Questions tagged [image]

For files or formats containing a digital representation of a graphical picture. Not to be confused with [disk-image] or forensic images.

In the infosec space, "image" refers to graphical pictures and their file formats, such as JPEG, PNG, and SVG.

On-topic security questions include but are not limited to:

  • confidentiality or privacy issues associated with images,
  • arbitrary-code-execution vulnerabilities in media libraries,
  • etc.

97 questions

205 votes, 6 answers

How secure is 'blacking out' sensitive information using MS Paint?

I'm wondering if it's safe to black out sensitive information from a picture just by using Microsoft Paint? Let's take in this scenario that EXIF data are stripped and there is no thumbnail picture, so that no data can be leaked in such a way. But…
Mirsad

143 votes, 8 answers

Secure way of masking out sensitive information in screenshots?

As a guy working in security/pentest, I regularly take screenshots of exposed passwords/sensitive information. Whenever I report these, I mask parts or complete info as in the sample given below. I often wonder, is it possible for someone to…
xandfury

98 votes, 4 answers

What aspects of image preparation workflows can lead to accidents like Boris Johnson's No. 10 tweet's 'hidden message'?

The BBC reports that the image Boris Johnson posted on Twitter to congratulate Joe Biden contains traces of the text "Trump" in the background. The BBC article links to a Guido Fawkes' article, and when I download the tweet's JPEG, convert to PNG…
uhoh

75 votes, 5 answers

Detecting steganography in images

I recently came across an odd JPEG file: Resolution 400x600 and a filesize of 2.9 MB. I got suspicious and suspected that there is some additional information hidden. I tried some straightforward things: open the file with some archive tools; tried…
Chris

57 votes, 9 answers

Can malware be attached to an image?

I have a small number of employees who use a company computer but these people aren't very tech-savvy. They use an email client and a messaging client. I'm pretty sure they wouldn't click on a .exe or .zip file in an email without thinking, and I…
user2143356

42 votes, 3 answers

Can you recover original data from a screenshot that has been 'blacked out'?

Is there a threat from screenshots with blacked out info? That is, can someone take out that aftermarket addition, so to speak? For instance, I take a screenshot (using MS snipper). Then I 'blur/blackout' some info. Is the picture above vulnerable to…
Matthew Peters

32 votes, 7 answers

If I know the CPU architecture of a target, can I send instructions embedded in an image?

Can I send instructions embedded in an image to a target, if I know his CPU architecture?
Faminha102

29 votes, 5 answers

Find Virus in an Image File

I just received a .jpg file that I'm almost positive contains a virus, so I have two questions about what I am able to do with the image. My first question originates from the fact that I opened the file once and the program I used to open it gave…
kmecpp

14 votes, 1 answer

JPEG artifacts leaking information about redacted contents

It was mentioned that JPEG should not be used between image creation and redaction of sensitive contents, because compression artifacts around the redacted area may leak information. Given how this lossy format works, this makes sense. Is there any…
forest

12 votes, 2 answers

How to prevent XSS in SVG file upload?

Currently assessing an application, I found out that it is possible to submit an SVG file containing JavaScript (the app is also vulnerable to XXE). I wondered if there was a method to prevent those vulnerabilities and secure the SVG submission…
Nokosi Pow

9 votes, 2 answers

Is there a way to execute XSS in an HTML img tag with SVG?

Is there a working technique to execute XSS in modern browsers using an SVG file displayed on a web page with an <img> tag? I know a way to execute without