In a tweet, David Buchanan announced that he had found a way to embed up to roughly 3 megabytes of extra data in a PNG image that survives being posted to Twitter rather than being stripped. This matters because threat actors routinely look for ways to disguise malicious payloads, such as executable files, inside normal-looking traffic to trusted services like social media. Twitter is supposed to strip any extraneous data from uploaded images precisely to prevent this kind of abuse. Buchanan had previously reported a similar bug to Twitter, which declined to treat it as a security risk, so he did not report this one. With steganography growing in popularity among threat actors as a malware delivery method, this technique is likely to be abused in the future.
Analyst Notes
Many organizations do not treat traffic to Twitter as a threat on their endpoints, so this technique could be used to deliver any number of files useful to a threat actor. Building detections around unusual processes connecting to Twitter or the Twitter APIs can be an effective way to catch it, since normally only a web browser or a Twitter client would make such connections. It is also important to remember that the technique does not depend on Twitter: the script is freely available and can embed arbitrary data in PNG files, which can then be hosted anywhere that does not impose a size limit on images.
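The detection suggested above, worked through as an added example (not code from the original post or from Buchanan's project): it scans Sysmon-style network-connection events and alerts on any process outside an allow-list of expected clients that connects to a Twitter host. The sample events, the domain list and the allow-list are all constructed assumptions for this example; the field names follow Sysmon's Event ID 3 schema.

```python
"""Detect processes other than approved clients connecting to Twitter.
Input: constructed Sysmon-style Event ID 3 (network connection) records as
JSON lines; the field names follow Sysmon's schema but the events are
made up for this example."""
import json

# Domains treated as "Twitter" (assumption: an illustrative short list).
TWITTER_DOMAINS = ("twitter.com", "twimg.com", "t.co")

# Processes expected to talk to Twitter directly (assumption: a typical
# allow-list; tune it to the browsers and clients actually deployed).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample log: one browser connection (expected), two
# non-browser connections to Twitter hosts (should alert), one
# non-Twitter connection and one non-network event (both ignored).
SAMPLE_LOG = r'''
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "User": "CORP\\alice", "DestinationHostname": "twitter.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\alice", "DestinationHostname": "pbs.twimg.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "User": "CORP\\alice", "DestinationHostname": "api.twitter.com", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "CORP\\alice", "DestinationHostname": "www.microsoft.com", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "User": "CORP\\alice", "CommandLine": "update.exe /silent"}
'''.strip().splitlines()


def is_twitter_host(hostname):
    """True if hostname is one of TWITTER_DOMAINS or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TWITTER_DOMAINS)


def process_name(image_path):
    """Basename of a Windows or POSIX image path, lower-cased."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_unexpected_twitter_connections(log_lines):
    """Return one alert dict per Twitter connection from a process not on the allow-list."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 3:  # only network-connection events
            continue
        host = event.get("DestinationHostname", "")
        if not is_twitter_host(host):
            continue
        name = process_name(event.get("Image", ""))
        if name in EXPECTED_PROCESSES:
            continue
        alerts.append({
            "process": name,
            "image": event.get("Image"),
            "user": event.get("User"),
            "host": host,
            "port": event.get("DestinationPort"),
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_twitter_connections(SAMPLE_LOG):
        print("ALERT: %(process)s (%(user)s) -> %(host)s:%(port)s [%(image)s]" % alert)
```

Run against the sample log this raises two alerts, for powershell.exe and for the update.exe binary in a temp directory, and stays silent for the browser. The same rule can be expressed over proxy or DNS logs where the process field is not available; the caveat is that an allow-list on process name says nothing about what a legitimate browser downloads, so it should be paired with content inspection of image files where that is feasible.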
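Because the notes point out that such PNG files can be hosted anywhere, a file-side check complements the network detection. The following is an added example, not code from the original post or from Buchanan's project: a structural audit that walks a PNG's chunk list, verifies every chunk CRC, and reports bytes that no decoder needs in order to render the image (data after the IEND chunk, or bytes inside IDAT after the zlib stream ends). These are generic checks; the page does not describe how the tweetable-polyglot-png encoder places its data, so no claim is made that they catch that specific layout. The sample 1x1 image and the helper that builds it are constructed for the example.

```python
"""Structural audit of a PNG file: walk the chunk list, verify CRCs, and
report bytes that are not needed to render the image. Generic checks,
not a signature for any particular embedding tool."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, body):
    """Serialise one chunk: big-endian length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(idat_suffix=b"", file_suffix=b""):
    """Constructed 1x1 red RGB PNG. The two optional suffixes exist only so
    the audit's 'extra data' findings can be exercised in a test."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte 0, then one RGB pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw) + idat_suffix)
            + make_chunk(b"IEND", b"")
            + file_suffix)


def parse_chunks(data):
    """Return (chunks, trailing_bytes); each chunk is (type, body, crc_ok).
    Parsing stops at IEND, so anything after it is returned as trailing."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated %r chunk" % ctype)
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        crc_ok = expected == struct.unpack(">I", crc_bytes)[0]
        chunks.append((ctype.decode("ascii"), body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def audit_png(data):
    """Return a list of human-readable findings; an empty list means the
    file carries nothing beyond what is needed to decode the image."""
    chunks, trailing = parse_chunks(data)
    findings = []
    if not chunks or chunks[-1][0] != "IEND":
        findings.append("missing IEND chunk")
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    for ctype, _, crc_ok in chunks:
        if not crc_ok:
            findings.append("bad CRC in %s chunk" % ctype)
    # A decoder stops reading IDAT when the zlib stream ends; anything
    # left over is carried by the file but never rendered.
    idat = b"".join(body for ctype, body, _ in chunks if ctype == "IDAT")
    decoder = zlib.decompressobj()
    try:
        decoder.decompress(idat)
    except zlib.error as exc:
        findings.append("IDAT is not a valid zlib stream: %s" % exc)
        return findings
    if not decoder.eof:
        findings.append("IDAT zlib stream is incomplete")
    elif decoder.unused_data:
        findings.append("%d bytes inside IDAT after zlib stream end"
                        % len(decoder.unused_data))
    return findings


if __name__ == "__main__":
    for label, png in (("clean", build_sample_png()),
                       ("trailing", build_sample_png(file_suffix=b"X" * 24)),
                       ("padded IDAT", build_sample_png(idat_suffix=b"A" * 10))):
        print(label, "->", audit_png(png) or "no findings")
```

A clean file produces no findings; a file with bytes after IEND or with leftover bytes in IDAT is reported with the byte count. Ancillary chunks such as tEXt or zTXt are legitimate places for non-image data too, so a stricter policy might also list every chunk type outside the critical four and size them.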
References:
https://www.bleepingcomputer.com/news/security/twitter-images-can-be-abused-to-hide-zip-mp3-files-heres-how/
https://github.com/DavidBuchanan314/tweetable-polyglot-png
I found a way to stuff up to ~3MB of data inside a PNG file on twitter. This is even better than my previous JPEG ICC technique, since the inserted data is contiguous.
The source code is available in the ZIP/PNG file attached: pic.twitter.com/zEOl2zJYRC
— David Buchanan (@David3141593) March 17, 2021