GIFAR: Photos That Look Right Back At You

Friday, August 01, 2008 - by Gregory Sullivan

Security researchers presenting information at next week's Black Hat convention are expected to demonstrate a particularly nasty method for stealing online credentials from users on any number of websites that allow users to upload their own pictures. The exploit will work by displaying what looks like a .gif picture, but contains a Java applet that can be triggered to run after the fact in the victim's browser. They call the file a GIFAR.

The bad guys would create a profile on one of these popular Web sites -- Facebook for example -- and upload their GIFAR as an image on the site. Then they'd trick the victim into visiting a malicious Web site, which would tell the victim's browser to go open the GIFAR. At that point, the applet would run in the browser, giving the bad guys access to the victim's Facebook account.

The attack could work on any site that allows users to upload files, potentially even on Web sites that are used to upload banking card photos or even Amazon.com, they say.

Because GIFARs are opened by Java, they can be opened in many types of browsers.

There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work. "The attack is going to work best wherever you leave yourself logged in for long periods of time," Heasman said.

Lots of users stay logged onto social sites that could display GIFARs almost continuously, so the risk of this exploit hitting paydirt if it gets out in the wild are pretty high. Either Sun will have to come up with an improvement in their runtime environment, or browser security will have to be beefed up. The third option is we all just change our online passwords to "password" and let the thieves take what they like.

Via: InfoWorld | News Archive | Tags: gif, photos, photo, os

Comments

By rapid1 on Aug 2, 2008

Wow that sounds like a pretty dangerous virus. However it's not a virus at least not in pristine form. Just so you know which many of you do I'm sure when you log on your work network the same thing is done. Basically it is done on a lot of business network's, and is how employers monitor web access. However those uses of this are basically just for monitoring. However I see how it could be used quite maliciously. Oh and a lot of parents use it on there teenagers and jealous or worried spouses use them to catch cheaters. I have actually installed them for people/business's and monitored them as well. That makes for some interesting stories lol anyways this is old someone just got nasty with it. When I did it that was the easiest way to do it stick it in a picture and send it to someone from a web dating/adult dating site bam total access and that was at least 6 years ago. Seems like the black hats would be better called old hats because I know it was'nt new then the keylogger I used for text monitoring was a rather lowend one, and I think was version 4 in 2001-2. So this is at a minimum been around since 1997 almost ten years and probably longer than that.

By nECrO1967 on Aug 2, 2008

Nasty stuff. Another good reason to keep ones security up to date and EDUCATE yourself. Sorry to repeat myself so often. I have been beating this education drum for so long, it's hard to stop.

By mazuki on Aug 2, 2008

i don't know why people don't log out in the first place.......are they really that lazy?

By roadrun777 on Aug 3, 2008

The problem is that the people installing all this monitoring software on private pc's are working for large companies. They are stealing ideas, songs, books, commercial ideas, marketing material, pre-released music, they are even recording people sing.
I was singing to some online music and I hear my laptop say "horrible!", so I said out loud "I am not really trying ***!", I heard someone laugh and say "shure your not trying!".
I realized that there are back doors into every software out there. What I don't think is fair is that they steal your life away and give you nothing in return. It takes a master programmer with assembly language and debugging skills to even detect these things, so they develop this "club". Either your in it, or your not. They use people like resources, without their permission. No one cares, and it's sad. Even the tools that are used to stop this sort of thing have their own back doors to them.
It's sad that using a PC means absolute compromise to your own privacy anymore. It's even worse when 16 year old kids get into these "clubs" and use these tools to harass and hurt people, not to mention the adults doing the same thing.

Post a Comment

	Replies
ASUS Xtreme Design Contest!	82
HotHardware and Viddler Contest: Win A Flip UltraHD!	27
Teens Still Crazy Over Texting While Driving	10
ATI Radeon HD 5970 Dual-GPU Powerhouse Review	9
Fusion-io ioXtreme PCI Express SSD, Tested and Burned In	8
NVIDIA Auction For The Leukemia & Lymphoma Society	7
Flash In The Pan: New Adobe Beta Enables GPU Offloading	7

	Replies
New York's Deputy CIO Looks To Consoles For New Emergency Alert System	6
I'D LIKE TO SEE A REVIEW OF THIS PLEASE!!!	1
Olive 4HD Music Server Caters To The (Rich) Audiophile	5
Imation's SSD Upgrade Kit Makes Tossing That HDD Easy	0
HotHardware and TechVi Video Podcast No. 4	3
Flat Screen TV Deals!	0
Imation Unleashes Wireless USB External Hard Drive	2

Looking at a Droid phone?

This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his
associates. All products and trademarks are the property of their respective owners. All content and graphical elements are
Copyright © 1999 - 2009 David Altavilla and HotHardware.com, LLC. All rights reserved. Privacy and Terms

Subscribe to HH News Alerts!	Preview