GIFAR: Photos That Look Right Back At You

Security researchers presenting information at next week's Black Hat convention are expected to demonstrate a particularly nasty method for stealing online credentials from users on any number of websites that allow users to upload their own pictures. The exploit will work by displaying what looks like a .gif picture, but contains a Java applet that can be triggered to run after the fact in the victim's browser. They call the file a GIFAR.

The bad guys would create a profile on one of these popular Web sites -- Facebook for example -- and upload their GIFAR as an image on the site. Then they'd trick the victim into visiting a malicious Web site, which would tell the victim's browser to go open the GIFAR. At that point, the applet would run in the browser, giving the bad guys access to the victim's Facebook account.

The attack could work on any site that allows users to upload files, potentially even sites used to upload banking card photos, or Amazon.com, they say.

Because GIFARs are opened by Java, they can be opened in many types of browsers.
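An upload-side check for the dual-format trick described above, added here as an example and not code from the article or the researchers. A GIFAR passes as an image because viewers read the GIF header at the front of the file, while Java reads a JAR (a ZIP archive) from the end-of-central-directory record at the back, so a file can satisfy both. The sample polyglot below is constructed from a 1x1 GIF and a ZIP holding a harmless text file, not an applet.

```python
import io
import struct
import zipfile

# ZIP "end of central directory" signature; ZIP/JAR readers find it by
# scanning backwards from the end of the file and ignore leading bytes.
EOCD_SIG = b"PK\x05\x06"
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def looks_like_gif(data: bytes) -> bool:
    """What an image viewer checks: the GIF signature at offset 0."""
    return data[:6] in GIF_MAGICS


def trailing_zip_archive(data: bytes):
    """Member names if the data also parses as a ZIP/JAR from its tail, else None."""
    tail = data[-(22 + 0xFFFF):]  # EOCD is 22 bytes plus up to 64 KiB comment
    if EOCD_SIG not in tail:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:  # tolerates prepended data
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_upload(data: bytes) -> str:
    """Upload-handler policy: accept plain GIFs, reject GIF/ZIP polyglots."""
    if not looks_like_gif(data):
        return "reject: not a GIF"
    members = trailing_zip_archive(data)
    if members is not None:
        return "reject: GIF carries an embedded archive (%d members)" % len(members)
    return "accept"


# Constructed sample inputs (assumptions for the demo, not files from the article).
def minimal_gif() -> bytes:
    """A valid 1x1 GIF89a: header, 2-colour palette, one image block, trailer."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    palette = b"\x00\x00\x00\xff\xff\xff"
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    return header + palette + image + b"\x3b"


def gif_with_appended_zip() -> bytes:
    """Polyglot: the GIF above followed by a small ZIP containing only note.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "benign placeholder, not an applet")
    return minimal_gif() + buf.getvalue()
```

Rejecting is the simplest policy; re-encoding every accepted image through an image library, which drops any trailing bytes, is the usual alternative for sites that cannot afford false positives on odd but legitimate GIFs.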

There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work. "The attack is going to work best wherever you leave yourself logged in for long periods of time," Heasman said.

Lots of users stay logged onto social sites almost continuously, and those sites could display GIFARs, so the risk of this exploit hitting paydirt if it gets out in the wild is pretty high. Either Sun will have to come up with an improvement to its Java runtime environment, or browser security will have to be beefed up. The third option is we all just change our online passwords to "password" and let the thieves take what they like.
Via: InfoWorld
Comments
rapid1 6 years ago

Wow, that sounds like a pretty dangerous virus. However, it's not a virus, at least not in pristine form. Just so you know, which many of you do I'm sure, when you log on to your work network the same thing is done. Basically it is done on a lot of business networks, and is how employers monitor web access. However, those uses of this are basically just for monitoring. However, I see how it could be used quite maliciously. Oh, and a lot of parents use it on their teenagers, and jealous or worried spouses use them to catch cheaters. I have actually installed them for people/businesses and monitored them as well. That makes for some interesting stories lol. Anyways, this is old; someone just got nasty with it. When I did it, that was the easiest way to do it: stick it in a picture and send it to someone from a web dating/adult dating site, bam, total access, and that was at least 6 years ago. Seems like the black hats would be better called old hats, because I know it wasn't new then; the keylogger I used for text monitoring was a rather low-end one, and I think was version 4 in 2001-2. So this has at a minimum been around since 1997, almost ten years, and probably longer than that.

nECrO1967 6 years ago
Nasty stuff. Another good reason to keep one's security up to date and EDUCATE yourself. Sorry to repeat myself so often. I have been beating this education drum for so long, it's hard to stop.
mazuki 6 years ago
I don't know why people don't log out in the first place... are they really that lazy?
roadrun777 6 years ago
The problem is that the people installing all this monitoring software on private PCs are working for large companies. They are stealing ideas, songs, books, commercial ideas, marketing material, pre-released music; they are even recording people singing.
I was singing to some online music and I heard my laptop say "horrible!", so I said out loud "I am not really trying ***!" I heard someone laugh and say "sure you're not trying!"
I realized that there are back doors into every piece of software out there. What I don't think is fair is that they steal your life away and give you nothing in return. It takes a master programmer with assembly language and debugging skills to even detect these things, so they develop this "club". Either you're in it, or you're not. They use people like resources, without their permission. No one cares, and it's sad. Even the tools that are used to stop this sort of thing have their own back doors in them.
It's sad that using a PC means absolute compromise to your own privacy anymore. It's even worse when 16 year old kids get into these "clubs" and use these tools to harass and hurt people, not to mention the adults doing the same thing.