Security experts at Trustwave observed threat actors using a rare
The Exchangeable image file format is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.
According to ThreatPost that first reported the news, attackers could exploit the
Karl Sigler, a security research manager at Trustwave SpiderLabs, confirmed that the attack works also works on fully patched websites. He explained that attackers leverage PHP function to parse EXIF data of images. The good news for attackers is that the function that allows parsing the EXIF- headers is usually pre-installed in several website tools and plugins.
The attacker only needs to upload a specially crafted image on the target site and trigger the hidden code in the EXIF headers.
“It’s likely that a website offers the ability to upload images and also has an existing PHP file that allows the site to parse out the EXIF data,” Sigler explained. “In that situation, it would be a matter of uploading the malicious image and triggering the hidden PHP code in the EXIF by using the existing PHP file that the website uses to read that EXIF data. It’s simply a matter of finding a website with one that allows the attacker to point it at their malicious uploaded data.”
“However, if you do have everything patched and there’s no low-hanging fruit for the attacker in terms of compromising a site, this is a little more advanced of a technique that can get you in.”
Experts suggest to scan for PHP tags in image files and disabling image uploads if they are not necessary.
(SecurityAffairs – steganography technique, GDPR)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.