How to Hide Information in Images

By  on  

If you've followed this blog, you know that I'm obsessed with figuring out every way to interact with, abuse, and convert different types of media.  Whether it's images, video, or audio, if something can be changed or exploited, I want to figure out how to do it.

I remember reading in the past about how images could be used to pass on "secret" information or even install viruses, all the while displaying as proper images in browsers; this process is called steganography.  I wanted to figure out how you could exploit an image to, at the very least, contain information not visible to the user.  Let's look at a few different methods!

Adding EXIF Data

Unbeknownst to most users sharing photos, those images have data attached to them that the photographer realizes: latitude and longitude, device, and lots of other information.  For this reason alone I wrote Get and Remove EXIF Data, a post every service that allows image uploads should read, simply to keep their users privacy.

You can set EXIF data in an image to pass on dubious information:

# Put information in the EXIF
exiftool -artist=MY_SEMI_SECRET_DATA walshcoin.gif

# Retrieve the new info from the EXIF
exiftool walshcoin.gif

The image displays just as it did before but passes information unseen to the user!

Concatenating ZIP Files and Images

This method is the scarier of the two I'll illustrate.  You can actually concatenate an animated GIF and a ZIP file and the image will display while you can also unzip the GIF!

# Concatenate a legit GIF with a secret ZIP file!
$ cat bitcoin.gif >> bitcoinsecret.gif
$ cat secret.txt.zip >> bitcoinsecret.gif

# When you unzip the file, the secret file is there!
$ unzip bitcoinsecret.gif

It's wild that you can concatenate an image and a ZIP file and the result is both extractable and displays properly in a browser!

The methods I've illustrated in the post are incredibly tame -- there are likely many other dubious ways to exploit images so that the average user doesn't know that they're vulnerable.  The ease with which you can add arbitrary information to an image should be unsettling -- the images, at face value, show no sign of modification, but the truth is that they can tell a different story to someone looking for that information!

Recent Features

  • By
    LightFace:  Facebook Lightbox for MooTools

    One of the web components I've always loved has been Facebook's modal dialog.  This "lightbox" isn't like others:  no dark overlay, no obnoxious animating to size, and it doesn't try to do "too much."  With Facebook's dialog in mind, I've created LightFace:  a Facebook lightbox...

  • By
    Create a CSS Cube

    CSS cubes really showcase what CSS has become over the years, evolving from simple color and dimension directives to a language capable of creating deep, creative visuals.  Add animation and you've got something really neat.  Unfortunately each CSS cube tutorial I've read is a bit...

Incredible Demos

  • By
    Ana Tudor’s Favorite CodePen Demos

    Cocoon I love canvas, I love interactive demos and I don't think I have ever been more impressed by somebody's work than when I discovered what Tiffany Rayside has created on CodePen. So I had to start off with one of her interactive canvas pens, even though...

  • By
    HTML5 Input Types Alternative

    As you may know, HTML5 has introduced several new input types: number, date, color, range, etc. The question is: should you start using these controls or not? As much as I want to say "Yes", I think they are not yet ready for any real life...

Discussion

  1. Hi, David,

    what you are describing here is known as Steganography:
    https://en.wikipedia.org/wiki/Steganography

    Of course, there are packages on npm for this: https://www.npmjs.com/search?q=steganography

    I haven’t looked into their implementation, yet.

    Cheers

    André

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!