In a tweet, David Buchanan announced he had discovered a way to post a PNG image carrying up to 3 megabytes of extra data that is not stripped when the image is posted to Twitter. The discovery is significant because threat actors often look for ways to disguise malicious payloads, such as executable files, in normal-looking network traffic from trusted services such as social media. Twitter is supposed to strip any extraneous data when images are posted to the site to avoid this type of abuse. Buchanan had previously disclosed a similar bug to Twitter but was turned away because it was not considered a security risk, and he did not report the current bug. As steganography is growing in popularity among threat actors for delivering malware, this technique will likely be abused in the future.
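For defenders who want to flag PNG files that carry more than the image, the following is an added example (not code from this article or from Buchanan) that measures extra bytes in two places: after the end of the compressed image stream inside the IDAT chunks, and after the IEND chunk. Where the extra data sat in the files described above is not stated here, so both locations are assumptions, and the function names and the sample PNG are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    # PNG chunk layout: length, type, data, CRC32 over type+data
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def build_png(idat_extra=b"", trailer=b""):
    """Constructed 1x1 grayscale PNG; optional extra bytes for testing the check."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00") + idat_extra  # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)

def extraneous_bytes(png):
    """Return (bytes after the zlib stream end in IDAT, bytes after IEND)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat, after_iend = len(PNG_SIG), b"", None
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IDAT":
            idat += data  # the image stream may span several IDAT chunks
        elif ctype == b"IEND":
            after_iend = len(png) - pos
            break
    if after_iend is None:
        raise ValueError("no IEND chunk")
    # Decompresses fully in memory; cap the input size when scanning untrusted files.
    d = zlib.decompressobj()
    d.decompress(idat)
    if not d.eof:
        raise ValueError("incomplete image data")
    return len(d.unused_data), after_iend

if __name__ == "__main__":
    for name, png in [("clean", build_png()),
                      ("extra in IDAT", build_png(idat_extra=b"A" * 10)),
                      ("extra after IEND", build_png(trailer=b"DATA"))]:
        print(name, extraneous_bytes(png))
```

A non-zero value in either position means the file holds bytes that an image decoder never reads, which is worth flagging on images fetched from outside or re-hosted on behalf of users.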
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is