Europe Pub
  • Communities
  • Create Post
  • Create Community
  • heart
    Support Lemmy
  • search
    Search
  • Login
  • Sign Up
sabreW4K3@lazysoci.al to Privacy@lemmy.dbzer0.comEnglish · 17 days ago

Adult sites are stashing exploit code inside racy .svg files

arstechnica.com

external-link
message-square
25
link
fedilink
  • cross-posted to:
  • hackernews@lemmy.bestiver.se
  • privacy@programming.dev
  • pulse_of_truth@infosec.pub
69
external-link

Adult sites are stashing exploit code inside racy .svg files

arstechnica.com

sabreW4K3@lazysoci.al to Privacy@lemmy.dbzer0.comEnglish · 17 days ago
message-square
25
link
fedilink
  • cross-posted to:
  • hackernews@lemmy.bestiver.se
  • privacy@programming.dev
  • pulse_of_truth@infosec.pub
Running JavaScript from inside an image? What could possibly go wrong?
  • lambalicious@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    2
    ·
    16 days ago

    Only an idiot parses an image file as executable code.

    • CeeBee_Eh@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      16 days ago

      I can’t tell if you’re being serious or just making a joke.

      • lambalicious@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        15 days ago

        It works both ways, which ultimately is the issue.

        • CeeBee_Eh@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          14 days ago

          A well created malicious exploit will look like an image (or any other file) to a user, but can execute arbitrary code.

          That’s why I thought maybe you were just making a joke.

          • lambalicious@lemmy.sdf.org
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            14 days ago

            Sure but that requires the given parser (the web browser, the image lib, etc) to arbitrarily run code in the first place. Which… well, why? It’s an image, not a program. Treat it as an image. Hence “only an idiot” writes an image parser to actually execute an image (same with eg.: only an idiot would write an MP3 parser that arbitrarily executes an MP3).

            Even if an SVG had JS in it, as an image-proccessing lib the correct method would be not to try to run the JS in your SVG by yourself but rather just hand it down to whoever is processibg JS at the moment (which would be, well, the browser context and its sandbox).

            • CeeBee_Eh@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              14 days ago

              I don’t think you understand how exploits work. We’re not talking about “running JS in an image viewer”.

              https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-hack-websites-2/

              https://www.bitdefender.com/en-us/blog/hotforsecurity/openjpeg-vulnerability-allows-execution-of-malicious-code-using-crafted-images

              that requires the given parser (the web browser, the image lib, etc) to arbitrarily run code in the first place

              At the most base level, every image is data, and any data can theoretically be code. The image’s data has to be parsed (like you said) and the parser can be exploited to trigger code execution.

Privacy@lemmy.dbzer0.com

privacy@lemmy.dbzer0.com

Subscribe from Remote Instance

Create a post
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !privacy@lemmy.dbzer0.com

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don’t be a smartass and try to game the system, we’ll know if you’re breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don’t promote big-tech software
  3. No apathy and defeatism for privacy (i.e. “They already have my data, why bother?”)
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

  • !opensource@programming.dev
  • !selfhosting@slrpnk.net / !selfhosted@lemmy.world
  • !piracy@lemmy.dbzer0.com
  • !drm@lemmy.dbzer0.com
Visibility: Public
globe

This community can be federated to other instances and be posted/commented in by their users.

  • 116 users / day
  • 570 users / week
  • 2.65K users / month
  • 6.74K users / 6 months
  • 8 local subscribers
  • 3.62K subscribers
  • 482 Posts
  • 3.18K Comments
  • Modlog
  • mods:
  • 𝔽𝕩𝕠𝕞𝕥@lemmy.dbzer0.com
  • Otter@lemmy.ca
  • shaytan@lemmy.dbzer0.com
  • fxomt@piefed.social
  • BE: 0.19.12
  • Modlog
  • Legal
  • Instances
  • Docs
  • Code
  • join-lemmy.org