Why Stegosploit Isn’t An Exploit
Edit: I screwed up. The “false claims” I’m attacking in this piece are about a new (unreleased) version of Stegosploit, which I wasn’t aware of. I’ll leave this article as it is and post a new one soon. Sorry for not researching this well enough, and thanks for understanding my mistake.
Regardless of the facts, Shah continues to ride the alarmist media hype train by endorsing scary articles full of blatantly false claims. Here are a few:
“I don’t need to host a blog, I don’t need to host a website at all. I don’t even need to register a domain, I can take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate.”
— Saumil Shah, Net Square
“All he needs to hack someone is an image file, nothing more.”
— Lorenzo Franceschi-Biccierai, Motherboard (VICE)
“… Virtually any picture you view on the web, even without clicking on it or downloading it, could potentially contain malware. Upon viewing the image, the hidden program would automatically load on your computer or mobile device without your consent.”
— Cammy Harbison, iDigitalTimes
“Internet users … could be infected by viewing a picture on any website, even without clicking on it or downloading it.”
— Pierluigi Paganini, Security Affairs
In reality, Stegosploit is a four-step process on the target browser:
- The browser downloads a harmless PNG image.
It doesn’t. While the proof-of-concept code hasn’t been officially released, it was visible for a few seconds during the Stegosploit demo at SyScan 2015:
If you have a <script> tag you can already do arbitrary code execution; the only thing that Stegosploit provides is weak obfuscation. Every other claim has been sensationalism and stunt hacking — especially with articles like “How You Can Get Hacked Just by Looking at a Picture Online”.
It’s not a bad idea to obfuscate your code with steganography if you have something trivial to hide, but it’s intellectually dishonest to pretend that Stegosploit is anything more than a thin layer of security through obscurity.
The future of active attacks may combine steganography, obfuscation, and even cryptography, but there’s no reason to believe that Stegosploit is dangerous or that it has the capacity to do any real damage in the wild.
Follow me on Twitter if you didn’t hate reading this. ☺