Take a look at your Facebook photo. Seems innocent enough, right? Well, what if behind the photo, hidden in kilobytes of data and totally invisible, was a list of all your passwords and even your credit card number?
It’s terrifying — and as with most advanced computer hacking techniques, it’s entirely possible.
Researchers from the University of Illinois at Urbana-Champaign and the Indraprastha Institute of Information Technology in New Delhi, India designed Stegobot, a proof-of-concept botnet that attaches to Facebook profiles and, more specifically and more dangerously, steals victims’ confidential information, such as online banking and email passwords, through their Facebook pictures.
The researchers developed Stegobot to show how easy it would be for a hacker to use Facebook photos to sneakily spread large-scale online attacks.
After gaining access to computers through the usual channels — infected attachments or redirects to malware-laden websites — Stegobot employs the technique of steganography to hide data in picture files without altering the picture’s appearance, NewScientist explained.
That means the photo of you and your friends on the beach might be more revealing than you’d hoped.
It’s possible, if Stegobot got its hands on it, that the traditional 720-by-720-pixel image could be harboring 50 kilobytes of data — plenty of space to hide and “transmit any passwords or credit card numbers that Stegobot might find on your hard drive,” NewScientist wrote.
As if the prospect of a computer harvesting your private financial data through your Facebook pictures wasn’t scary enough, Stegobot can lurk in the shadows of your pictures and covertly infect all your Facebook friends.
After the botnet hides your personal information in a photo and a friend views your Facebook page, their computer becomes infected. They don’t even have to click on the corrupted photo for Stegobot to go to work.
From there, the masses of stolen data make their way back to the botnet operator, who can extract the payload from each picture and use it in whatever devious manner he wishes.
Thankfully, Stegobot only exists in a lab. For now.