At one point, while browsing facebook pictures, I noticed the telltale sign of bitmaps loading (they render from the bottom up, because BMP stores its rows bottom-up). Sure enough, the pictures were about 400 KB each. They may have been labeled as JPGs, but they were actually BMPs. I found this odd because to upload pictures to facebook, they all run through the Java uploader and are resized. Except, I realized, maybe the Java uploader simply checks the dimensions and only resizes and recompresses when the image exceeds them. If someone made a bitmap that was within the maximum allowable dimensions for facebook, with a misleading .jpg extension, the uploader might simply pass it through untouched, byte for byte. Therefore, it may be very easy to hide information within facebook photos without anyone being the wiser.
I was talking to Jeff about this possibility, and he whipped up a test file. As it turned out, I was mostly correct: we could upload large amounts of data hidden within a normal-looking image. There is a limit, though: in our testing, facebook only accepted files up to 3.25 MB. This is a good thing, since the cap at least bounds how much can be smuggled out per image. But it is a proof of concept: you can hide data in facebook images and have it covertly available. This is known as steganography, defined by Wikipedia as “the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.” And now you know…sometimes there’s more than meets the eye.
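The two ideas above, a carrier file that passes a dimension-only check and a payload tucked inside it, in working code. This is an added example and not Jeff's test file or anything from facebook's uploader; how that uploader actually validated files is not known, and the post does not say how the test file hid its data. The example builds a small 24-bit BMP (a constructed gradient standing in for a photo), hides a length-prefixed payload in the least-significant bit of each pixel byte, and then contrasts the dimension check the post guesses at with the magic-byte sniff that would have caught a BMP uploaded under a .jpg name. All function names are my own.

```python
import os
import struct

# Added example (not from the original post): build a small 24-bit BMP,
# hide a payload in the pixel LSBs, and show why checking the extension
# or the dimensions alone does not reveal what the file really is.

BMP_HEADER_SIZE = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER


def make_bmp(width, height, pixels):
    """Serialize top-down (r, g, b) tuples as an uncompressed 24-bit BMP."""
    row_stride = (width * 3 + 3) & ~3          # rows are padded to 4 bytes
    body = bytearray()
    for y in range(height - 1, -1, -1):        # BMP stores rows bottom-up
        for x in range(width):
            r, g, b = pixels[y * width + x]
            body += bytes((b, g, r))           # and pixels as BGR
        body += b"\x00" * (row_stride - width * 3)
    file_header = struct.pack("<2sIHHI", b"BM", BMP_HEADER_SIZE + len(body),
                              0, 0, BMP_HEADER_SIZE)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(body), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + body)


def bmp_dimensions(data):
    """What a dimension-only check sees: (width, height) from the header."""
    width, height = struct.unpack_from("<ii", data, 18)
    return width, abs(height)


def build_sample_image(width=32, height=32):
    """Constructed sample: a simple gradient, stands in for a real photo."""
    pixels = [((x * 255) // (width - 1), (y * 255) // (height - 1), 128)
              for y in range(height) for x in range(width)]
    return make_bmp(width, height, pixels)


def embed_lsb(bmp, payload):
    """Hide payload (4-byte length prefix) in the low bit of each pixel byte."""
    offset = struct.unpack_from("<I", bmp, 10)[0]   # start of pixel data
    out = bytearray(bmp)
    message = struct.pack("<I", len(payload)) + payload
    if len(message) * 8 > len(out) - offset:
        raise ValueError("payload exceeds LSB capacity of this image")
    pos = offset
    for byte in message:
        for shift in range(7, -1, -1):           # MSB first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract_lsb(bmp):
    """Recover a payload written by embed_lsb."""
    offset = struct.unpack_from("<I", bmp, 10)[0]

    def read(start_byte, count):
        chunk = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (bmp[offset + (start_byte + i) * 8 + j] & 1)
            chunk.append(value)
        return bytes(chunk)

    length = struct.unpack("<I", read(0, 4))[0]
    return read(4, length)


# Content sniffing: the check an uploader should do instead of trusting the name.
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF8": "image/gif",
    b"BM": "image/bmp",
}
EXT_TO_MIME = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
               ".gif": "image/gif", ".bmp": "image/bmp"}


def sniff_image_type(data):
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def extension_matches_content(filename, data):
    """False for the post's case: a BMP body uploaded under a .jpg name."""
    ext = os.path.splitext(filename)[1].lower()
    return EXT_TO_MIME.get(ext) == sniff_image_type(data)


if __name__ == "__main__":
    cover = build_sample_image()
    stego = embed_lsb(cover, b"hidden note")
    print(bmp_dimensions(stego), extension_matches_content("photo.jpg", stego))
```

The LSB embed changes no pixel byte by more than one, so the stego image looks identical to the cover and still reports the same width and height; only sniffing the first bytes (or re-encoding every upload, which destroys LSB payloads as a side effect) tells the two apart.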
All content ©2007 Tony Magri