0

I know that YouTube videos are processed by Google in order to prevent them from having any malware in them. But I was wondering, are image thumbnails processed in any way to prevent them, or at least, make it less likely that they contain browser or library exploits?

Because I believe that this would be possible, but I don't know if they do it or not. If they can process the videos, then they should be able to process the images too.

2 Answers2

3

They can, but it is VERY unlikely.

Since both Youtube videos and images go tru multiple stages of cutting, converting to other formats etc. it's very unlikely that your exploit would be kept in such environment. Best it could do is hijack one of Google's converters where it would probably easily raise some red flags on intrusion detection systems.

Even assuming your exploit would be able to survive such changes (which is basically impossible), then it would be subjected to many different OSes, web-browsers etc. It is very likely that many of configurations would detect something bad with your image, so most systems wouldn't play this video/wouldn't display this image, possibly even detect that exploit (because antiviruses, incompatible OS, EMET etc.). This again would raise some red flags, most likely before that video was seen by many people. And your impossible exploit would be ruined.

And that's exactly why most exploits are kept for valuable targets - it's very easy for them to be found in so diverse environment that Internet certainly is. And then they quickly become useless, because most of users who were vulnerable quickly update.

axapaxa
  • 201
  • 1
  • 6
-2

I imagine a company like Google/YouTube takes proper/standard security measures with all uploads/files. If there was an oversight in this malware via thumbnails would have been targeted long ago.

While I don't know the particular procedures they take the resampling of the image, verifying it is an image, and removal of meta data is typically enough to stop an image attack. It would prove more difficult for screencaps/thumbnails generated directly from the video. Despite the possibility of an attack through an image it is actually an extremely hard and unlikely one. Not only is Google doing their part but they are serving basically a data buffer to the browser renderer. At this point it is the browser's job to prevent further exploits. You would be hard pressed to find such exploits especially in recent years.

So while it isn't completely 100% impossible my answer to this question is highly unlikely.

James Cameron
  • 598
  • 2
  • 11
Bacon Brad
  • 3,340
  • 19
  • 26
  • 1
    I agree with your conclusion but I think your arguments are really poor. Assuming a company has proper security measures without knowing is a really bad advise. Furthermore, the phrase "If there was an oversight in this malware via thumbnails would of been targeted long ago" simply cringes me, the ImageTragick exploit is too recent and was an attack vector really close to what OP is asking – Mr. E Sep 19 '16 at 20:52
  • As a rule of thumb: Don't start a sentence on SE with "I imagine". Either you know and you respond, or you don't. – James Cameron Sep 19 '16 at 20:57
  • @JamesCameron Unless someone from Google is here posting then we couldn't know. With this statement we should downvote the OP for asking an impossible to answer question then? I think the answer was given to the best of my ability with the known conditions. And the same gist/conclusion matched that of the accepted answer. You simply docked me for the way I phrased it. – Bacon Brad Sep 19 '16 at 21:04
  • @baconface You kind of can, as the thumbnails get converted and resized before being uploaded. This can easily be checked on YouTube itself. This information alone would remove most "i guess" from your answer. No intention of docking you anyways, i was just trying to point out that this uncertain "style" makes your points look less valid to people. – James Cameron Sep 19 '16 at 21:09