different locations must be confirmed by the account owner. The streaming service is fighting not so much ordinary users who share passwords with friends as the black market in accounts.
