Up to 3MB of Data Can Be Hidden in Twitter Images, Such as ZIP or MP3 Files
Researcher and programmer David Buchanan has demonstrated that it’s possible to upload images to Twitter that have been modified using steganography, allowing up to 3MB of hidden data to be embedded within them. This is possible because Twitter does not always properly sanitize uploaded images.
Buchanan shared examples of such images in his posts, where he hid a ZIP archive containing source code and an MP3 file. For instance, one of the images he shared, only 6KB in size, actually contains a complete archive. Although these are PNG files that appear to be ordinary images on Twitter, simply downloading them and changing their file extension is enough to access the hidden content.
“Download the file, rename it to .mp3, and open it in VLC to get a surprise. (Note: Make sure you download the full-resolution version, which should be 2048×2048 pixels),” the expert explains.
An image hosted on Twitter’s server (link) is 2.5MB in size and actually contains an MP3 file of Rick Astley’s “Never Gonna Give You Up.” Buchanan has also published the source code for creating such files on GitHub: tweetable-polyglot-png.
“Normally, Twitter compresses images, but in some cases, this doesn’t happen. Twitter also tries to remove all non-essential metadata so polyglot files won’t work. But I found a new trick: you can append data to the end of the DEFLATE stream (the part of the file where compressed pixel data is stored), and Twitter won’t remove it,” Buchanan explained.
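The hiding spot Buchanan describes is the gap between the end of the zlib/DEFLATE stream and the end of the IDAT chunk: decoders stop inflating once the stream terminates and ignore whatever follows, so the bytes survive as long as the chunk's length and CRC are consistent. The script below is an added example, not Buchanan's tweetable-polyglot-png code; it builds a constructed 1x1 PNG with a constructed stand-in payload appended in that position, then scans the file the way a gateway or upload pipeline could, reporting how many bytes sit after the DEFLATE stream and after IEND. The function and constant names are the example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))

def make_png(extra: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG; `extra` is appended after the zlib stream
    inside the single IDAT chunk, the placement the article describes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    scanline = b"\x00" + b"\xff\x00\x00"                # filter 0 + red pixel
    idat = zlib.compress(scanline) + extra
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def scan_png(png: bytes) -> dict:
    """Walk the chunks, verify CRCs, inflate IDAT and report how many bytes
    sit after the DEFLATE stream (inside IDAT) and after the IEND chunk."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    idat, pos = b"", len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos += 12 + length
        if ctype == b"IDAT":
            idat += body          # the zlib stream may span several IDAT chunks
        elif ctype == b"IEND":
            break
    else:
        raise ValueError("no IEND chunk")
    inflater = zlib.decompressobj()
    pixels = inflater.decompress(idat)
    if not inflater.eof:
        raise ValueError("truncated zlib stream")
    return {"pixel_bytes": len(pixels),
            "after_deflate": len(inflater.unused_data),  # the hiding spot
            "after_iend": len(png) - pos}

PAYLOAD = b"PK\x03\x04 constructed stand-in for a hidden ZIP archive"
if __name__ == "__main__":
    print(scan_png(make_png()))         # after_deflate is 0 for a clean file
    print(scan_png(make_png(PAYLOAD)))  # after_deflate equals len(PAYLOAD)
```

A clean re-encode (inflate, then deflate again, as Twitter's compression step normally does) drops the trailing bytes; a pipeline that only strips ancillary chunks does not, which is the gap the article describes.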
The fact that Twitter doesn’t always remove extraneous information from images opens up opportunities for abuse. For example, a PNG file could carry malicious code or serve as a channel for malware management and command-and-control (C&C) traffic. However, completely blocking image traffic from Twitter or the pbs.twimg.com domain could impact legitimate operations.
Buchanan says he previously tried to report a similar issue with JPEG files to Twitter’s developers, but was told it was not considered a security vulnerability. As a result, he did not notify the company about the same issue with PNG files.